

Friday, March 6, 2009

Kaminsky Reluctant on DNSSEC

Dan Kaminsky, director of penetration testing at IOActive, got a lot of attention last year when he discovered a flaw in the Domain Name System, which underlies the Internet, that could allow poisoning of DNS caches. Since then, he said, he has become a believer in the DNS Security Extensions (DNSsec), which digitally sign DNS data so that responses to queries can be trusted.

“I’ve never been a DNSsec supporter,” he said at the recent Black Hat DC security conference in Arlington, Va. But nothing scales like DNS, he said, including security tools. So he sees no other solution but to use DNSsec.

That doesn’t mean he’s happy about it. He said DNSsec is too complex to implement and administer, sentiments shared by many who have worked with the technology. But help is on the way as vendors develop appliances to automate the processes that generate and update keys and do the signing.

In the meantime, 25 percent of DNS servers have not been updated with the quick-fix patch issued last year for the vulnerability, and stealthy exploits have appeared. Kaminsky estimated that 1 percent to 3 percent of unpatched servers have been poisoned. It’s never too late to patch your servers, and it’s easier than implementing DNSsec.

Source: Government Computer News, "Kaminsky embraces DNSsec, reluctantly", retrieved Mar 06, 2009


  1. This picture doesn't make sense... What the hell is up w/ the horse dude?

  2. Horses are sometimes seen as reluctant, dude.

  3. Don't listen to the OP, your blog is really kewl, and trolls suck. :)