Cryptology ePrint Archive: Report 2013/254
Towards Adoption of DNSSEC: Availability and Security Challenges
Amir Herzberg and Haya Shulman
Abstract: DNSSEC deployment is long overdue; however, it seems to be finally taking off. Recent cache poisoning attacks motivate protecting DNS with strong cryptography, rather than with challenge-response ‘defenses’.

Our goal is to motivate and help correct DNSSEC deployment. We discuss the state of DNSSEC deployment, obstacles to adoption and potential ways to increase adoption. We then present a comprehensive overview of challenges and potential
pitfalls of DNSSEC, well known and less known, including:
Vulnerable configurations: we present several DNSSEC configurations which are natural and, based on the limited deployment so far, expected to be popular, yet are vulnerable to attack. This includes NSEC3 opt-out records and interdomain referrals (in NS, MX and CNAME records).

Incremental Deployment: we discuss the potential for increased vulnerability due to popular practices of incremental deployment, and recommend secure practice.

Super-sized Response Challenges: DNSSEC responses include cryptographic keys and hence are relatively long; we explain how these extra-long responses cause interoperability challenges, and can be abused for DoS and even DNS poisoning. We discuss potential solutions.
Category / Keywords: DNSSEC, DNS security, DNS cache poisoning.
Date: received 3 May 2013, last revised 10 May 2013
Contact author: haya shulman at gmail com
Version: 20130510:095307 (All versions of this report)