Cited By
View all- Li WMeng WKwok L(2018)Investigating the Influence of Special On–Off Attacks on Challenge-Based Collaborative Intrusion Detection NetworksFuture Internet10.3390/fi1001000610:1(6)Online publication date: 8-Jan-2018
Alternative Trust Sources: Reducing DNSSEC Signature Verification Operations with TLS
Pages 353 - 354
Abstract
DNSSEC has been in development for 20 years. It provides for provable security when retrieving domain names through the use of a public key infrastructure (PKI). Unfortunately, there is also significant overhead involved with DNSSEC: verifying certificate chains of signed DNS messages involves extra computation, queries to remote resolvers, additional transfers, and introduces added latency into the DNS query path. We pose the question: is it possible to achieve practical security without always verifying this certificate chain if we use a different, outside source of trust between resolvers? We believe we can. Namely, by using a long-lived, mutually authenticated TLS connection between pairs of DNS resolvers, we suggest that we can maintain near-equivalent levels of security with very little extra overhead compared to a non-DNSSEC enabled resolver. By using a reputation system or probabilistically verifying a portion of DNSSEC responses would allow for near-equivalent levels of security to be reached, even in the face of compromised resolvers.
References
[1]
R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. RFC 4033 (Proposed Standard), Mar. 2005. Updated by RFCs 6014, 6840.
[2]
G. Huston. Measuring dnssec performance. https://labs.apnic.net/?p=341, 2013. Accessed 2015-04--21.
[3]
NLnet Labs. A short history of dnssec. http://www.nlnetlabs.nl/projects/dnssec/history.html, 2013. Accessed 2015-04--28.
[4]
T. Reddy, D. Wing, and P. Patil. Dns over dtls (dnsod) internet draft. https://tools.ietf.org/html/draft-ietf-dprive-dnsodtls-01, 2015. Accessed 2015-06--23.
[5]
L. Zhu, Z. Hu, J. Heidemann, D. Wessels, A. Mankin, and N. Somaiya. Connection-oriented dns to improve privacy and security. 2015.
Index Terms
- Alternative Trust Sources: Reducing DNSSEC Signature Verification Operations with TLS
Recommendations
Understanding the role of registrars in DNSSEC deployment
IMC '17: Proceedings of the 2017 Internet Measurement ConferenceThe Domain Name System (DNS) provides a scalable, flexible name resolution service. Unfortunately, its unauthenticated architecture has become the basis for many security attacks. To address this, DNS Security Extensions (DNSSEC) were introduced in ...
Alternative Trust Sources: Reducing DNSSEC Signature Verification Operations with TLS
SIGCOMM'15DNSSEC has been in development for 20 years. It provides for provable security when retrieving domain names through the use of a public key infrastructure (PKI). Unfortunately, there is also significant overhead involved with DNSSEC: verifying ...
DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC
CATCH '09: Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland SecurityThe Domain Name System (DNS) is one of the core infrastructure components of the Internet. DNS data is also trivial to spoof. The security extensions to DNS (DNSSEC) provide a mechanism for users to verify the origin authenticity and integrity of DNS ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
August 2015
684 pages
ISBN:9781450335423
DOI:10.1145/2785956
- General Chairs:
- Steve Uhlig,
- Olaf Maennel,
- Program Chairs:
- Brad Karp,
- Jitendra Padhye
Copyright © 2015 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 17 August 2015
Check for updates
Author Tags
Qualifiers
- Poster
Funding Sources
Conference
SIGCOMM '15
Sponsor:
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 322Total Downloads
- Downloads (Last 12 months)53
- Downloads (Last 6 weeks)5
Reflects downloads up to 13 Dec 2024
Other Metrics
Citations
Cited By
View all- Li WMeng WKwok L(2018)Investigating the Influence of Special On–Off Attacks on Challenge-Based Collaborative Intrusion Detection NetworksFuture Internet10.3390/fi1001000610:1(6)Online publication date: 8-Jan-2018
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in