- DNSSEC is supposed to be deployed rapidly and help improve security.
- DNSSEC is part of a global effort to deploy new security measures that will help the DNS perform as people expect it in a trustworthy manner
- However, deplyoment is slow and DNSSEC scalability is questioned by some experts and operators.
- Find out – read on we tell you the story.
Recently we discussed:
Already during 2006 we pointed out that DNSSEC (click on this link – choose Login as Guest – click on this linke again and you get access to some definitions) deplyoment was slow even though NISST had offered an extensive deployment guide:
Domain Name System Security Extensions (DNSSEC) intends to ensure that that requests are digitally signed and authenticated. This works as a defence against forged DNS data, a product of various kinds of attacks. For instance, an example is such as DNS cache poisoning. The latter enables an attacker to maybe trick unsuspecting survers into visiting a bogus website that poses as the real website of a bank.
Naturally, there are some politics behind the idea as outlined here:
The problem of trust can be described in two ways:
1) How do we know that CyTRAP.eu is is managed by the owner of the CyTRAP.eu domain?
2) As well, do we know that the owner of the CyTRAP.eu domain is CyTRAP Labs?
Current standard certificates attempt to resolve the challenge posed by problem A.
Problem B is now left to what some call “extended validation” certificates. In addition, in some scenarios problem B does not exist because the domain name is the identity that one cares about.
To illustrate, if I send e-mail to user-23@Yahoo.dk I may not care about who owns the domain yahoo.dk except that I want the e-mail to reach yahoo.dk and not a bogus site.
A DNSSEC PKI also addresses only problem A. It does so more directly, however, because the ownership of the domain as well as one’s ability to sign DNS records are tightly connected.
One has to find a way to authenticate domain ownership independently whereby one usually relies on domain registration information. Unfortunately, one can subvert this authentication process.
Some risks with a DNSSEC PKI
Usually, the public signing key for a domain is established as part of the registration process. Thereafter it is managed via interaction with the registrar. In this case one can undermine the validity of signed zone data by proceeding by compromising:
1. the domain’s signing key;
2. of an ancestor zone’s signing key;
3. of the domain owner’s registrar account; and
4. of whatever mechanism registrars use to submit public keys to the TLD registries for signing.
The domain signing key can be kept off line, thereby protecting it against some compromising efforts by malicious people. Nevertheless, compromising the signing key is higher, since it may allow a successful attacker to go ahead and issue many certificates.
Point 2 has a similar impact, since if any of the private key of one of the certified authorities (CAs) is being compromised, false certificates can be issued. And while the DNSSEC approach lowers the risk becuase there are fewer keys that must be proteteced, the risk remains.
Point 3 means that since current validation is founded on domain registration data, an attacker compromising the registrar account has a scary impact.
Point 4 might be limited if the Trust Anchor Repository (TAR) approach is rolled out extensively and proofs its scalability and workability in practice.
Please click on the link, choose option Guest Login – click on this link again and you get access to the extensive material offered in CyTRAP Labs’ glossaries explanations for geeks and other inquiring minds
Care to leave a comment below, how do you see it? Progress, failure, difficulties please share.
|Additional resources about DNSSEC – check it out:|
|CyTRAP Labs’ glossaries explanations for geeks and other inquiring minds – click on this link – choose Login as a Guest – click on this link again and you get access to the edxtensive material offered in
||sign up to our alerts about zero-day exploits and newsletters here|
|NIST Domain Name System Security (NSSEC Project
||Internet Governance Project – search for DNSSEC material