Issue No.05 - September/October (2009 vol.7)
pp: 36-43
ABSTRACT
DNS Security Extensions (DNSSEC) is a proposed standard for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a challenge. The authors examine several design options and discuss DNSSEC deployment's added cost to performance, using the Unbound caching validating resolver as an example.
INDEX TERMS
Domain Name System, DNS, DNSSEC, security, chain of trust, DNSSEC validator, caching resolver
CITATION
Wouter C.A. Wijngaards, "Securing DNS: Extending DNS Servers with a DNSSEC Validator", IEEE Security & Privacy, vol.7, no. 5, pp. 36-43, September/October 2009, doi:10.1109/MSP.2009.133