A system administrator I knew at HP Labs, Mike Rodriquez, named his personal workstation “walstib.” Mike explained that it was an acronym for “What A Long, Strange Trip It’s Been,” which, he said, was a kind of motto among Deadheads. (I gather it’s a line from one of the many indistinguishable Grateful Dead songs. Sorry, Mike.)
So “WALSYIB” is my acronym for “What A Long, Strange Year It’s Been.” (And yes, I realize that I used a similar title for a previous blog post.) 2009 was a productive year: We made more progress in deployingDNSSEC in the last 12 months than in the previous 10 years. But we saw more attacks on DNS infrastructure, including cache poisoning attacks in the wild. And we saw the discovery (and subsequent patching) of more vulnerabilities in BIND.
Here, then, is the DNS year in review:
- January: My old friend Matt Larson and I announce The Ask Mr. DNS Podcast. (The high point of the DNS year, and it’s only January!) The ISP UkrTeleGroup, which hosted many malicious open recursive name servers, is “de-peered” by their uplink provider.
- February: IANA introduces the Interim Trust Anchor Repository (ITAR), a temporary clearinghouse for the trust anchors of top-level zones. VeriSign announces that they’ll sign all top-level zones they operate in the next 24 months. This includes .com and .net. Matt Larson later refines the timeline: .net will be signed in 2010, .com in 2011. .gov, the U.S. government’s top-level domain, is signed.
- March: .th (Thailand) becomes the first DNSSEC-signed zone in Asia.
- April: Hackers use an SQL injection attack against the main registrar in Puerto Rico to redirect users of the local versions of major web sites, while others use the same vector at a New Zealand registrar to redirect users of MSN’s New Zealand web site, Sony, HSBC and others. A cache poisoning attack in Brazil causes a banking Trojan to be served to the customers of a broadband carrier.
- May: A DDoS attack against a Chinese registrar takes out their name servers, and collateral damage caused by the response to the attack causes problems in many Chinese provinces.
- June: PIR begins signing .org, the first generic top-level domain (gTLD) to be signed, and the largest top-level zone to be signed.
- July:Eircom’s customers (Eircom is the largest broadband provider in Ireland) fall victim to a DNS cache poisoning attack which incidentally causes a DNS outage. BIND is patched for a DDoS vulnerability in which a specially crafted dynamicupdate can crash the name server
- September: .na (Namibia) becomes the first top-level zone in Africa to be signed. SWITCH begins a DNSSEC trial for the .ch (Switzerland) and .li (Liechtenstein) top-level zones. Niue’s .nu is signed.
- October:ICANN and VeriSign announce details of their arrangement to jointly administerthe signed root zone, as well as the timetable for signing the root.A flaw in the generation of the .se zone data causes a massive outage of Swedish domain names. Infoblox and The Measurement Factory release the results of theirfifth annual DNS Survey of the Internet’s DNS infrastructure. Michael Sinatra (of UC Berkeley–w00t!) discovers a flaw in BIND’s processing of DNSSEC-signed responses.
- November: Turkmenistan’s .tm is signed.
- December:Google announces their Public DNS service, offering free recursive nameservice. Neustar signs the .us zone.
{C}{C}{C}{C}{C}
What do we have to look forward to in 2010? The signing of the root zone by July 1, .net by the end of the year, and likely many more top-level zones. Internal U.S. government zones signed by the summer. Undoubtedly more vulnerabilities and more attacks, too. But if we see the amount of progress next year that we’ve already seen this year, the Internet will definitely be a safer place.
