Title : 
DNSSEC: Security and availability challenges

Author : 
Herzberg, Amir ; Shulman, Haya

Author_Institution : 
Dept. of Comput. Sci., Bar Ilan Univ., Ramat Gan, Israel

Abstract : 
DNSSEC was proposed more than 15 years ago but its (correct) adoption is still very limited. Recent cache poisoning attacks motivate deployment of DNSSEC. In this work we present a comprehensive overview of challenges and potential pitfalls of DNSSEC, including:
Vulnerable configurations: we show that inter-domain referrals (via NS, MX and CNAME records) present a challenge for DNSSEC deployment and may result in vulnerable configurations. Due to the limited deployment so far, these configurations are expected to be popular.
Incremental Deployment: we discuss implications of interoperability problems on DNSSEC validation by resolvers and potential for increased vulnerability due to popular practices of incremental deployment.
Super-sized Response Challenges: we explain how large DNSSEC-enabled DNS responses cause interoperability challenges, and can be abused for DoS and even DNS poisoning.

Keywords : 
cache storage; computer network security; open systems; CNAME record; DNS poisoning; DNS responses; DNSSEC deployment; DNSSEC validation; DoS; MX record; NS record; cache poisoning attacks; comprehensive overview; incremental deployment; inter-domain referrals; interoperability challenges; interoperability problems; super-sized response challenges; vulnerability; vulnerable configurations; Computer crime; Electronic mail; NIST; Servers; Web sites;

Conference_Title : 
Communications and Network Security (CNS), 2013 IEEE Conference on

Conference_Location : 
National Harbor, MD

DOI : 
10.1109/CNS.2013.6682730