
Expert identifies the latest DNS challenges

May 03, 2006

* Part 1 of a Q&A with DNS expert Cricket Liu

DNS expert Cricket Liu this month will release the latest version of his book, “DNS and BIND,” one of the definitive textbooks about the Internet’s Domain Name System. Liu is vice president of architecture for Infoblox, which sells network appliances that handle DNS and related protocols.

I spoke recently with Liu about the status of DNS and the looming threats for corporate network managers. In the next two issues of the Service Provider News Report, I’ll provide excerpts from our conversation.

Q. How would you describe the state of the DNS?

A. We keep hanging new applications off of DNS like Enum. [Enum is an IETF standard finalized in October 2000 that allows an end user to type a telephone number into a Web browser and access a list of corresponding Internet resources for that number, such as an IP address.] Then we extend the protocol with DNSSEC and IDNs. [DNS Security Extensions is an IETF standard that uses digital signatures to provide authentication of DNS zones. Internationalized Domain Names are an IETF technique for supporting foreign language characters in domain names.] We keep on adding all of this stuff, but we don’t take into account the fact that DNS in its pure form is fairly tricky to administer. The syntax is notoriously unforgiving. Name server operation is a black art. DNS is going to be an interesting area because a lot of these new applications like Enum have gravitated towards DNS because there is no other global look-up service on the Internet. But people are having a hard time with DNS as it is today without trying to manage user data in zones or trying to sign zones.
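The telephone-number-to-DNS mapping that the bracketed note describes is concrete enough to show in code. What follows is an added example, not part of the interview or of Liu's book: it builds the ENUM domain name for an E.164 number (digits reversed, dot-separated, under e164.arpa, per RFC 3761), then applies the NAPTR "regexp" rewrite rules that an ENUM lookup returns to turn the number into URIs. The function names and the NAPTR records are constructed for illustration; no real registration is queried, so it runs offline.

```python
import re
from typing import Dict, List, Optional, Tuple

# Suffix of the public ENUM tree (RFC 3761).
ENUM_SUFFIX = "e164.arpa."


def e164_to_enum(number: str) -> str:
    """Map an E.164 number such as '+1-202-555-0123' to its ENUM domain name.

    RFC 3761: keep only the digits, reverse them, join with dots and append
    e164.arpa.  '+12025550123' -> '3.2.1.0.5.5.5.2.0.2.1.e164.arpa.'
    """
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError(f"no E.164 digits in {number!r}")
    return ".".join(reversed(digits)) + "." + ENUM_SUFFIX


# NAPTR record as (order, preference, flags, service, regexp, replacement).
Naptr = Tuple[int, int, str, str, str, str]

# Constructed sample data standing in for the NAPTR RRset an ENUM query would
# return; these are illustrative records, not real registrations.
NAPTR_RECORDS: Dict[str, List[Naptr]] = {
    "3.2.1.0.5.5.5.2.0.2.1.e164.arpa.": [
        (102, 10, "u", "E2U+mailto", "!^.*$!mailto:info@example.com!", "."),
        (100, 10, "u", "E2U+sip",    "!^.*$!sip:info@example.com!",    "."),
        (101, 10, "u", "E2U+tel",    r"!^\+(\d+)$!tel:+\1!",            "."),
    ],
}


def apply_naptr_regexp(regexp: str, subject: str) -> Optional[str]:
    """Apply a NAPTR 'regexp' field to subject.

    RFC 3403 section 4.1 layout: delimiter, pattern, delimiter, replacement,
    delimiter, optional 'i' flag.  Returns the rewritten string, or None when
    the pattern does not match.  Escaped delimiters inside the pattern are not
    handled by this simple splitter (a limitation of the example).
    """
    if len(regexp) < 3:
        raise ValueError(f"malformed NAPTR regexp {regexp!r}")
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) != 3:  # pattern, replacement, flags
        raise ValueError(f"malformed NAPTR regexp {regexp!r}")
    pattern, replacement, flags = parts
    re_flags = re.IGNORECASE if "i" in flags else 0
    m = re.search(pattern, subject, re_flags)
    if m is None:
        return None
    # NAPTR allows \1..\9 back-references, which Match.expand() understands.
    return m.expand(replacement)


def resolve_enum(number: str,
                 records: Dict[str, List[Naptr]] = NAPTR_RECORDS) -> List[Tuple[str, str]]:
    """Return (service, uri) pairs for number, ordered by NAPTR order/preference.

    Only terminal records (flag 'u') are turned into URIs; a non-terminal
    record would require a further NAPTR lookup and is skipped here.
    """
    subject = "+" + re.sub(r"\D", "", number)  # the regexp is applied to the E.164 form
    rrset = records.get(e164_to_enum(number), [])
    results: List[Tuple[str, str]] = []
    for _order, _pref, flags, service, regexp, _replacement in sorted(rrset):
        if "u" not in flags.lower():
            continue
        uri = apply_naptr_regexp(regexp, subject)
        if uri is not None:
            results.append((service, uri))
    return results


def first_uri_for(number: str, service: str) -> Optional[str]:
    """Most preferred URI for one ENUM service (e.g. 'E2U+sip'), or None."""
    for svc, uri in resolve_enum(number):
        if svc.lower() == service.lower():
            return uri
    return None


if __name__ == "__main__":
    for svc, uri in resolve_enum("+1-202-555-0123"):
        print(f"{svc:12} {uri}")
```

Against the constructed records the SIP contact comes first because its NAPTR order is lowest, which is the point of the order/preference fields: the zone owner, not the caller, ranks the contact methods. In a real deployment the records would come from a DNS query for the name that e164_to_enum() produces.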

Q. You mentioned Enum. Where does that service stand in terms of deployment?

A. There has been very little adoption in the corporate sector as far as I can tell. I just ran 11 seminars in Europe, and not one attendee was doing an Enum implementation. Any Enum adoption is happening at the carrier level, and the carriers are monkeying around with it rather than deploying it in production mode.

Q. How long will it be until Enum is a widely available service?

A. We’re likely to see something in two or three years.

Q. For years, DNS was a backwater in corporate networks. How serious are corporations about their DNS infrastructures today?

A. Most large corporations now understand how much [Microsoft’s] Active Directory depends on DNS. That’s the beginning of the understanding for them about DNS. Many companies are seeing that appliances are a very good solution for delivering mission-critical DNS.

Q. DNSSEC is long delayed. What’s the outlook for deployment?

A. It’s been over a decade since the IETF started working on DNSSEC. There’s been a substantial rewrite of the protocol, and the new version is called DNSSEC bis. It looks like they’ve ironed out some of the low-level protocol details. They’ve figured out a better way to do authentication of child zones. But it’s still going to be wicked hard to actually roll it out. The tools that you can get today in order to do DNSSEC are very manual and command line driven. DNSSEC bis still requires a whole lot of administrator intervention in order to roll over keys and re-sign data. Your zone data swells by a factor of four or five when you sign it.

Q. Is anyone running DNSSEC bis operationally?

A. The Swedish Network Information Center is actually signing .se. For the first time, they have given people who run subzones of .se the opportunity to have it signed by a parent. I gave two talks in Sweden last week, and I asked if anyone was doing DNSSEC. The only person who was doing it was a friend of mine who runs a small consulting firm. None of the major Swedish firms is using DNSSEC bis.

Q. What about DNSSEC deployment here in the U.S.?

A. I don’t know of anyone using DNSSEC – even the military. I don’t know of any parts of the Defense Department that are using it in a production environment. It is still very hard. When I was writing the DNSSEC material for the book, I wanted to document how to do key rollover, and there was no simple way to document it. There was no source material. You had to figure it out by reading between the lines of the RFCs. So it is still a very manual process. The trend in production DNS servers is to move away from command line tools and move to GUIs. That’s one of the reasons that Microsoft’s DNS server has become quite popular. DNSSEC bis runs counter to that trend. I have to wonder what adoption it will get unless it becomes mandatory.
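Liu's two answers above on DNSSEC both come back to the same operational burden: re-signing data before signatures expire and rolling keys by hand. The following is an added example, not Liu's or the book's method, that makes the timing constraints of a pre-publish zone-signing-key rollover explicit. The step ordering and the waits follow RFC 6781 section 4.1.1.1, which postdates this interview; the class and function names, the timing values and the RRSIG expiration table are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ZoneTimings:
    """Timing inputs for a rollover, all in seconds."""
    dnskey_ttl: int    # TTL of the zone's DNSKEY RRset
    max_rr_ttl: int    # largest TTL of any signed RRset in the zone
    propagation: int   # worst-case delay for every secondary to serve a new zone version


@dataclass(frozen=True)
class RolloverPlan:
    """Epoch times at which each step of a pre-publish ZSK rollover may start."""
    publish_new_key: int    # step 1: add the new DNSKEY, keep signing with the old ZSK
    sign_with_new_key: int  # step 2: re-sign with the new ZSK, keep the old DNSKEY published
    remove_old_key: int     # step 3: drop the old DNSKEY from the zone


def plan_prepublish_rollover(start: int, t: ZoneTimings) -> RolloverPlan:
    """Pre-publish ZSK rollover timing (RFC 6781 section 4.1.1.1).

    Step 2 has to wait until every validator that cached the old DNSKEY RRset
    has refetched it (dnskey_ttl) and every secondary serves the new DNSKEY
    RRset (propagation); signing earlier produces RRSIGs that some validators
    cannot verify.  Step 3 has to wait until no RRSIG made with the old key can
    still be served from a cache (max_rr_ttl + propagation).
    """
    if min(t.dnskey_ttl, t.max_rr_ttl, t.propagation) < 0:
        raise ValueError("timings must be non-negative")
    sign_at = start + t.dnskey_ttl + t.propagation
    remove_at = sign_at + t.max_rr_ttl + t.propagation
    return RolloverPlan(start, sign_at, remove_at)


def next_rollover_step(now: int, plan: RolloverPlan, done: int) -> str:
    """Given how many steps are already done (0..3), say what is allowed now.

    Returns 'publish', 'sign', 'remove', 'wait' or 'complete'.
    """
    if not 0 <= done <= 3:
        raise ValueError("done must be between 0 and 3")
    if done == 3:
        return "complete"
    thresholds = [plan.publish_new_key, plan.sign_with_new_key, plan.remove_old_key]
    names = ["publish", "sign", "remove"]
    return names[done] if now >= thresholds[done] else "wait"


def rrsets_due_for_resign(now: int, rrsig_expirations: Dict[str, int],
                          refresh_margin: int) -> List[str]:
    """Names whose RRSIGs expire within refresh_margin seconds of now.

    An RRSIG carries an absolute expiration time; once it passes, validators
    treat the data as bogus, so re-signing has to happen ahead of it.
    """
    return sorted(name for name, exp in rrsig_expirations.items()
                  if exp - refresh_margin <= now)


if __name__ == "__main__":
    # Constructed example timings, not taken from any real zone.
    timings = ZoneTimings(dnskey_ttl=3600, max_rr_ttl=86400, propagation=1800)
    plan = plan_prepublish_rollover(start=0, t=timings)
    print(plan)
    # Constructed RRSIG expiration times (epoch seconds) for two RRsets.
    expirations = {"www.example.com. A": 1_000_000, "example.com. MX": 1_500_000}
    print(rrsets_due_for_resign(now=900_000, rrsig_expirations=expirations,
                                refresh_margin=200_000))
```

The waits are what make the process hard to do by hand: with a one-day maximum TTL the old key cannot be removed until more than a day after the new one starts signing, and removing it early causes validation failures for anyone still holding the old signatures in cache. Automated signers exist today precisely to track these clocks.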