Home / Blogs

NASA Teething Troubles Teach a DNSSEC Lesson

On January 18, 2012, Comcast customers found they could not access the NASA.gov website. Some users assumed that Comcast was deliberately blocking the website or that NASA, like Wikipedia and Reddit, was participating in the “blackout” protests against the Stop Online Piracy Act (SOPA) going on that day. As it turned out, the truth was much less exciting, but it offers important lessons about DNSSEC.

As I’ve blogged before, Comcast is leading the way in DNSSEC deployment among American ISPs. All of its customers have been moved to DNS resolvers capable of validating DNSSEC signatures. This is great news for their security; it means Comcast customers are protected from man-in-the-middle DNS attacks against sites that choose to sign their domains with DNSSEC.

NASA, too, is an early DNSSEC adopter. Its domain, nasa.gov, is signed. Unfortunately, the agency experienced a hiccup in January that meant it temporarily published incorrect key information. That in turn meant Comcast customers—and anybody else using validating DNS resolvers—experienced an error when attempting to connect to the NASA site.

The problem occurred during a key rollover, as many early DNSSEC implementation issues do. It’s good security practice to periodically change the two cryptographic keys used by DNSSEC—the Key Signing Key (KSK) and the Zone Signing Key (ZSK)—to mitigate the risk of the keys being compromised by attackers. NASA was in the process of such a rollover when its problems occurred.

As I explained in a SecurityWeek column, during a key rollover you temporarily need two sets of keys live at the same time. Before removing the expiring keys from your DNS records, you need to bring the new keys on board until you can be certain that Time-To-Live limits on the old keys have expired and recursive name servers are no longer caching them. In other words, during the rollover, your domain name needs to be double-signed for a period.

According to Comcast, NASA made the mistake of going live with a new KSK while its Delegation Signer records still pointed to the old one. To a DNS resolver, this appeared as if the key was missing or had been compromised, so the resolution failed.

The problem was easily and quickly rectified by NASA, but the incident illustrates how even the most technically adept organizations can suffer teething troubles when they manually manage tricky procedures like key rollover. Early adopters need to have well-documented and rigorously adhered-to processes in place to ensure these kinds of slips don’t happen.

A better solution is automation. DNSSEC is an important security update to the Internet’;s plumbing, and it should not be a headache to deploy and manage. That’s why we offer organizations a way to take the risk and complexity out of DNSSEC with Afilias One Click DNSSEC service. Using One Click DNSSEC, Managed DNS customers are able to quickly and easily secure their domain names and seamlessly manage key rollovers—and avoid the embarrassment of an issue like NASA suffered.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Ram Mohan, Chief Operating Officer at Afilias

Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Visit Page

Filed Under

Comments

"That's why we offer organizations a way to take the risk and complexity out of DNSSEC" John Berryhill  –  Mar 27, 2012 12:45 PM

Is that a warranty?

It's a convenient solution Ram Mohan  –  Mar 27, 2012 2:02 PM

It's a convenient solution

Is comcast reject domains whose key doesn't match Gaurav Kansal  –  Mar 31, 2012 5:31 PM

@RAM… As you mentioned that Comcast customer doesn’t able to access NASA.gov website because of the KSK rollover, this means that Comcast recursive server was dropping the reply for the NASA.gov as it was not able to authenticate the signed record which is getting from the NS of NASA.gov with the public key that it get from .gov domain (parent domain for NASA.gov).

Is Comcast was really doing that because till yet, i haven’t heard about the DNS feature by which you can drop the signed answer if it is not matching with the public key provided by parent domain.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com