[Resource Topic] 2013/254: Towards Adoption of DNSSEC: Availability and Security Challenges

Welcome to the resource topic for 2013/254

Title:
Towards Adoption of DNSSEC: Availability and Security Challenges

Authors: Amir Herzberg, Haya Shulman

Abstract:

DNSSEC deployment is long overdue; however, it seems to be finally taking off. Recent cache poisoning attacks motivate protecting DNS, with strong cryptography, rather than with challenge-response ‘defenses’. Our goal is to motivate and help correct DNSSEC deployment. We discuss the state of DNSSEC deployment, obstacles to adoption and potential ways to increase adoption. We then present a comprehensive overview of challenges and potential pitfalls of DNSSEC, well known and less known, including:DNSSEC deployment is long overdue; however, it seems to be finally taking off. Recent cache poisoning attacks motivate protecting DNS, with strong cryptography, rather than with challenge-response ‘defenses’. Our goal is to motivate and help correct DNSSEC deployment. We discuss the state of DNSSEC deployment, obstacles to adoption and potential ways to increase adoption. We then present a comprehensive overview of challenges and potential pitfalls of DNSSEC, well known and less known, including: - Vulnerable configurations: we present several DNSSEC configurations, which are natural and, based on the limited deployment so far, expected to be popular, yet are vulnerable to attack. This includes NSEC3 opt-out records and interdomain referrals (in NS, MX and CNAME records). - Incremental Deployment: we discuss potential for increased vulnerability due to popular practices of incremental deployment, and recommend secure practice. - Super-sized Response Challenges: DNSSEC responses include cryptographic keys and hence are relatively long; we explain how this extra-long responses cause interoperability challenges, and can be abused for DoS and even DNS poisoning. We discuss potential solutions. - Vulnerable configurations: we present several DNSSEC configurations, which are natural and, based on the limited deployment so far, expected to be popular, yet are vulnerable to attack. This includes NSEC3 opt-out records and interdomain referrals (in NS, MX and CNAME records). - Incremental Deployment: we discuss potential for increased vulnerability due to popular practices of incremental deployment, and recommend secure practice. - Super-sized Response Challenges: DNSSEC responses include cryptographic keys and hence are relatively long; we explain how this extra-long responses cause interoperability challenges, and can be abused for DoS and even DNS poisoning. We discuss potential solutions.

ePrint: https://eprint.iacr.org/2013/254

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .