Security vulnerabilities in DNS and DNSSEC

We present an analysis of security vulnerabilities in the domain name system (DNS) and the DNS security extensions (DNSSEC). DNS data that is provided by name servers lacks support for data origin authentication and data integrity. This makes DNS vulnerable to man-in-the-middle (MITM) attacks, as well as a range of other attacks. To make DNS more robust, DNSSEC was proposed by the Internet Engineering Task Force (IETF). DNSSEC provides data origin authentication and integrity by using digital signatures. Although DNSSEC provides security for DNS data, it suffers from serious security and operational flaws. We discuss the DNS and DNSSEC architectures, and consider the associated security vulnerabilities.
