Paper 2013/254

Towards Adoption of DNSSEC: Availability and Security Challenges

Amir Herzberg and Haya Shulman

Abstract

DNSSEC deployment is long overdue; however, it seems to be finally taking off. Recent cache poisoning attacks motivate protecting DNS, with strong cryptography, rather than with challenge-response ‘defenses’. Our goal is to motivate and help correct DNSSEC deployment. We discuss the state of DNSSEC deployment, obstacles to adoption and potential ways to increase adoption. We then present a comprehensive overview of challenges and potential pitfalls of DNSSEC, well known and less known, including:DNSSEC deployment is long overdue; however, it seems to be finally taking off. Recent cache poisoning attacks motivate protecting DNS, with strong cryptography, rather than with challenge-response ‘defenses’. Our goal is to motivate and help correct DNSSEC deployment. We discuss the state of DNSSEC deployment, obstacles to adoption and potential ways to increase adoption. We then present a comprehensive overview of challenges and potential pitfalls of DNSSEC, well known and less known, including: - Vulnerable configurations: we present several DNSSEC configurations, which are natural and, based on the limited deployment so far, expected to be popular, yet are vulnerable to attack. This includes NSEC3 opt-out records and interdomain referrals (in NS, MX and CNAME records). - Incremental Deployment: we discuss potential for increased vulnerability due to popular practices of incremental deployment, and recommend secure practice. - Super-sized Response Challenges: DNSSEC responses include cryptographic keys and hence are relatively long; we explain how this extra-long responses cause interoperability challenges, and can be abused for DoS and even DNS poisoning. We discuss potential solutions. - Vulnerable configurations: we present several DNSSEC configurations, which are natural and, based on the limited deployment so far, expected to be popular, yet are vulnerable to attack. This includes NSEC3 opt-out records and interdomain referrals (in NS, MX and CNAME records). - Incremental Deployment: we discuss potential for increased vulnerability due to popular practices of incremental deployment, and recommend secure practice. - Super-sized Response Challenges: DNSSEC responses include cryptographic keys and hence are relatively long; we explain how this extra-long responses cause interoperability challenges, and can be abused for DoS and even DNS poisoning. We discuss potential solutions.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Unknown where it was published
Keywords
DNSSECDNS securityDNS cache poisoning.
Contact author(s)
haya shulman @ gmail com
History
2013-05-10: revised
2013-05-08: received
See all versions
Short URL
https://ia.cr/2013/254
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/254,
      author = {Amir Herzberg and Haya Shulman},
      title = {Towards Adoption of {DNSSEC}: Availability and Security Challenges},
      howpublished = {Cryptology {ePrint} Archive, Paper 2013/254},
      year = {2013},
      url = {https://eprint.iacr.org/2013/254}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.