RealTime IT News

Another DNS flaw?

Security researcher Dan Kaminsky made headlines last year when he discovered a critical DNS flaw. If left unpatched it could have crippled vast parts of the Internet.

As 2009 starts up, a new DNS flaw has emerged, but the severity of the threat is less pronounced.

ISC (Internet Systems Consortium) the group leading development of the open source BIND DNS server that dominates the Internet, quietly issued a patch to multiple versions of BIND this week.

The flaw affects elements of DNSSEC , which are extensions used to add an additional layer of security to the Domain Name System. DNSSEC protocols are what the ISC and other security experts identified as the long term solution to the Kaminsky flaw.

ISC and security watchers gave the flaw a low severity rating.

"The flaw is specific to certain usages of DNSSEC," Joao Damas, senior programming manager, ISC told InternetNews.com. "It is strongly advised that all BIND DNSSEC deployments update in case they are using the particular pattern affected (DSA keys in some cases) and to prevent coming across the problem in the future unexpectedly."

DNSSEC or DNS Security Extensions add the concept of digitally signed domain information to the global DNS system. DNSSEC relies on encryption for the signed domain information; in the case of BIND it uses elements of the OpenSSL libraries. OpenSSL is an open source technology for SSL and it is there where a a signature validation bug was found that could potentially affect BIND DNS.

According to the ISC's advisory on the flaw, it is theoretically possible to spoof answers returned from zones using the DNSKEY algorithms DSA (3) and ^7DSA8^ (6). Damas added that to date he is unaware of any weaponized exploits in the wild for the patched issue.

"From all we have seen the chances are slim that this would be able to be effectively weaponized," Damas commented. "These (changes) are mostly about defensive programming, testing for return cases that we were not expecting before and flagging them if encountered."

While the ISC is pro-actively recommending that BIND DNS users update their servers with the patch, at least one DNS expert also notes that the new flaw isn't going to be big issue for most DNS server administrators

"The bug only seems to apply to recursive validation, so there doesn’t appear to be a need to upgrade authoritative-only name servers, even those hosting DNSSEC-signed zones," Cricket Liu, author of DNS and BIND Cookbook and a vice president at Infoblox, told InternetNews.com.

The global distributed DNS system that connects IP addresses to domain names relies on both authoritative and recursive name servers to function. Authoritative servers are ones that are responsible for domain information at a top-level while recursive function within an ISP or enterprise setting for caching and query information.

Liu also noted that the vulnerability workaround offered by ISC wouldn't cause too much trouble to adopt.

"The workaround offered—disabling validation of data signed with DSA—would likely have very little adverse impact, since DSA isn’t a very popular algorithm to use with DNSSEC," Liu stated.

To date, DNSSEC adoption has been slow, though the Kaminsky flaw helped to highlight the need. In December of 2008, a industry coalition was formed to help spread the adoption of DNSSEC for wide global deployment.