The Domain Name System (DNS) is used by virtually every Internet application, but has virtually no security. The DNS Security Extensions (DNSSEC) add essential authentication, but deploying DNSSEC in a large-scale environment is non-trivial. This paper examines the operational and technological considerations when DNS operators manage a large-scale deployment, such as an ISP with tens of thousands of zones, or a top-level domain that manages millions of domain name resource records.
We state the discovery, the threat posed, the resolution of the vulnerabilities analyzed, and the modus operandi of the mass attack implemented. Finally presented is a new idea currently being worked on, involving the use of cryptographic primitives that intend to bypass the theoretically naive "user-administrator" trust assumption, as a novel attempt to mould into the upcoming DNS Security Extensions architecture for securing online transactions. The paper deals with the analysis and countermeasures of a DNS-based routing and packet monitoring attack implemented over a public switched telephone network ISP. All data gathered here is the result of an integrated attack that led to the accumulation of original statistics over a period of time. Unlike conventional research carried out on isolated LANs, which involves test data and limited subnets so that network discovery is hardly an issue, our experiments involved the creation of real databases from which information targeting a particular victim had to be mined, due to the dynamic nature of IP assignment, multiple subnets, and multiple switched interfaces (PPP & Ethernet). Continuous monitoring and data mining thus played an important role, since conventional ARP-based attacks were not possible due to the involvement of multiple interfaces.
Making the Case for Elliptic Curves in DNSSEC van Rijswijk-Deij, Roland; Sperotto, Anna; Pras, Aiko
Computer Communication Review, 10/2015, Volume: 45, Issue: 5
Magazine Article
Open access
The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNSSEC is more susceptible to packet fragmentation and makes DNSSEC an attractive vector to abuse in amplification-based denial-of-service attacks. Additionally, key management policies are often complex. This makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice of RSA as the default cryptosystem in DNSSEC is a major factor in these three problems. Alternative cryptosystems, based on elliptic curve cryptography (ECDSA and EdDSA), exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNSSEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.
DNS Security Extensions (DNSSEC) is a proposed set of standards for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a challenge.
Virtually every Internet application relies on the Domain Name System, but security wasn't a major goal of its original design. The result is several critical vulnerabilities, reviewed in this introduction to a special issue on DNS security. To address the security challenges, the community developed the DNS Security Extensions (DNSSEC), which are undergoing deployment. The articles in this special issue summarize key aspects of how to deploy DNSSEC at authoritative servers, resolvers, and public key learning.
Two main security threats exist for DNS in the context of query/response transactions. Attackers can spoof authoritative name servers responding to DNS queries, alter DNS responses in transit through man-in-the-middle attacks, and alter the DNS responses stored in caching name servers. The IETF has defined the digital signature-based DNSSEC for protecting DNS query/response transactions through a series of Requests for Comments.