Q&A: DNS inventor Paul Mockapetris

Security people have to realise that if the design mechanisms for DNS are upgraded, the networks will have to do a series of upgrades to keep up. I'm actually speaking at an ENISA workshop in Brussels this week. And while they're an agency for a political organisation, in reality they share the fact that, while it's possible to share the art of securing internet applications, to deploy them is far from easy.

It's not easy to integrate all these new technologies with all applications. And it's not easy to get that integration to the point where it can be made seamless. In my presentation, I advocate 'tough love' for DNSSEC, where we can't just proclaim success over Kaminsky's DNS flaw, go away and rest on our laurels. But, instead, we must work on interfacing those patches to every application and migrating to IPv6.

How big a challenge do you feel the tough implementation and integration times ahead will be?

Half of all DNS systems haven't been upgraded, and that's including all levels of security, whether it be through 32- or 64-bit, cryptographic or other means, leaving the threat of potentially turning whole sections of systems off if they are attacked. There is an issue with who signs the root too.

There's also a one in 65,000 chance of attack in an unpatched server. This rises to one in four billion in those that have been patched. But attack vectors move very quickly. Our strategy has been to slow down those attacks and to check to understand if an attack is genuine or just a misunderstanding.

Another thing to bear in mind is, if your websites and applications are high value domain targets for spoofers, you can be much more suspicious when allowing them to be updated. You can also only allow certain users to audit changes to a specific domain.

At Nominum, we have more data certified and signed for use for more applications than not. Our users are more comfortable using our DNS database, knowing it's been digitally signed and secured. This has important potential use in the example of the leery implications around VoIP [voice over IP] browsing because of DNS attacks. But, digital signature technologies in place can help scale the quality of service. And with the right level of internet security there's a lot more you can do with other such open ended tools.
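The "one in 65,000" versus "one in four billion" figures in the answer above come from the size of the space a forged reply has to hit: a 16-bit transaction ID alone, or the ID combined with a randomised UDP source port. The following is an added example, not code from the interview or from Nominum; it works the arithmetic through for a Kaminsky-style attacker who triggers a stream of queries for fresh names and floods each one with spoofed replies, and adds the check a resolver operator would actually run, namely looking at captured outbound queries to see whether the source ports are fixed, sequential or random. The 16 bits of port entropy after patching, the capture line format, and all sample ports are assumptions constructed for the example.

```python
"""Blind DNS cache-poisoning odds, unpatched versus patched, plus a
source-port randomisation check over captured query lines.
Added illustration; figures assume a 16-bit transaction ID and roughly
16 bits of UDP source-port entropy once randomisation is enabled.
All capture data below is constructed, not real traffic."""
import math
import random
import re
from typing import Dict, List

TXID_BITS = 16   # DNS message ID is 16 bits
PORT_BITS = 16   # assumed usable source-port entropy after the 2008 patch


def guess_space(patched: bool) -> int:
    """Number of (id[, port]) values a forged reply has to match."""
    return 1 << (TXID_BITS + (PORT_BITS if patched else 0))


def p_success_per_query(space: int, forged_per_window: int) -> float:
    """Chance that at least one of `forged_per_window` spoofed replies matches
    before the genuine answer arrives (each guess independent)."""
    return 1.0 - (1.0 - 1.0 / space) ** forged_per_window


def queries_for(confidence: float, space: int, forged_per_window: int) -> int:
    """Attacker-triggered queries (each for a fresh, uncached name, as in the
    Kaminsky variant) needed to reach `confidence` of poisoning the cache."""
    p = p_success_per_query(space, forged_per_window)
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


# Constructed capture line shape: "<time> <src-ip>:<src-port> -> <dst-ip>:53 <qtype> <qname>"
LINE_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->")


def source_ports(capture: str) -> List[int]:
    """Pull the resolver's outbound source port from each capture line."""
    ports = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports.append(int(m.group(2)))
    return ports


def port_randomness_report(ports: List[int]) -> Dict[str, object]:
    """Flag a resolver that sends from one fixed port or walks through ports
    predictably; a randomising resolver shows almost no 0 or +1 steps."""
    if len(ports) < 2:
        raise ValueError("need at least two queries")
    steps = [b - a for a, b in zip(ports, ports[1:])]
    predictable = sum(1 for d in steps if d in (0, 1)) / len(steps)
    distinct = len(set(ports))
    weak = distinct == 1 or predictable > 0.5
    return {"distinct": distinct,
            "predictable_step_fraction": predictable,
            "verdict": "weak" if weak else "ok"}


def constructed_capture(ports: List[int]) -> str:
    """Build sample capture text (constructed data) for a list of ports."""
    return "\n".join(
        f"12:00:{i % 60:02d} 10.0.0.5:{p} -> 192.0.2.1:53 A q{i}.example.com"
        for i, p in enumerate(ports))


FIXED_PORT = constructed_capture([53] * 50)                     # one port for everything
SEQUENTIAL = constructed_capture(list(range(32768, 32868)))      # kernel-style ephemeral walk
RANDOMISED = constructed_capture(random.Random(7).choices(range(1024, 65536), k=200))

if __name__ == "__main__":
    for patched in (False, True):
        space = guess_space(patched)
        print(f"{'patched' if patched else 'unpatched':9s} space={space:>13,d} "
              f"p/packet={1 / space:.2e} "
              f"queries for 50% with 100 forged/window: {queries_for(0.5, space, 100):,d}")
    for name, cap in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL), ("random", RANDOMISED)):
        print(f"{name:10s}", port_randomness_report(source_ports(cap)))
```

With 100 forged replies per query window the unpatched resolver falls in a few hundred attacker-triggered queries, which is seconds of traffic; the patched one needs tens of millions, which is why the answer describes the patch as slowing attacks down rather than ending them. The port check is deliberately crude: it only catches the two failure modes that were common before the patch (a single fixed port, or ports handed out sequentially by the OS), and a resolver behind a NAT that rewrites source ports can look weak here even when the resolver itself randomises, so run it on traffic captured on the resolver's own interface.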

Miya Knights