Interadministrative Challenges in Managing DNSKEYs
September/October 2009 (vol. 7 no. 5)
pp. 44-51
Eric Osterweil, University of California, Los Angeles
Lixia Zhang, University of California, Los Angeles
The Domain Name System (DNS) has been a critical component of the Internet since the 1980s. Incidents from the wild, such as recent cache poisoning exploits, emphasize that it's vulnerable to attacks. DNS Security Extensions (DNSSEC) define a way to use cryptography for end-to-end protection of DNS data. Although the visible deployment of DNSSEC has grown at a tremendous rate, evidence suggests that the management of cryptographic keys is deceptively complex and has led to visible misconfigurations. Here, the authors outline the problem of managing DNSKEYs as it stands today, and where there exist competing proposed solutions, present a survey comparison.

Index Terms:
network-level security and protection, communication/networking and information technology, computer systems organization, network management, network operations, public key cryptosystems, data encryption
Citation:
Eric Osterweil, Lixia Zhang, "Interadministrative Challenges in Managing DNSKEYs," IEEE Security & Privacy, vol. 7, no. 5, pp. 44-51, Sept.-Oct. 2009, doi:10.1109/MSP.2009.126