|
On January 18, 2012, Comcast customers found they could not access the NASA.gov website. Some users assumed that Comcast was deliberately blocking the website or that NASA, like Wikipedia and Reddit, was participating in the “blackout” protests against the Stop Online Piracy Act (SOPA) going on that day. As it turned out, the truth was much less exciting, but it offers important lessons about DNSSEC.
As I’ve blogged before, Comcast is leading the way in DNSSEC deployment among American ISPs. All of its customers have been moved to DNS resolvers capable of validating DNSSEC signatures. This is great news for their security; it means Comcast customers are protected from man-in-the-middle DNS attacks against sites that choose to sign their domains with DNSSEC.
NASA, too, is an early DNSSEC adopter. Its domain, nasa.gov, is signed. Unfortunately, the agency experienced a hiccup in January that meant it temporarily published incorrect key information. That in turn meant Comcast customers—and anybody else using validating DNS resolvers—experienced an error when attempting to connect to the NASA site.
The problem occurred during a key rollover, as many early DNSSEC implementation issues do. It’s good security practice to periodically change the two cryptographic keys used by DNSSEC—the Key Signing Key (KSK) and the Zone Signing Key (ZSK)—to mitigate the risk of the keys being compromised by attackers. NASA was in the process of such a rollover when its problems occurred.
As I explained in a SecurityWeek column, during a key rollover you temporarily need two sets of keys live at the same time. Before removing the expiring keys from your DNS records, you need to bring the new keys on board until you can be certain that Time-To-Live limits on the old keys have expired and recursive name servers are no longer caching them. In other words, during the rollover, your domain name needs to be double-signed for a period.
According to Comcast, NASA made the mistake of going live with a new KSK while its Delegation Signer records still pointed to the old one. To a DNS resolver, this appeared as if the key was missing or had been compromised, so the resolution failed.
The problem was easily and quickly rectified by NASA, but the incident illustrates how even the most technically adept organizations can suffer teething troubles when they manually manage tricky procedures like key rollover. Early adopters need to have well-documented and rigorously adhered-to processes in place to ensure these kinds of slips don’t happen.
A better solution is automation. DNSSEC is an important security update to the Internet’;s plumbing, and it should not be a headache to deploy and manage. That’s why we offer organizations a way to take the risk and complexity out of DNSSEC with Afilias One Click DNSSEC service. Using One Click DNSSEC, Managed DNS customers are able to quickly and easily secure their domain names and seamlessly manage key rollovers—and avoid the embarrassment of an issue like NASA suffered.
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byCSC
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byDNIB.com
Is that a warranty?
It's a convenient solution
@RAM… As you mentioned that Comcast customer doesn’t able to access NASA.gov website because of the KSK rollover, this means that Comcast recursive server was dropping the reply for the NASA.gov as it was not able to authenticate the signed record which is getting from the NS of NASA.gov with the public key that it get from .gov domain (parent domain for NASA.gov).
Is Comcast was really doing that because till yet, i haven’t heard about the DNS feature by which you can drop the signed answer if it is not matching with the public key provided by parent domain.