Title :
DNSSEC: Interoperability Challenges and Transition Mechanisms
Author :
Herzberg, Amir ; Shulman, Haya
Author_Institution :
Comput. Sci. Dept., Bar Ilan Univ., Ramat Gan, Israel
Abstract :
Recent cache poisoning attacks motivate protecting DNS with strong cryptography, by adopting DNSSEC, rather than with challenge-response 'defenses'. We discuss the state of DNSSEC deployment and obstacles to adoption. We then present an overview of challenges and potential pitfalls of DNSSEC, including: Incremental Deployment: we review the deployment status of DNSSEC, discuss the potential for increased vulnerability due to popular practices of incremental deployment, and provide recommendations. Long DNSSEC Responses: long DNS responses are vulnerable to attacks; we review a cache poisoning attack on fragmented DNS responses and discuss mitigations. Trust Model of DNS: we review the trust model of DNS and show that it may not be aligned with the security model of DNSSEC. We discuss using trust anchor repositories (TARs) to mitigate the trust problem. TARs were proposed to allow transition to DNSSEC and to provide security for early adopters.
Keywords :
Internet; cache storage; cryptography; open systems; DNS protection; DNSSEC deployment; Internet; TAR; anchor repositories; attack vulnerability; cache poisoning attacks; domain name system; incremental deployment; interoperability challenges; long DNS responses; long DNSSEC responses; strong cryptography; transition mechanisms; trust model; Cryptography; IP networks; Internet; Interoperability; Servers; Signal resolution; DNS cache poisoning; DNS security; DNSSEC; chain of trust; trust anchor;
Conference_Title :
Availability, Reliability and Security (ARES), 2013 Eighth International Conference on
Conference_Location :
Regensburg
DOI :
10.1109/ARES.2013.53