DNSSEC: Interoperability Challenges and Transition Mechanisms

Author

Herzberg, Amir ; Shulman, Haya

Author_Institution

Comput. Sci. Dept., Bar Ilan Univ., Ramat Gan, Israel

fYear

2013

fDate

2-6 Sept. 2013

Firstpage

398

Lastpage

405

Abstract

Recent cache poisoning attacks motivate protecting DNS with strong cryptography, by adopting DNSSEC, rather than with challenge-response ´defenses´. We discuss the state of DNSSEC deployment and obstacles to adoption. We then present an overview of challenges and potential pitfalls of DNSSEC, including: Incremental Deployment: we review deployment status of DNSSEC, and discuss potential for increased vulnerability due to popular practices of incremental deployment, and provide recommendations. Long DNSSEC Responses; Long DNS responses are vulnerable to attacks, we review cache poisoning attack on fragmented DNS responses, and discuss mitigations; Trust Model of DNS: we review the trust model of DNS and show that it may not be aligned with the security model of DNSSEC. We discuss using trust anchor repositories (TARs) to mitigate the trust problem. TARs were proposed to allow transition to DNSSEC and to provide security for early adopters.

Keywords

Internet; cache storage; cryptography; open systems; DNS protection; DNSSEC deployment; Internet; TAR; anchor repositories; attack vulnerability; cache poisoning attacks; domain name system; incremental deployment; interoperability challenges; long DNS responses; long DNSSEC responses; strong cryptography; transition mechanisms; trust model; Cryptography; IP networks; Internet; Interoperability; Servers; Signal resolution; DNS cache poisoning; DNS security; DNSSEC; chain of trust; trust anchor;

fLanguage

English

Publisher

ieee

Conference_Titel

Availability, Reliability and Security (ARES), 2013 Eighth International Conference on

Conference_Location

Regensburg

Type

conf

DOI

10.1109/ARES.2013.53

Filename

6657269