[Chapter-delegates] dnssec as a solution to dns poisoning the national dns infrastructure (.ro)

Eduard Tric eduard.tric at isoc.ro
Wed Nov 28 11:40:08 PST 2012


Dan, Peter,
Thank you for your feedback.
As it has already happened in June with IPv6, Romanian ISPs are keen to implement DNSSEC-aware resolvers, but cannot do it without RoTLD (.ro manager) cooperation.
Regards,
Ed

----- Original Message -----
From: "Dan York" <york at isoc.org>
To: "Eduard Tric" <eduard.tric at isoc.ro>
Cc: "Delegates Chapter" <chapter-delegates at elists.isoc.org>
Sent: Wednesday, 28 November, 2012 21:15:42
Subject: Re: [Chapter-delegates] dnssec as a solution to dns poisoning the national dns infrastructure (.ro)

Ed, 




Today we've had a massive attack on .ro domains (google.ro, yahoo.ro, microsoft.ro, possibly others). 



Thank you for passing along the word of this attack. In catching up on a number of sites about the issue, it does seem that people are narrowing in on the source being a compromise at RoTLD. (For example, the latest update at the site Peter Koch pointed out: http://www.securelist.com/en/blog?weblogid=208194028 ) 


If it does turn out to be the case that someone was manipulating DNS records at the ccTLD registry, then unfortunately DNSSEC might not have been of much help as an attacker with registry access could have manipulated and subverted DNSSEC records. 


If it turns out to be something more like a DNS cache poisoning attack, then DNSSEC could have potentially helped if it was fully deployed. Please keep in mind that there are two pieces to the DNSSEC puzzle: 
1. Domains (including the TLD) need to be signed. 
2. DNSSEC-validating DNS resolvers need to be in use at ISPs and other networks. 


If users in Romania do not have access to DNSSEC-validating DNS resolvers from their ISPs, having the domains signed won't matter as no one will be able to validate them and thereby be protected. 


As chapter delegate, are you aware if your national ccTLD is already secured by DNSSEC? 


FYI, one source of information about which ccTLDs can be found is at ICANN's website at: 


http://stats.research.icann.org/dns/tld_report/ 




Is this page the main ISOC entry point for DNSSEC: http://www.internetsociety.org/deploy360/dnssec/ ? 


Yes, that is the best page for technical and deployment-related content for DNSSEC. We also have another page in development that will be a bit higher-level at: 
http://www.internetsociety.org/what-we-do/internet-technology-matters/dnssec 




How can we cooperate with other chapters to demonstrate to the Romanian Government the benefits of a DNSSEC-secured ccTLD? 

Since INET 2011, held in Bucharest, we have constantly warned the government and the industry about the risks of not implementing DNSSEC at .ro level. We need to elaborate an updated position (Internet Society Romania) on this national security matter for government and the press ASAP. 


I would agree with Peter Koch that it might be best to wait a bit to see what the vulnerability behind today's attack turns out to be and if DNSSEC could help protect against the vulnerability. 


I definitely want to see DNSSEC more widely deployed, and to help you all in whatever way I can via Deploy360 to get DNSSEC deployed within your region, but I think we could wind up hurting our efforts if we advocate DNSSEC in response to an issue that turns out would not have been protected by DNSSEC. 


Thanks again for the pointer to the information, 
Dan 




-- 
Dan York 
Senior Content Strategist, Internet Society 
york at isoc.org +1-802-735-1624 
Jabber: york at jabber.isoc.org 
Skype: danyork http://twitter.com/danyork 


http://www.internetsociety.org/deploy360/ 
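
Added example (not part of the original messages or of any ISOC tooling): a sketch of how the "two pieces" described above can be told apart from a client's point of view, using the AD (Authenticated Data) header flag on a reply for the zone of interest and the RCODE of a reply for a test zone whose signatures are deliberately broken. The function names, the result labels and the sample reply headers are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
QR, AD, RCODE_MASK = 0x8000, 0x0020, 0x000F
SERVFAIL = 2

def build_query(name, qtype=6, qid=0x1234):
    """Build a query (default type SOA) with RD set and an EDNS0 OPT record with DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)           # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Return the AD bit and RCODE from a DNS response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags = struct.unpack("!HH", response[:4])
    if not flags & QR:
        raise ValueError("not a response")
    return {"ad": bool(flags & AD), "rcode": flags & RCODE_MASK}

def assess(target_resp, bogus_resp):
    """target_resp: reply for the zone of interest.
    bogus_resp: reply for a test zone with deliberately invalid signatures.
    SERVFAIL can have other causes, so repeat the check before relying on it."""
    target, bogus = parse_flags(target_resp), parse_flags(bogus_resp)
    if bogus["rcode"] != SERVFAIL:
        return "resolver-not-validating"   # piece 2 missing: signatures are ignored
    if target["ad"]:
        return "protected"                 # zone signed and resolver validated the chain
    return "zone-unsigned"                 # piece 1 missing: nothing to validate

def _hdr(flags):
    # Constructed 12-byte reply header, sufficient for parse_flags()
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    # Constructed samples: 0x81A0 = NOERROR with AD, 0x8180 = NOERROR, 0x8182 = SERVFAIL
    print(assess(_hdr(0x81A0), _hdr(0x8182)))
    print(assess(_hdr(0x8180), _hdr(0x8182)))
    print(assess(_hdr(0x8180), _hdr(0x8180)))
```

The AD flag is only meaningful when the path between the client and the resolver is itself trusted, since a stub client does not verify signatures on its own.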
