
NASA Teething Troubles Teach a DNSSEC Lesson

Ram Mohan

On January 18, 2012, Comcast customers found they could not access the NASA.gov website. Some users assumed that Comcast was deliberately blocking the website or that NASA, like Wikipedia and Reddit, was participating in the "blackout" protests against the Stop Online Piracy Act (SOPA) going on that day. As it turned out, the truth was much less exciting, but it offers important lessons about DNSSEC.

As I've blogged before, Comcast is leading the way in DNSSEC deployment among American ISPs. All of its customers have been moved to DNS resolvers capable of validating DNSSEC signatures. This is great news for their security; it means Comcast customers are protected from man-in-the-middle DNS attacks against sites that choose to sign their domains with DNSSEC.

NASA, too, is an early DNSSEC adopter. Its domain, nasa.gov, is signed. Unfortunately, the agency experienced a hiccup in January that meant it temporarily published incorrect key information. That in turn meant Comcast customers — and anybody else using validating DNS resolvers — experienced an error when attempting to connect to the NASA site.

The problem occurred during a key rollover, as many early DNSSEC implementation issues do. It's good security practice to periodically change the two cryptographic keys used by DNSSEC — the Key Signing Key (KSK) and the Zone Signing Key (ZSK) — to mitigate the risk of the keys being compromised by attackers. NASA was in the process of such a rollover when its problems occurred.

As I explained in a SecurityWeek column, during a key rollover you temporarily need two sets of keys live at the same time. Before removing the expiring keys from your DNS records, you need to bring the new keys on board until you can be certain that Time-To-Live limits on the old keys have expired and recursive name servers are no longer caching them. In other words, during the rollover, your domain name needs to be double-signed for a period.

According to Comcast, NASA made the mistake of going live with a new KSK while its Delegation Signer records still pointed to the old one. To a DNS resolver, this appeared as if the key was missing or had been compromised, so the resolution failed.
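To make the failure concrete, here is an added example (not code from the original post, NASA or Comcast) that performs the DS-to-DNSKEY check a validating resolver does at the delegation point: it builds DS records from DNSKEY RDATA (RFC 4034 key tag, RFC 4509 SHA-256 digest) and shows that a DNSKEY RRset holding only the new KSK has no key the parent's DS can authenticate, while keeping the old KSK published alongside the new one still validates. The keys and the zone name are constructed placeholders, not real nasa.gov material.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-cased, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit checksum over the RDATA)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS record (key tag, algorithm, digest type 2, SHA-256(owner | RDATA)) per RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def secure_entry_points(owner: str, ds_rrset: list, dnskey_rrset: list) -> list:
    """Keys in the child's DNSKEY RRset that a parent DS authenticates (RFC 4035 5.2); empty means bogus."""
    matched = []
    for rdata in dnskey_rrset:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & 0x0100:          # Zone Key bit must be set
            continue
        if make_ds(owner, rdata) in ds_rrset:
            matched.append(rdata)
    return matched

# Constructed keys for the walk-through; real RSA public keys are much longer.
OLD_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + bytes(range(1, 65)))
NEW_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + bytes(range(64, 0, -1)))
ZSK     = dnskey_rdata(256, 8, b"\x03\x01\x00\x01" + bytes(range(100, 164)))
ZONE = "nasa.gov"   # placeholder owner name, not the real zone's keys

def rollover_states() -> dict:
    """Parent DS still points at the old KSK: publish only the new KSK vs. keep both."""
    parent_ds = [make_ds(ZONE, OLD_KSK)]
    return {
        "new_ksk_only": secure_entry_points(ZONE, parent_ds, [NEW_KSK, ZSK]),
        "double_signed": secure_entry_points(ZONE, parent_ds, [OLD_KSK, NEW_KSK, ZSK]),
    }
```

An empty list for `new_ksk_only` is the state a validating resolver reports as bogus (SERVFAIL to the client); the `double_signed` state keeps the old KSK as a valid entry point until the parent's DS is updated to the new key.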

The problem was easily and quickly rectified by NASA, but the incident illustrates how even the most technically adept organizations can suffer teething troubles when they manually manage tricky procedures like key rollover. Early adopters need to have well-documented and rigorously adhered-to processes in place to ensure these kinds of slips don't happen.

A better solution is automation. DNSSEC is an important security update to the Internet's plumbing, and it should not be a headache to deploy and manage. That's why we offer organizations a way to take the risk and complexity out of DNSSEC with Afilias One Click DNSSEC service. Using One Click DNSSEC, Managed DNS customers are able to quickly and easily secure their domain names and seamlessly manage key rollovers — and avoid the embarrassment of an issue like NASA suffered.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.


Comments

"That's why we offer organizations a way to take the risk and complexity out of DNSSEC" John Berryhill  –  Mar 27, 2012 4:45 AM PST

Is that a warranty?

It's a convenient solution Ram Mohan  –  Mar 27, 2012 6:02 AM PST

It's a convenient solution

Is comcast reject domains whose key doesn't match Gaurav Kansal  –  Mar 31, 2012 9:31 AM PST

@RAM… As you mentioned, Comcast customers weren't able to access the NASA.gov website because of the KSK rollover. This means that the Comcast recursive server was dropping the reply for NASA.gov, as it was not able to authenticate the signed record it was getting from the NS of NASA.gov with the public key it got from the .gov domain (parent domain for NASA.gov).

Was Comcast really doing that? Because until now, I haven't heard about a DNS feature by which you can drop a signed answer if it does not match the public key provided by the parent domain.
