EUIST

July 2006 – NIST and CyTRAP Labs – recommendations for better implementation of DNSSEC

Domain Name System Security Extensions (DNSSEC) intends to ensure that that Domain Name requests are digitally signed and authenticated. This works as a defence against forged DNS data, a product of various kinds of attacks. For instance, an example is such as DNS cache poisoning. The latter enables an attacker to maybe trick unsuspecting survers into visiting a bogus website that poses as the real website of a bank.

Naturally, there are some politics behind the idea as outlined here:

The Politics of DNSSEC: The Light Begins to Dawn at IETF

The problem of trust can be described in two ways:

1) How do we know that CyTRAP.eu is is managed by the owner of the CyTRAP.eu domain?

2) As well, do we know that the owner of the CyTRAP.eu domain is CyTRAP Labs?

Current standard certificates attempt to resolve the challenge posed by problem A.

Problem B is now left to what some call “extended validation” certificates. In addition, in some scenarios problem B does not exist because the domain name is the identity that one cares about.

To illustrate, if I send e-mail to user-23@Yahoo.dk I may not care about who owns the domain yahoo.dk except that I want the e-mail to reach yahoo.dk and not a bogus site.

A DNSSEC PKI also addresses only problem A. It does so more directly, however, because the ownership of the domain as well as one’s ability to sign DNS records are tightly connected.

One has to find a way to authenticate domain ownership independently whereby one usually relies on domain registration information. Unfortunately, one can subvert this authentication process.

Some risks with a DNSSEC PKI

Usually, the public signing key for a domain is established as part of the registration process. Thereafter it is managed via interaction with the registrar. In this case one can undermine the validity of signed zone data by proceeding by compromising:

1. the domain’s signing key;
2. of an ancestor zone’s signing key;
3. of the domain owner’s registrar account; and
4. of whatever mechanism registrars use to submit public keys to the TLD registries for signing.

The domain signing key can be kept off line, thereby protecting it against some compromising efforts by malicious people. Nevertheless, compromising the signing key is higher, since it may allow a successful attacker to go ahead and issue many certificates.

Point 2 has a similar impact, since if any of the private key of one of the certified authorities (CAs) is being compromised, false certificates can be issued. And while the DNSSEC approach lowers the risk becuase there are fewer keys that must be proteteced, the risk remains.

Point 3 means that since current validation is founded on domain registration data, an attacker compromising the registrar account has a scary impact.

Point 4 might be limited if the Trust Anchor Repository (TAR) approach is rolled out extensively and proofs its scalability and workability in practice.

Interesting Links

Please click on the link, choose option Guest Login – click on this link again and you get access to the extensive material offered in CyTRAP Labs’ glossaries explanations for geeks and other inquiring minds

DNS hierarchy

DNS Spain’s central domain registry – Esnic offline

DNS amplification attacks

DNSSEC – Domain Name System (DNS) Security Extensions – DNSSEC

Care to leave a comment below, how do you see it? Progress, failure, difficulties please share.

Additional resources about DNSSEC – check it out:
CyTRAP Labs’ glossaries explanations for geeks and other inquiring minds – click on this link – choose Login as a Guest – click on this link again and you get access to the edxtensive material offered in	sign up to our alerts about zero-day exploits and newsletters here
NIST Domain Name System Security (NSSEC Project	Internet Governance Project – search for DNSSEC material

Posted in dnssec, domain, implementation, infrastructure, july, nist, recommendations, services |

|