Securing the Domain Name System

ثبت نشده
چکیده

44 COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES ■ 1540-7993/09/$26.00 © 2009 IEEE ■ SEPTEMBER/OCTOBER 2009 T he Domain Name System (DNS) 1 is the Internet’s de facto name resolution system. In fact, almost every transaction performed on the Internet is prefaced by a DNS lookup—for example, when a user types “www.bankofamerica.com” into his or her Web browser, it issues a DNS request to get Bank of America’s IP addresses. However, in today’s Internet, attackers can spoof DNS messages. The DNS Security Extensions (DNSSEC) RFCs specify how DNS domains (logical namespaces such as bankofamerica.com) can use cryptographic keys to digitally sign their content and gain the protection of origin authenticity, data integrity, and secure denial of existence. DNSSEC specifies that each reply from authoritative DNS servers will have cryptographic signatures attached to it. DNS resolvers (clients) can obtain cryptographic keys for each domain and then formally verify that the key generated the signatures, the correct DNS server originated the data the signatures cover, and the data wasn’t modified on the way to the resolver. However, resolvers must ensure that the keys they have for a domain are authentic and not spoofed. Although DNSSEC’s deployment has grown, the mechanisms by which resolvers can obtain and verify domains’ cryptographic keys haven’t evolved as needed. Specifically, it was envisioned that resolvers would begin with a trusted key for the DNS root domain (“.”) and recursively trace a secure delegation chain (chain of trust) from parent domains to their children until the resolvers reached the domain containing the queried name. For example, a resolver might want to get the A records (which contain IPv4 addresses) for the domain www. foo.com. This would require it to ask the root domain “.” to refer it to the com domain, and then the com domain would refer it to the foo.com domain. At that point, the foo. com domain would be able to respond to the www. foo.com query. One essential problem facing DNSSEC deployment today is that neither the root nor many of the top-level domains (TLDs, such as com) have deployed DNSSEC. Consequently, DNS resolvers don’t have an automated way to verify whether the keys they have for foo.com are valid or spoofed by an adversary (unless the keys are configured into the resolvers as trust anchors via some unspecified, out-ofband process). In this article, we examine the space of various cryptographic key management issues involved in DNSSEC deployment and the approaches resolvers might use to identify the proper keys (trust anchors) for the DNS domains they visit. Further examination into these mechanisms leads to many more subtle issues that arise from how we currently manage the DNS.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Securing Cluster-heads in Wireless Sensor Networks by a Hybrid Intrusion Detection System Based on Data Mining

Cluster-based Wireless Sensor Network (CWSN) is a kind of WSNs that because of avoiding long distance communications, preserve the energy of nodes and so is attractive for related applications. The criticality of most applications of WSNs and also their unattended nature, makes sensor nodes often susceptible to many types of attacks. Based on this fact, it is clear that cluster heads (CHs) are ...

متن کامل

Trustworthy TCB for DNS Servers

A simple atomic relay function is proposed as a minimal trusted computing base (TCB) for a domain name system (DNS) server. This TCB, composed of a fixed sequence of logical and cryptographic hash operations, can be amplified to ensure that a DNS server cannot violate rules. The paper also outlines elements of a TCB-DNS protocol that amplifies the simple TCB to secure the domain name system. Th...

متن کامل

A Comparative Study of Steganography Algorithms of Spatial and Transform Domain

Transmitting data from sender to authorized receiver through a public media (insecure media) with full security is a challenging task. From the ancient time, different methods and techniques have been adopted to gain secure transmission of information. With the development of new technologies, the techniques used for securing information have also changed. The three main technology used for sec...

متن کامل

SECURING INTERPRETABILITY OF FUZZY MODELS FOR MODELING NONLINEAR MIMO SYSTEMS USING A HYBRID OF EVOLUTIONARY ALGORITHMS

In this study, a Multi-Objective Genetic Algorithm (MOGA) is utilized to extract interpretable and compact fuzzy rule bases for modeling nonlinear Multi-input Multi-output (MIMO) systems. In the process of non- linear system identi cation, structure selection, parameter estimation, model performance and model validation are important objectives. Furthermore, se- curing low-level and high-level ...

متن کامل

Log File Compression and its Security in Web Server

The log file of any association may include sensitive data which must be protected properly for suitable working of that organization. Maintaining security of such log records is one of the important tasks. Also, over a long period of time maintaining authenticity of such log data is very important. However, deploying such a system for security of log records is a big task for any company and a...

متن کامل

New Protocol E-DNSSEC to Enhance DNSSEC Security

The Domain Name System (DNS) is an essential component of the internet infrastructure. Due to its importance, securing DNS becomes a necessity for current and future networks. DNSSEC, the extended version of DNS has been developed in order to provide security services. Unfortunately, DNSSEC doesn’t offer query privacy; we can see all queries sent to resolver in clear. In this paper, we evaluate...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2009