June 23rd was the 25th anniversary of the Domain Name System (DNS), and I spent it at the National Science Foundation (NSF) reviewing proposals, several of which were for innovative DNS replacements of varying degrees of merit. In the rough-and-tumble world of the Internet, it's clear that several types of evolution are underway:
When you, the user, want to go to a Website, your browser asks a local DNS server for the address and other information about that site, and the local server may have to roam the Internet for the answer. DNS servers are so good at it that nobody ever notices that the DNS name space is really composed of more than 100 million separate patches.
That isn't an accident: The original design of the DNS worked very hard to allow unlimited distribution and caching to improve performance. Security against bad actors wasn't in the design -- just as the Wright brothers' first airplane didn't have reclining seats, bathrooms, or beverage carts. The critics of the time thought there was too much in the original DNS, rather than too little.
What this meant was that if you could create a passable forgery while a DNS server was waiting for an answer, it would be believed. Bad guys got to work. If you could watch what a DNS server sends, you knew when it would believe a forgery, as well as how to include the right 16-bit ID field in the fake response (it's in the query). If you couldn't watch, you could guess when the server was going to need some information, or even ask for it yourself, and bombard the server with forged responses, hoping one or another would be believed. Servers with weak random-number generators produced predictable IDs and hence were particularly vulnerable. But, essentially, the game was that the attacker got only an infrequent opportunity to try an attack on a specific domain: once a genuine answer arrived and was cached, there was nothing to forge until it expired.
When an attack succeeds, one can divert mail or Web surfers, steal passwords, and the like.
Dan Kaminsky changed the game early this year by noticing that it was possible to make continuous, rather than infrequent, attacks against weak DNS implementations. Luckily, he's a good guy, so the result was a group of leading DNS software providers, including Nominum Inc., Microsoft Corp. (Nasdaq: MSFT), and ISC, implementing whatever fixes they needed to resist the new attack. But now the idea is public, and you can be sure the bad guys are comparing the "before" and "after" open-source versions to figure out how the Kaminsky approach works.
What does this mean?
If you haven't updated your DNS code recently, you are vulnerable to the most effective cache poisoning attack ever. Before Kaminsky, DNS wasn't the strongest link in a user's security chain, but it was far from the weakest. This is still true if you are updated, but if not... watch out!
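Here is the forgery race as a small, runnable model. It is an added example, not code from this column or from any of the DNS implementations it names: a resolver that accepts the first response matching the name, the 16-bit ID and (optionally) the UDP source port of its outstanding query; an attacker who has watched one query and predicts a sequential ID; and a blind attacker who must guess. The names and addresses are made up, the 1024-65535 port range is an assumption, and the `randomize_port` switch stands in for hardening of the kind the vendors shipped (the column does not say what the fixes were; source-port randomization is used here as the representative one).

```python
"""Toy model of the DNS forgery race (added example, not the column's code).

A resolver believes the first response that matches its outstanding query
by name, 16-bit transaction ID and, once randomized, UDP source port.  An
attacker who cannot see the query has to guess those fields.  All names,
addresses and the port range are made up for the example."""
import random
from dataclasses import dataclass

ID_SPACE = 1 << 16                  # 16-bit transaction ID
PORT_LO, PORT_HI = 1024, 65536      # assumed randomized source-port range
PORT_SPACE = PORT_HI - PORT_LO


@dataclass(frozen=True)
class Query:
    qname: str
    txid: int
    sport: int          # UDP source port the resolver sent from


@dataclass(frozen=True)
class Response:
    qname: str
    txid: int
    dport: int          # port the response is addressed to
    rdata: str


class Resolver:
    """Caches answers; only a response matching the outstanding query counts."""

    def __init__(self, sequential_ids=False, randomize_port=False, seed=0):
        self.rng = random.Random(seed)
        self.sequential_ids = sequential_ids
        self.randomize_port = randomize_port
        self.next_id = 1
        self.cache = {}
        self.outstanding = None

    def lookup(self, qname):
        """Answer from cache if possible; otherwise emit a query and wait."""
        if qname in self.cache:
            return self.cache[qname]
        if self.sequential_ids:             # the weak generator of the column
            txid, self.next_id = self.next_id, (self.next_id + 1) % ID_SPACE
        else:
            txid = self.rng.getrandbits(16)
        sport = self.rng.randrange(PORT_LO, PORT_HI) if self.randomize_port else 53
        self.outstanding = Query(qname, txid, sport)
        return None

    def receive(self, resp):
        """Return True if the response was accepted and cached."""
        q = self.outstanding
        if q is None or (resp.qname, resp.txid, resp.dport) != (q.qname, q.txid, q.sport):
            return False                    # silently dropped
        self.cache[q.qname] = resp.rdata
        self.outstanding = None
        return True


def predict_next_sequential_id(observed_txid):
    """Attacker who saw one query (e.g. for a name on a server he controls)."""
    return (observed_txid + 1) % ID_SPACE


def guess_space(randomize_port):
    return ID_SPACE * (PORT_SPACE if randomize_port else 1)


def spoof_success_probability(guesses, randomize_port):
    """P(at least one of `guesses` random forgeries matches) in one race."""
    return 1.0 - (1.0 - 1.0 / guess_space(randomize_port)) ** guesses


def flood(resolver, qname, guesses, seed=0):
    """Blind attacker: bombard the resolver with forged responses."""
    rng = random.Random(seed)
    for _ in range(guesses):
        dport = rng.randrange(PORT_LO, PORT_HI) if resolver.randomize_port else 53
        if resolver.receive(Response(qname, rng.getrandbits(16), dport, "203.0.113.66")):
            return True
    return False


def poison_with_predictable_ids():
    """Attack a resolver that hands out sequential IDs; returns (accepted, cached)."""
    r = Resolver(sequential_ids=True)
    r.lookup("evil.example")                # attacker's own zone: he sees this query
    seen = r.outstanding.txid
    r.receive(Response("evil.example", seen, 53, "203.0.113.5"))
    r.lookup("bank.example")                # the victim's domain is queried next
    forged = Response("bank.example", predict_next_sequential_id(seen), 53, "203.0.113.66")
    accepted = r.receive(forged)
    return accepted, r.lookup("bank.example")   # now served from the poisoned cache


if __name__ == "__main__":
    print(poison_with_predictable_ids())
    for k in (1000, 10000, 65536):
        print(k, spoof_success_probability(k, False), spoof_success_probability(k, True))
```

With predictable IDs the first forged packet wins. With random IDs but a fixed port, 10,000 blind guesses win a single race about 14% of the time; once the source port is random as well, the same flood wins a few times in a million, which is why widening the guess space, rather than the 16-bit ID alone, is what makes the race unattractive.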
The DNS Security Extensions (DNSSEC) are proposed as the ultimate answer here, but after more than a decade in the making, they are still cumbersome to deploy.
Once upon a time, ICANN thought that adding new top-level domains (TLDs) was too risky, despite the advice from all of the technical community that adding a few was safe. Oddly enough, adding new country codes was safe. One, two, ten, a hundred country codes, but still ICANN worried. Creating a new generic TLD (e.g., .biz, .cat) was a huge effort and expensive, but folks lined up to pay and own a chunk of cyberspace.
Next, we saw an ICANN RFP to get a contractor to write an RFP for ICANN for new TLDs (yes, an RFP to write an RFP). Now, one might think that if ICANN had any core competence, it should lie in managing the addition of new names, but the effort led nowhere.
Learning from the pattern of .com, ICANN realized that its budget would be enhanced if the six-figure cost of requesting a new TLD was just thrown open to those with six-figure checkbooks, regardless of merit. When you get paid by request, why limit requests?
Where will this lead?
Firstly, the consultants and marketeers are busy -- very busy. We'll see all kinds of new "marketectures" out there. If the expected tidal wave of new registrations materializes, ICANN will become the new OPEC for cyberspace oil.
But will all the governments, the U.N., and the like be able to resist staging a hostile takeover? Is it time to short .com, i.e., Verisign?
One thing is certain: The advertisers and marketeers are running TLD evolution now. It should be exciting.
— Paul Mockapetris, Inventor of the Domain Name System (DNS)