Server Certificates based on DNSSEC
Authors
Abstract
Globally unique domain names and IP addresses that are provided in real time by the DNS (Domain Name System) represent the fundamental signposts for navigating the Internet and for locating remote hosts. It is therefore paradoxical that the traditional method for secure identification of remote hosts is not directly based on DNS, but on the browser PKI which is external to the trust structure of the DNS and thereby introduces new and complex trust problems. This paper argues that certificates for global host names must be issued through DNSSEC. According to this principle, certificates for domain names are issued by DNS registrars or DNS server organisations. This greatly simplifies the trust models for online authentication and significantly improves Internet security.
Similar resources
Security for Future Internet Architecture - Motivation from DNSSEC
DNS has a long history of being the primary target of malicious network attacks. These attacks take advantage of the weakness that the domain name mapping information is not authenticated. This motivates the need of security global infrastructure for future internet architecture. DNSSEC is a secure extension of DNS, and is considered as one of the most important mechanisms for critical informat...
Measuring the Deployment Hiccups of DNSSEC
On May 5, 2010 the last step of the DNSSEC deployment on the 13 root servers was completed. DNSSEC is a set of security extensions on the traditional DNS protocol, that aim in preventing attacks based on the authenticity and integrity of the messages. Although the transition was completed without major faults, it is not clear whether problems of smaller scale occurred. In this paper we try to q...
INTERNET - DRAFT Samuel Weiler
As the DNS Security (DNSSEC) specifications have evolved, the syntax and semantics of the DNSSEC resource records (RRs) have changed. Many deployed nameservers understand variants of these semantics. Dangerous interactions can occur when a resolver that understands an earlier version of these semantics queries an authoritative server that understands the new delegation signer semantics, includi...
Fragmentation Considered Poisonous
We present practical poisoning and name-server blocking attacks on standard DNS resolvers, by off-path, spoofing adversaries. Our attacks exploit large DNS responses that cause IP fragmentation; such long responses are increasingly common, mainly due to the use of DNSSEC. In common scenarios, where DNSSEC is partially or incorrectly deployed, our poisoning attacks allow ‘complete’ domain hijack...
RFC 3755 Legacy
As the DNS Security (DNSSEC) specifications have evolved, the syntax and semantics of the DNSSEC resource records (RRs) have changed. Many deployed nameservers understand variants of these semantics. Dangerous interactions can occur when a resolver that understands an earlier version of these semantics queries an authoritative server that understands the new delegation signer semantics, includi...