ICANN Panel Weighs DNS Vulnerabilities

Computerworld - The Internet Software Consortium's Berkeley Internet Name Domain (BIND) server software is the predominant system for running the Domain Name System (DNS). The Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit group responsible for the stability of the Internet, recently formed a security committee aimed, in part, at examining DNS security holes, including BIND vulnerabilities.
Stephen Crocker, who helped develop protocols for Arpanet, this month was named to lead the new committee. He spoke with Computerworld last week about some of the issues his committee is facing.

ICANN is responsible for ensuring the stability of the DNS. From a security perspective, what does that entail? One area is to work closely with [interested] parties to set the rules and procedures to ensure operations are smooth, reliable and resistant to being penetrated. There are also the root servers - the top-level machines that point to the .com, .biz, .org. and .net machines. There are 13 of these root servers around the world, and they are somewhat independent. It's not terribly important who is in charge so much as whether or not everybody has the same shared picture of what to do.

BIND was recently cited by the CERT Coordination Center as its top vulnerability concern. How susceptible is BIND to attack, and what can be done about it? Actually, not all of the servers are running BIND these days. Some diversity has developed, and I expect this trend will continue. That's the good news. The bad news is that older versions of BIND are still in use. This is not generally true at the servers for the root-level or the top-level domains, but it is a problem at many of the lower-level servers. In general, the root servers and the top-level domain servers are generally more secure than many of the lower-level servers.

Stephen Crocker: Setting DNS operating rules is a priority.

There has also been in preparation for several years the DNS Security Protocol [a standard using public keys], but it is not yet deployed. There are questions about how soon it can be deployed.

How vulnerable is DNS? I don't know yet. I do know if you were to take down all the root servers and ask the question, "How much damage would there be and how soon?" the answer [would be] that the impact would only be incremental for a couple of days before real trouble set in.
When you type in a name - www.icann.org, for instance - it has to be translated to an IPnumeric address. Your machine has the address of the local domain name server, usually run by your ISP. If it doesn't know what that translation is, then it passes it up the line. If it's a top-level domain that it's never seen, then it would go up to a root server. You can think of a root server as machine whose name is simply "." [dot]. The root servers have pointers to all of the top-level domains - .com, .us, .uk. If you took out even all of the root servers, what would happen is that brand-new attempts to resolve a name would be unanswered. But there are copies of the primary information cached in many places, and the information is updated every couple of days before it's refreshed.
So if you had a disruption in connectivity, everything would still go along, but the updates would be disrupted.

Read more about privacy in Computerworld's Privacy Knowledge Center.