Home / Blogs

NASA Teething Troubles Teach a DNSSEC Lesson

Ram Mohan

On January 18, 2012, Comcast customers found they could not access the NASA.gov website. Some users assumed that Comcast was deliberately blocking the website or that NASA, like Wikipedia and Reddit, was participating in the "blackout" protests against the Stop Online Piracy Act (SOPA) going on that day. As it turned out, the truth was much less exciting, but it offers important lessons about DNSSEC.

As I've blogged before, Comcast is leading the way in DNSSEC deployment among American ISPs. All of its customers have been moved to DNS resolvers capable of validating DNSSEC signatures. This is great news for their security; it means Comcast customers are protected from man-in-the-middle DNS attacks against sites that choose to sign their domains with DNSSEC.

NASA, too, is an early DNSSEC adopter. Its domain, nasa.gov, is signed. Unfortunately, the agency experienced a hiccup in January that meant it temporarily published incorrect key information. That in turn meant Comcast customers — and anybody else using validating DNS resolvers — experienced an error when attempting to connect to the NASA site.

The problem occurred during a key rollover, as many early DNSSEC implementation issues do. It's good security practice to periodically change the two cryptographic keys used by DNSSEC — the Key Signing Key (KSK) and the Zone Signing Key (ZSK) — to mitigate the risk of the keys being compromised by attackers. NASA was in the process of such a rollover when its problems occurred.

As I explained in a SecurityWeek column, during a key rollover you temporarily need two sets of keys live at the same time. Before removing the expiring keys from your DNS records, you need to bring the new keys on board until you can be certain that Time-To-Live limits on the old keys have expired and recursive name servers are no longer caching them. In other words, during the rollover, your domain name needs to be double-signed for a period.

According to Comcast, NASA made the mistake of going live with a new KSK while its Delegation Signer records still pointed to the old one. To a DNS resolver, this appeared as if the key was missing or had been compromised, so the resolution failed.

The problem was easily and quickly rectified by NASA, but the incident illustrates how even the most technically adept organizations can suffer teething troubles when they manually manage tricky procedures like key rollover. Early adopters need to have well-documented and rigorously adhered-to processes in place to ensure these kinds of slips don't happen.

A better solution is automation. DNSSEC is an important security update to the Internet';s plumbing, and it should not be a headache to deploy and manage. That's why we offer organizations a way to take the risk and complexity out of DNSSEC with Afilias One Click DNSSEC service. Using One Click DNSSEC, Managed DNS customers are able to quickly and easily secure their domain names and seamlessly manage key rollovers — and avoid the embarrassment of an issue like NASA suffered.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: Cybersecurity, DNS, DNS Security


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


"That's why we offer organizations a way to take the risk and complexity out of DNSSEC" John Berryhill  –  Mar 27, 2012 5:45 AM PDT

Is that a warranty?

It's a convenient solution Ram Mohan  –  Mar 27, 2012 7:02 AM PDT

It's a convenient solution

Is comcast reject domains whose key doesn't match Gaurav Kansal  –  Mar 31, 2012 10:31 AM PDT

@RAM… As you mentioned that Comcast customer doesn't able to access NASA.gov website because of the KSK rollover, this means that Comcast recursive server was dropping the reply for the NASA.gov as it was not able to authenticate the signed record which is getting from the NS of NASA.gov with the public key that it get from .gov domain (parent domain for NASA.gov).

Is Comcast was really doing that because till yet, i haven't heard about the DNS feature by which you can drop the signed answer if it is not matching with the public key provided by parent domain.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

DNS Security

Sponsored by Afilias


Sponsored by Verisign

IP Addressing

Sponsored by Avenue4 LLC

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll