Stay networked. Get informed. Broadcast your projects.
Too much has been discussed about Core Internet Infrastructure and it is unlikely eliminate totally cybercrime. I have been taken to support this point of view deployment and implementation of DNSSEC. It is true that DNSSEC implementation faces a lot of challenges, and some of them are related with security of this protocol. According to (Mitchell, 2007) “DNSSEC allows transaction level authentication and secure zone transfers protecting all data in the zone during the transfer. In DNSSEC, Namebased authentication attacks can be detected”
It is true that DNSSEC it is a good tool to prevent Man-In-The-Middle attacks, but like Deployment Working Groups suggests “DNSSEC does not offer any protection against DoS attack” . In addition, Mitchell claims: “DNSSEC does not protect against buffer overruns or DDoS attacks, nor does it provide confidentiality.”1 Besides to this challenges are complexity of implementation of the protocol in developing countries like mine where DNSSEC is already implemented just on ccTLD but not even local CERT have statistic information about it, because it is still in creation.
Some studies has focused on discover what are vulnerabilities on DNSSEC protocol to add value to discussion on implementation like A
Security Evaluation of DNSSEC with NSEC3 on Stanford University and another ones between Colorado State University and UCLA and Gigaport Programme has realized tests to this protocol to know about it. In any new study theory affirms that DNSSEC is secure but need some improvements.
I have been studied DNSSEC protocol to implement on DNS server but I have observed that DNSSEC focuses on records of zone files, and some problems in signatures lifetimes.. It is important to know that to implement DNSSEC in a DNS is required that TLD be signed, the registar must support it and hosting provider too. I am working on a mayor office and some hosting providers does not offer this support yet. This is one of challenges to implement DNSSEC too. There is no exists a clear conscience of the threats, not in some providers that I have contacted.
It is no an easy task to achieve completely secure DNS, attacks can (and will) come at vulnerabilities in every layer. Any of these layers can filter an attack: Humans, Applications, Transport, Network, Physical. Attacks are only one of the reasons systems can fail. There are many other ways systems are vulnerable. Cryptography, for example, is only a tool in securing information systems and their communications but also has risks on authentication (pishing) or like password sniffing. In some cases encryption is too slow and cumbersome.
Some other Internet Security Mechanisms are already implemented like Firewalls, Intrusion Detection/Prevention Systems, Anti-Virus Software. These mechanisms can either be deployed on individual hosts or on dedicated network servers.
Like this exists a miriad of another vulnerabilities waiting to be discovered and studied. While h
umans exist there will be a way to vulnerate systems or to find bugs on Internet services. New vulnerabilities are discovered every day, this unfortunately also apply to cybercrime. New ways to exploiting registries and registrars systems are tested every day, but also bad practices and maybe lack of knowledge or simply do not aware about security issues make Internet Core weak. Kaminsky itself said on World Conference on International Telecommunications (WCIT-12) meeting "Things will get better, but be aware as we go ahead and re-engineer: A lot of forces are not about reliability, and because of that they are dangerous."
1 Mitchell, S. A. (2007). Security vulnerabilities in DNS and DNSSEC. Proceedings of ARES 2007, The International Conference on Availability, Reliability and Security (pp. 335-342). Vienna: IEEE Computer Society Press.