DocumentCode
653800
Title
DNSSEC: Security and availability challenges
Author
Herzberg, Amir ; Shulman, Haya
Author_Institution
Dept. of Comput. Sci., Bar Ilan Univ., Ramat Gan, Israel
fYear
2013
fDate
14-16 Oct. 2013
Firstpage
365
Lastpage
366
Abstract
DNSSEC was proposed more than 15 years ago but its (correct) adoption is still very limited. Recent cache poisoning attacks motivate deployment of DNSSEC. In this work we present a comprehensive overview of challenges and potential pitfalls of DNSSEC, including: Vulnerable configurations: we show that inter-domain referrals (via NS, MX and CNAME records) present a challenge for DNSSEC deployment and may result in vulnerable configurations. Due to the limited deployment so far, these configurations are expected to be popular. Incremental Deployment: we discuss implications of interoperability problems on DNSSEC validation by resolvers and potential for increased vulnerability due to popular practices of incremental deployment. Super-sized Response Challenges: we explain how large DNSSEC-enabled DNS responses cause interoperability challenges, and can be abused for DoS and even DNS poisoning.
Keywords
cache storage; computer network security; open systems; CNAME record; DNS poisoning; DNS responses; DNSSEC deployment; DNSSEC validation; DoS; MX record; NS record; cache poisoning attacks; comprehensive overview; incremental deployment; inter-domain referrals; interoperability challenges; interoperability problems; super-sized response challenges; vulnerability; vulnerable configurations; Computer crime; Electronic mail; NIST; Servers; Web sites;
fLanguage
English
Publisher
IEEE
Conference_Titel
Communications and Network Security (CNS), 2013 IEEE Conference on
Conference_Location
National Harbor, MD
Type
conf
DOI
10.1109/CNS.2013.6682730
Filename
6682730