DNS is Not and Has Never Been Secure
Today's a heavy posting day. For those who love content, here you go! For those of you who hate sifting through days and days worth of banal crap, I apologize.
Over the weekend, Google suffered a DNS DoS, by which I mean their DNS resource records were hijacked and google.com effectively vanished from the Internet.
Details remain sketchy, but I think it's safe to say the reason this happened was because someone managed to convince a lot of computers that an unauthoritative machine was authoritative for the google.com domain. In plain English: we all trust our computers to know how to find the machines that run google.com. Our computers trust other computers, and so on, right from your desktop PC to the DNS servers at Google headquarters. This trust is completely bogus, since DNS packets can be forged and there is no existing way to verify the real from the fake. Moreover, DNS servers don't always reliably trust each other, and this lets some caches be poisoned.
It's not a BIND problem. It's not a djbdns problem. It's not even a GoDaddy problem. It's partially a protocol problem, and mostly a social problem: there is no good way for people to guarantee that the only machines qualified to give you information about google.com are ns1.google.com, ns2.google.com, ns3.google.com, and ns4.google.com. It seems obvious to us humans, but getting computers to correctly operate this way is damned tricky.
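As an added illustration (not the post's code, and not how any real resolver is implemented), here is a toy cache check in Python for the rule the post describes: a server you reached by following a delegation for one zone may only be believed about names inside that zone, and a reply must at least echo your transaction ID and question. The record names, addresses and the example.net server are constructed; these checks weed out the sloppiest poisoning but cannot tell a forged packet from a real one, which is the post's point.

```python
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str    # owner name, e.g. "ns1.google.com."
    rtype: str   # "A", "NS", ...
    rdata: str   # address or target name

@dataclass
class Reply:
    txid: int
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def labels(name):
    """Split a domain name into lower-cased labels; trailing dot ignored."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it (label-wise match)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def vet_reply(txid, qname, qtype, zone, reply):
    """Minimal cache sanity checks.  zone is the zone the queried server was
    delegated for.  Drop the reply whole on txid/question mismatch; otherwise
    drop only records outside the server's bailiwick.  Returns (kept, dropped)."""
    if (reply.txid != txid or labels(reply.qname) != labels(qname)
            or reply.qtype != qtype):
        return [], reply.answer + reply.authority + reply.additional
    kept, dropped = [], []
    for rr in reply.answer + reply.authority + reply.additional:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped

# Constructed sample 1: google.com's own server answers, with glue for itself.
HONEST = Reply(0x1234, "www.google.com.", "A",
               answer=[RR("www.google.com.", "A", "192.0.2.10")],
               authority=[RR("google.com.", "NS", "ns1.google.com.")],
               additional=[RR("ns1.google.com.", "A", "192.0.2.1")])

# Constructed sample 2: a server delegated only for example.net slips an
# address for ns1.google.com into its additional section.
SNEAKY = Reply(0x5678, "www.example.net.", "A",
               answer=[RR("www.example.net.", "A", "198.51.100.5")],
               additional=[RR("ns1.google.com.", "A", "198.51.100.66")])
```

A cache that skipped the bailiwick step would store the constructed 198.51.100.66 record and from then on ask the wrong machine where google.com lives.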
Information regarding the problem is available in a couple of talks by D. J. Bernstein. Grep for instances of "DNS security mess". He's working on a solution. Maybe it will work, maybe it won't.