TERENA Networking Conference 2000

DNS Security

Marius Marian, Antonio Lioy, Fabio Maino and Daniele Mazzocchi, Politecnico di Torino, Italy

Nowadays, the Domain Name System is used extensively by almost all the applications and protocols involved in network communication (e.g., web browsing, ftp, telnet or other TCP/IP utilities on the Internet).

It is a known fact that DNS is weak in several places. When using the Domain Name System, we face the problem of trusting information that comes from a non-authenticated authority, and the problem of accepting additional information that was not requested and that may be incorrect.
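The second weakness above (unrequested additional records) is what a resolver's bailiwick check defends against: records whose owner name lies outside the zone the responding server is authoritative for are discarded rather than cached. The following is an added example, not code from the paper; the record names and addresses are constructed.

```python
"""Bailiwick filtering of DNS response records (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str      # owner name, e.g. "www.example.org."
    rtype: str     # record type, e.g. "A", "NS"
    rdata: str     # record data
    section: str   # "answer", "authority" or "additional"


def canonical(name: str) -> str:
    """Lower-case the name and make it absolute so comparisons are uniform."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex itself or lies strictly below it."""
    name, zone = canonical(name), canonical(zone)
    if zone == ".":                 # the root zone covers every name
        return True
    return name == zone or name.endswith("." + zone)


def filter_response(zone: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response into records a resolver may cache and records it must drop."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed response from a server authoritative for example.org.
SAMPLE_RESPONSE = [
    RR("www.example.org.", "A", "192.0.2.10", "answer"),
    RR("example.org.", "NS", "ns1.example.org.", "authority"),
    RR("ns1.example.org.", "A", "192.0.2.53", "additional"),
    # Unrequested record for a name outside the zone: must not be cached.
    RR("www.bank.example.", "A", "203.0.113.66", "additional"),
]

if __name__ == "__main__":
    kept, dropped = filter_response("example.org", SAMPLE_RESPONSE)
    for rr in kept:
        print("cache  ", rr.section, rr.name, rr.rtype, rr.rdata)
    for rr in dropped:
        print("discard", rr.section, rr.name, rr.rtype, rr.rdata)
```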

Therefore, it was predictable that at some point someone would observe the weaknesses of DNS and take advantage of them. At present, DNS spoofing and DNS cache poisoning are still happening and are becoming quite annoying for the system administrators responsible for the domains being spoofed.

In this paper, we present the features that will secure the Domain Name System and explain why these security extensions are necessary. These security extensions are collectively referred to as DNSSEC and are defined by the set of documents comprising Request For Comments 2535 through 2537. Special consideration is given to the Transaction Signature resource record, regarded as a complementary security enhancement to DNS.

Furthermore, another relevant aspect of DNSSEC is its capability of storing and implicitly distributing public keys, hence acting as a public key infrastructure (PKI). Large-scale implementation and use of DNSSEC would yield the first active worldwide PKI.

Full Paper (PDF - 85KB) - Slides (123KB)
