DNSSEC: Interoperability challenges and transition mechanisms

Amir Herzberg, Haya Shulman

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

9 Scopus citations

Abstract

Recent cache poisoning attacks motivate protecting DNS with strong cryptography, by adopting DNSSEC, rather than with challenge-response 'defenses'. We discuss the state of DNSSEC deployment and obstacles to adoption. We then present an overview of challenges and potential pitfalls of DNSSEC, including: Incremental Deployment: we review deployment status of DNSSEC, and discuss potential for increased vulnerability due to popular practices of incremental deployment, and provide recommendations. Long DNSSEC Responses: long DNS responses are vulnerable to attacks, we review cache poisoning attack on fragmented DNS responses, and discuss mitigations. Trust Model of DNS: we review the trust model of DNS and show that it may not be aligned with the security model of DNSSEC. We discuss using trust anchor repositories (TARs) to mitigate the trust problem. TARs were proposed to allow transition to DNSSEC and to provide security for early adopters.

Original language: English
Title of host publication: Proceedings - 2013 International Conference on Availability, Reliability and Security, ARES 2013
Pages: 398-405
Number of pages: 8
State: Published - 2013
Event: 2013 8th International Conference on Availability, Reliability and Security, ARES 2013 - Regensburg, Germany
Duration: 2 Sep 2013 to 6 Sep 2013

Publication series

Name: Proceedings - 2013 International Conference on Availability, Reliability and Security, ARES 2013

Conference

Conference: 2013 8th International Conference on Availability, Reliability and Security, ARES 2013
Country/Territory: Germany
City: Regensburg
Period: 2/09/13 to 6/09/13

Keywords

  • Chain of trust
  • DNS cache poisoning
  • DNS security
  • DNSSEC
  • Trust anchor
