Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s.

Avenue4 LLCRead Message Promoted Post

Home / Blogs

NASA Teething Troubles Teach a DNSSEC Lesson

Ram Mohan

On January 18, 2012, Comcast customers found they could not access the NASA.gov website. Some users assumed that Comcast was deliberately blocking the website or that NASA, like Wikipedia and Reddit, was participating in the "blackout" protests against the Stop Online Piracy Act (SOPA) going on that day. As it turned out, the truth was much less exciting, but it offers important lessons about DNSSEC.

As I've blogged before, Comcast is leading the way in DNSSEC deployment among American ISPs. All of its customers have been moved to DNS resolvers capable of validating DNSSEC signatures. This is great news for their security; it means Comcast customers are protected from man-in-the-middle DNS attacks against sites that choose to sign their domains with DNSSEC.

NASA, too, is an early DNSSEC adopter. Its domain, nasa.gov, is signed. Unfortunately, the agency experienced a hiccup in January that meant it temporarily published incorrect key information. That in turn meant Comcast customers — and anybody else using validating DNS resolvers — experienced an error when attempting to connect to the NASA site.

The problem occurred during a key rollover, as many early DNSSEC implementation issues do. It's good security practice to periodically change the two cryptographic keys used by DNSSEC — the Key Signing Key (KSK) and the Zone Signing Key (ZSK) — to mitigate the risk of the keys being compromised by attackers. NASA was in the process of such a rollover when its problems occurred.

As I explained in a SecurityWeek column, during a key rollover you temporarily need two sets of keys live at the same time. Before removing the expiring keys from your DNS records, you need to bring the new keys on board until you can be certain that Time-To-Live limits on the old keys have expired and recursive name servers are no longer caching them. In other words, during the rollover, your domain name needs to be double-signed for a period.

According to Comcast, NASA made the mistake of going live with a new KSK while its Delegation Signer records still pointed to the old one. To a DNS resolver, this appeared as if the key was missing or had been compromised, so the resolution failed.

The problem was easily and quickly rectified by NASA, but the incident illustrates how even the most technically adept organizations can suffer teething troubles when they manually manage tricky procedures like key rollover. Early adopters need to have well-documented and rigorously adhered-to processes in place to ensure these kinds of slips don't happen.

A better solution is automation. DNSSEC is an important security update to the Internet';s plumbing, and it should not be a headache to deploy and manage. That's why we offer organizations a way to take the risk and complexity out of DNSSEC with Afilias One Click DNSSEC service. Using One Click DNSSEC, Managed DNS customers are able to quickly and easily secure their domain names and seamlessly manage key rollovers — and avoid the embarrassment of an issue like NASA suffered.

By Ram Mohan, Executive Vice President & CTO, Afilias Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.
Related topics: Cybersecurity, DNS, DNS Security
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

"That's why we offer organizations a way to take the risk and complexity out of DNSSEC" John Berryhill  –  Mar 27, 2012 4:45 AM PST

Is that a warranty?

It's a convenient solution Ram Mohan  –  Mar 27, 2012 6:02 AM PST

It's a convenient solution

Is comcast reject domains whose key doesn't match Gaurav Kansal  –  Mar 31, 2012 9:31 AM PST

@RAM… As you mentioned that Comcast customer doesn't able to access NASA.gov website because of the KSK rollover, this means that Comcast recursive server was dropping the reply for the NASA.gov as it was not able to authenticate the signed record which is getting from the NS of NASA.gov with the public key that it get from .gov domain (parent domain for NASA.gov).

Is Comcast was really doing that because till yet, i haven't heard about the DNS feature by which you can drop the signed answer if it is not matching with the public key provided by parent domain.

To post comments, please login or create an account.

Related

Topics

Mobile Internet

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

DNS Security

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

Promoted Post

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s.