Security researcher Dan Kaminsky made headlines last year when he discovered a critical DNS flaw. If left unpatched it could have crippled vast parts of the Internet.
As 2009 starts up, a new DNS (define) flaw has emerged, but the severity of the threat is less pronounced.
ISC (Internet Systems Consortium) the group leading development of the open source BIND DNS server that dominates the Internet, quietly issued a patch to multiple versions of BIND this week.
The flaw affects elements of DNSSEC (define), which are extensions used to add
an additional layer of security to the Domain Name System. DNSSEC protocols are what the ISC and other security experts identified as the long term solution to the Kaminsky flaw.
ISC and security watchers gave the flaw a low severity rating.
“The flaw is specific to certain usages of DNSSEC,” Joao Damas, senior programming manager, ISC told InternetNews.com. “It is strongly advised that all BIND DNSSEC deployments update in case they are using the particular pattern affected (DSA keys in some cases) and to prevent coming across the problem in the future unexpectedly.”
DNSSEC or DNS Security Extensions add the concept of digitally signed domain information to the global DNS system. DNSSEC relies on encryption for the signed domain information; in the case of BIND it uses elements of the OpenSSL libraries. OpenSSL is an open source technology for SSL (define) and it is there where a a signature validation bug was found that could potentially affect BIND DNS.
According to the ISC’s advisory on the flaw, it is theoretically possible to spoof answers returned from zones using the DNSKEY algorithms DSA (3) and ^7DSA8^ (6). Damas added that to date he is unaware of any weaponized exploits in the wild for the patched issue.
“From all we have seen the chances are slim that this would be able to be effectively weaponized,” Damas commented. “These (changes) are mostly about defensive programming, testing for return cases that we were not expecting before and flagging them if encountered.”