NeuStar has applied for a US patent on a stop-gap technology for authenticating DNS queries without the need for DNSSEC.
The application, published today, describes a system of securing the DNS connection between authoritative name servers and recursive servers belonging to ISPs.
It appears to cover the technology underlying Cache Defender, a service it started offering via its UltraDNS brand last July.
It was created to prevent the kind of man-in-the-middle attacks permitted by the 2008 Kaminsky exploit, which let attackers poison recursive caches, redirecting users to phoney web sites.
The DNSSEC standard calls for DNS traffic to be digitally signed and was designed to significantly mitigate this kind of attack, but it has yet to be widely deployed.
Some ccTLDs are already signed, but gTLD users will have to wait until at least this summer. The .org zone will be signed in June and ICANN will sign the root in July but .com will not be signed until next year.
While Kaminsky’s vulnerability has been broadly patched, brute-force attacks are still possible, according an ISP’s experience cited in the patent filing.
“The patch that experts previously believed would provide enough time to get DNSSEC deployed literally provided the industry just a few extra weeks,” it reads.