Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security The Internet Technology

5 Years After Major DNS Flaw Found, Few US Companies Have Deployed Long-term Fix 313

Posted by Soulskill
from the rome-wasn't-built-in-5-years-either dept.
alphadogg writes "Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing. While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks. Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is minuscule."
This discussion has been archived. No new comments can be posted.

5 Years After Major DNS Flaw Found, Few US Companies Have Deployed Long-term Fix

Comments Filter:
  • by whois (27479) on Tuesday January 29, 2013 @02:33PM (#42730077) Homepage

    It broke access to several DNSSEC enabled websites that were misconfigured. After a few months of support problems where we suggested the websites fix their issues and they ignored it, it was requested by management that we turn it off.

    It's a very bad design as it stands now. It's unable to return any error but NX Domain for DNSSEC errors for reasons of backword compatibility, which is stupid since you need a DNSSEC enabled resolver to make the request.

    It also has an incredibly steep learning curve that even experienced public key administrators face problems with.

I've never been canoeing before, but I imagine there must be just a few simple heuristics you have to remember... Yes, don't fall out, and don't hit rocks.

Working...