Abstract
We propose a transport-layer cipher-suite negotiation mechanism for the DNSSEC standard, allowing name servers to send responses containing only the keys and signatures that correspond to the cipher-suite option negotiated with the resolver, rather than sending all the signatures and keys (as is done currently). As we show, the lack of cipher-suite negotiation is one of the factors impeding deployment of DNSSEC, and it also results in the adoption of weak ciphers. Indeed, the vast majority of domains rely on 1024-bit RSA, which is already considered insecure. Furthermore, domains that want better security have to support a number of cryptographic ciphers. As a result, DNSSEC responses are large and often fragmented, harming DNS functionality and causing inefficiency and vulnerabilities. A cipher-suite negotiation mechanism reduces response sizes, and hence solves the interoperability problems with DNSSEC-signed responses and prevents reflection and cache-poisoning attacks.
| Original language | English |
|---|---|
| Pages | 346-355 |
| Number of pages | 10 |
| State | Published - 8 Dec 2014 |
| Event | 30th Annual Computer Security Applications Conference, ACSAC 2014 - New Orleans, United States. Duration: 8 Dec 2014 → 12 Dec 2014 |
Conference
| Conference | 30th Annual Computer Security Applications Conference, ACSAC 2014 |
|---|---|
| Country/Territory | United States |
| City | New Orleans |
| Period | 8/12/14 → 12/12/14 |
Keywords
- Cipher suite negotiation
- DNS interoperability
- DNS security
- DNSSEC
Title: Less is more: Cipher-suite negotiation for DNSSEC