After looking at the state of DNSSEC in some detail a little over a year ago in 2006, I've been intending to come back to DNSSEC to see if anything has changed, for better or worse, in the intervening period... To recap, DNSSEC is an approach to adding some "security" into the DNS. The underlying motivation here is that the DNS represents a rather obvious gaping hole in the overall security picture of the Internet, although it is by no means the only rather significant vulnerability in the entire system. One of the more effective methods of a convert attack in this space is to attack at the level of the DNS by inserting fake responses in place of the actual DNS response.
I loved John Todd's ETel presentation (podcast) on FreeNum, a scheme for bringing phone numbers to the Internet. Of course, I love identifiers and addresses and all that they enable, so it was a natural. Suppose you were a university campus and when you looked at your phone bill, you noticed that a lot of calls were to other universities. You've got a VoIP telephone system; they've all got VoIP telephone systems. You might wonder "isn't there some way to route these calls over the Internet and save some serious money?" The answer, of course is "yes" but making it usable is a little harder...
After much initial fanfare a couple of years ago ENUM has matured to a state where it is currently yet another under-achiever in the technology deployment stakes. ENUM initially presented itself as a very provocative response to the legacy telco position of monopolising public voice services through their exclusive control over the Public Switched Telephone Network (PSTN) and the associated controlling position over the telephone number space... The perception was that ENUM was going to dismantle these levers of control and open up the voice market to a new wave of competitive carriers. If the address plan was the key to the PSTN, then ENUM was intended unlock this network and position the new wave of Voice Over IP (VOIP) carriers to take over any residual treasures of the traditional voice market. Events have not played out according to these expectations...
In looking at the general topic of trust and the Internet, one of the more critical parts of the Internet's infrastructure that appears to be a central anchor point of trust is that of the Domain Name Service, or DNS. The mapping of "named" service points to the protocol-level address is a function that every Internet user relies upon, one way or another. The ability to corrupt the operation of the DNS is one of the more effective ways of corrupting the integrity of Internet-based applications and services. If an attacker can in some fashion alter the DNS response then a large set of attack vectors are exposed. ...The more useful question is whether it is possible to strengthen the DNS. The DNS is a query -- response application, and the critical question in terms of strengthening its function is whether it is possible to authenticate the answers provided by the DNS. DNSSEC provides an answer to this question.
ENUM has a critical role to play in telephony services convergence. Although many carriers are adopting ENUM there are myths swirling around the confuse newcomers. In data networks, the domain name system (DNS) is responsible for converting Uniform Resource Locators (URL's) to IP addresses in order to route data traffic. The ENUM protocol performs a similar essential function of linking E.164 telephone numbers to Universal Resource Identifiers (URIs) -- enabling communication services to use traditional phone numbers to set up calls over IP networks. Unfortunately, there's a good deal of hype and confusion around ENUM, which might lead carriers to delay ENUM implementations. That delay would be a mistake...
In follow-up to recent announcement on the release of the latest edition of the very popular DNS and BIND book -- often referred to as the bible of DNS -- CircleID has caught up with Cricket Liu, co-author and a world renowned authority on the Domain Name System. In this interview, Cricket Liu talks about emerging issues around DNS such as security and IPv6 support, and important new features such as internationalized domain names, ENUM (electronic numbering), and SPF (the Sender Policy Framework). "Cricket Liu: We're now seeing more frequent attacks against DNS infrastructure. ...Turns out that name servers are terrific amplifiers -- you can get an amplification factor of nearly 100x. These attacks have raised awareness of the vulnerability of Internet name servers, which is possibly the only positive result..."
I like the drift of the Pulver/Evslin proposal on emergency communications, and wish there was as vigorous a debate going on over here. I just hope we in the UK aren't jerked out of complacency by some major disaster -- although widespread use of pre-paid cellular means the problem of sunken landlines isn't as acute. Yet I can't help but wonder why the poor public has to wait for a disaster before they're given partial control over how their number maps to different destinations and services. Why can't I get a voicemail service from someone other than my connectivity provider? Why is ENUM hostage to the telcos, whose interest lies in ensuring that new services can only come from them?
Many communications networks are constructed for a single form of communication, and are ill suited to being used for any other form. Although the Internet is also a specialized network in terms of supporting digital communications, its relatively unique flexibility lies in its ability to digitally encode a very diverse set of communications formats, and then support their interaction over the Internet. In this way many communications networks can be mapped into an Internet application and in so doing become just another distributed application overlayed on the Internet. From this admittedly Internet-centric perspective, voice is just another Internet application. And for the growing population of Voice over IP (VoIP) users, this is indeed the case...
If there is one word in the telecommunications that has suffered from over-abuse for many years now, it's convergence. The term has been liberally applied to each successive generation of communications technology for their supposed ability to solve a myriad of service delivery problems within a single unifying converged carriage and service delivery solution. Unfortunately, the underlying reality has always been markedly different from these wondrous promises, and we continue to see an industry that deploys a plethora of service delivery platforms and an equally diverse collection of associated switching and service delivery technologies. One can't help but wonder at the collective gullibility of an industry that continues to herald the convergent attributes of each new generation of communications technology, while at the same time being forced to admit that previous convergent promises have never been realized.
Ever since Neustar announced they signed a deal with GSMA to oversea global database for the mobile operators last week (see also Washington Post), there are many debates about the deal online. "Neustar, a company that should certainly know better, has announced that they're going to create a .gprs TLD to serve the mobile phone industry This, of course, requires creation of a private root zone, against the very strong warnings in RFC 2826" said Steven Bellovin. To the more supportive John Levine: "This isn't quite as stupid as it seems. The GSM industry needs some way to maintain its roaming user database, the database is getting considerably more complicated with 3G features, and it looks to me like they made a reasonable decision to use DNS over IP to implement it rather than inventing yet another proprietary distributed database."