Home / News I have a News Tip

Study Assesses Potential Impact of DNSSEC on Broadband Consumers, Results Not Good

Recent collaborative test by Core Competence and Nominet have concluded that 75% of common residential and small SOHO routers and firewall devices used with broadband services do not operate with full DNSSEC compatibility "out of the box". The report presents and analyzes technical findings, their potential impact on DNSSEC use by broadband consumers, and implications for router/firewall manufacturers. Included in its recommendations, the report suggests that as vendors apply DNSSEC and other DNS security fixes to devices, consumers should be encouraged to upgrade to the latest firmware.

The full report can be downloaded here [PDF].

Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Not really seeing the issue... Dave Howe  –  Sep 16, 2008 10:52 AM PST

Sure, dns poisoning is a major vulnerability, but most residential users should be restricting dns traffic purely to their isp or other dns provider - they shouldn't be walking the dns tree anyhow, so the odds of an attacker being able to spoof a reply to their query is pretty low. Provided the ISP (or other provider) has a clean resolver, their own feed should also be clean.

Yes, the customer will be talking to Carl Byington  –  Sep 16, 2008 4:52 PM PST

Yes, the customer will be talking to their provider's dns server, but eventually those questions will be asking for dnssec answers, and it is those dnssec answers that may or may not make it back thru the residential gateway proxy to the internal machine that asked the question.

of course... Dave Howe  –  Sep 16, 2008 11:45 PM PST

but those *answers* don't have to be DNSSEC. DNSSEC should be applied at the provider level, not at the consumer level - once the ISP has a (known good, DNSSEC approved) answer, it can serve that to its customers using normal DNS. DNSSEC is a painful protocol anyhow, and requires you to be able to do digital signatures (in its rfc form - fixed admittedly in some of the draft replacements - it also allows you to walk a zone and effectively perform a zone transfer, something we have been locking down on in recent years as it just makes life too easy for certain types of attacker)

End-user DNSSEC responses Ray Bellis  –  Sep 17, 2008 2:15 AM PST

It's not expected that ISPs' recursive resolvers will unilaterally reject DNS responses that fail DNSSEC validation.

Usually they would only do this if the client (i.e. stub) has indicated that it is security aware by setting the "DO" bit.

However our study did determine that some of the routers couldn't correctly pass the "DO" bit.  Others also had problems returning the "AD" bit that signifies successful validation.

Clarification Ray Bellis  –  Sep 17, 2008 8:07 AM PST

Ok, that was incorrect.

Validating recursors will only set the AD bit in the response if the request contained the DO bit.

However it is allowable (indeed expected) that an upstream resolver can return SERVFAIL if a domain fails DNSSEC validation, according to the ISP's locally configured policy.

However if the client wants to use a different policy, they must either run a fully validating caching resolver locally, or "forward" (in the DNS sense) their queries to an upstream recursive resolver with the DO and CD bits set.

The former configuration potentially suffers from Kaminsky-style cache poisoning attacks due to poor NAT source port randomisation.  The latter approach would be affected by the DNSSEC flag compatibilities highlighted in our report.

To post comments, please login or create an account.

Related

Topics

Cybersecurity

Sponsored byVerisign

DNS Security

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias