Towards Adoption of DNSSEC: Availability and Security Challenges

DNSSEC deployment is long overdue; however, it seems to be finally taking off. Recent cache poisoning attacks motivate protecting DNS, with strong cryptography, rather than with challenge-response ‘defenses’. Our goal is to motivate and help correct DNSSEC deployment. We discuss the state of DNSSEC deployment, obstacles to adoption and potential ways to increase adoption. We then present a comprehensive overview of challenges and potential pitfalls of DNSSEC, well known and less known, including: • Vulnerable DNSSEC configurations: we present several DNSSEC configurations, which are natural and, based on the limited deployment so far, expected to be popular, yet are vulnerable to attack. This includes typical DNS inter-domain NS, MX and CNAME records, NSEC3 opt-out records. • Pitfalls of Incremental Deployment: we discuss the common practice of incremental deployment, and show that it may cause increased vulnerability to poisoning. • Super-sized Response Challenges: DNSSEC responses include cryptographic keys and hence are relatively long; we explain how this extra-long responses cause interoperability challenges, and can be abused for DoS and even DNS poisoning. We discuss potential solutions, ranging from using TCP for long responses (easy but costly and possibly even DoS-prone), to extensions to DNSSEC for secure agreement only on needed keying material.