Interesting paper here:
The primary contribution of this paper is to expose the inherent risks involved in a basic Internet service.
Perils of Transitive Trust in the Domain Name System, Venugopalan Ramasubramanian and Emin Gun Sirer, In Proceedings of Internet Measurement Conference (IMC), Berkeley, California, October, 2005.
Well, no, not really. All the risks mentioned in the paper are common knowledge among people who deal with these things.
These risks create an artificial dilemma between failure resilience, which argues for more geographically distributed nameservers, and security, which argues for fewer centralized trusted nodes.
Well, no, not really. Fewer centralized trusted nodes wouldn’t necessarily increase security; they’d just reduce the number of targets that would be worth attacking. While a smaller trusted computing base may be better for security within a single organization, it’s not clear it is better for security of a distributed service such as DNS across the distributed Internet.
The paper further expresses surprise to find that many DNS servers are run by gasp academic institutions! The paper says such institutions do not have a financial relationship with the domains they serve and thus no fiduciary incentives to do it right. That’s true, but fiduciary incentives are not the only incentives, and the more diverse the administrators of DNS servers the less likely they are all to be simultaneously compromised by commercial or political pressures.
The paper goes on to document specific numbers of vulnerable nameservers. This information could be used to help fix the problem.
Of the 166771 nameservers we surveyed, 27141 have known vulnerabilities.
This is a step in the direction of a reputation system. Why not take the next two steps?
Here’s a rough sketch of a DNS reputation system:
1. Find out which DNS servers are running old buggy versions of software. OK, the authors of the paper claim to have done this.
2. Inform the administrators of those DNS servers, and give them a fixed time in which to fix them.
3. Then publish the names and addresses of those that don’t.
If that step (3) seems too draconian, use the dependency graph to determine what other nameservers depend on the buggy servers, and tell the administrators of the dependent nameservers. Might as well recommend DNSSEC while you’re at it. And of course iterate so as to check back later on all the surveyed nameservers.
In other words, don’t throw out the baby with the bathwater by centralizing nameservers. Instead, leverage the open decentralized nature of the Internet to fix the problem.
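To make the dependency-graph variant of that sketch concrete, here is a small added example (my own illustration, not code from the paper or its authors). It builds the transitive trust graph the paper is about from a handful of constructed NS records: a zone depends not only on its own nameservers but on the nameservers of the zones those hostnames live in, and so on outward. Given a set of flagged (buggy) servers, it lists every surveyed zone that depends on them, directly or transitively, together with the contact to notify, and implements the grace period of steps (2) and (3). All zone names, hostnames, contacts and dates are hypothetical.

```python
"""Transitive trust walk over NS records, with the notify-then-publish timeline."""
from collections import deque
from datetime import date, timedelta

# Constructed survey data (hypothetical zones and nameservers, not real hosts).
# zone -> hostnames in its NS RRset
NS_RECORDS = {
    "example.com.":         ["ns1.example.com.", "ns2.hosting.example.net."],
    "hosting.example.net.": ["ns1.hosting.example.net.", "ns.univ.example.edu."],
    "univ.example.edu.":    ["ns.univ.example.edu.", "ns2.univ.example.edu."],
    "shop.example.org.":    ["ns1.dnsprov.example.", "ns2.dnsprov.example."],
    "dnsprov.example.":     ["ns1.dnsprov.example.", "ns2.dnsprov.example."],
}

# zone -> administrative contact, as the SOA RNAME would give it (constructed).
ZONE_CONTACT = {
    "example.com.":         "hostmaster@example.com",
    "hosting.example.net.": "noc@hosting.example.net",
    "univ.example.edu.":    "dns-admin@univ.example.edu",
    "shop.example.org.":    "it@shop.example.org",
    "dnsprov.example.":     "ops@dnsprov.example",
}


def zone_of(hostname, zones=NS_RECORDS):
    """Closest enclosing surveyed zone of a nameserver hostname: the zone a
    resolver must query to learn that server's address. None if unsurveyed."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def transitive_nameservers(zone, ns_records=NS_RECORDS):
    """Every nameserver whose compromise could affect resolution of `zone`.
    Returns {nameserver: zone through which it was reached} so a notice can
    explain the path. Breadth-first over the NS -> enclosing-zone -> NS chain."""
    reached, seen_zones, queue = {}, set(), deque([zone])
    while queue:
        z = queue.popleft()
        if z in seen_zones:
            continue
        seen_zones.add(z)
        for ns in ns_records.get(z, []):
            reached.setdefault(ns, z)
            parent = zone_of(ns, ns_records)
            if parent is not None and parent not in seen_zones:
                queue.append(parent)
    return reached


def dependants_of(flagged, ns_records=NS_RECORDS):
    """Zones that depend, directly or transitively, on any flagged server,
    mapped to the flagged servers they depend on."""
    result = {}
    for zone in ns_records:
        hit = sorted(set(transitive_nameservers(zone, ns_records)) & set(flagged))
        if hit:
            result[zone] = hit
    return result


def notification_list(flagged, ns_records=NS_RECORDS, contacts=ZONE_CONTACT):
    """Step (2) in its less draconian form: who to tell, split into the flagged
    servers a zone lists itself versus those it only inherits transitively."""
    notices = []
    for zone, servers in sorted(dependants_of(flagged, ns_records).items()):
        own = set(ns_records[zone])
        notices.append({
            "zone": zone,
            "contact": contacts.get(zone, "<unknown contact>"),
            "direct": [s for s in servers if s in own],
            "transitive": [s for s in servers if s not in own],
        })
    return notices


def overdue(notified_on, still_vulnerable, today, grace=timedelta(days=30)):
    """Step (3): servers notified more than `grace` ago that a re-survey still
    finds vulnerable are the ones whose names would be published."""
    return sorted(ns for ns, when in notified_on.items()
                  if ns in still_vulnerable and today - when > grace)


if __name__ == "__main__":
    flagged = {"ns.univ.example.edu."}
    for n in notification_list(flagged):
        print(n["zone"], "->", n["contact"], "direct:", n["direct"],
              "transitive:", n["transitive"])
```

With the constructed data, flagging the university's server reaches example.com. even though example.com. never lists it: example.com. delegates to a host under hosting.example.net., and that zone in turn depends on ns.univ.example.edu. That second hop is exactly the transitive dependency the paper measures, and the notice to example.com.'s administrator can say so.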
-jsq
PS: This paper seen on Dave Farber’s Interesting People list. It has also been noted in a BBC story.