
    NSEC5, DNSSEC authenticated denial of existence

    The Domain Name System Security Extensions (DNSSEC) introduced two resource records (RR) for authenticated denial of existence: the NSEC RR and the NSEC3 RR. This document introduces NSEC5 as an alternative mechanism for DNSSEC authenticated denial of existence. NSEC5 uses verifiable random functions (VRFs) to prevent offline enumeration of zone contents. NSEC5 also protects the integrity of the zone contents even if an adversary compromises one of the authoritative servers for the zone. Integrity is preserved because NSEC5 does not require private zone-signing keys to be present on all authoritative servers for the zone, in contrast to DNSSEC online signing schemes like NSEC3 White Lies. https://datatracker.ietf.org/doc/draft-vcelak-nsec5/ First author draf

    Analysis resolvers in Domain Name System

    The DNS, a large-scale distributed database that underpins almost every Internet service, must be operated properly to ensure the stability and reliability of the Internet. This means that every zone must be operated correctly. Despite its importance, however, the actual operating state of the DNS is not well understood. The reason is that DNS mainly uses UDP, so unlike TCP its state transitions cannot be observed. In other words, once a DNS query message has been sent, all one can do is wait until a response comes back. To analyze DNS behaviour, this study focuses on the behaviour of resolvers and examines the cases in which a response does not return or in which the resolver keeps waiting. Based on the findings of that analysis, we consider an indicator that shows the soundness of DNS operation. The goal is to use this to improve the stability and reliability of the DNS. Master's thesis

    Hijacking DNS Subdomains via Subzone Registration: A Case for Signed Zones

    We investigate how the widespread absence of signatures in DNS (Domain Name System) delegations, in combination with a common misunderstanding of the DNS specification, has led to insecure deployments of authoritative DNS servers which allow for hijacking of subdomains without the domain owner's consent. This, in turn, enables the attacker to perform effective man-in-the-middle attacks on the victim's online services, including TLS (Transport Layer Security) secured connections, without having to touch the victim's DNS zone or leaving a trace on the machine providing the compromised service, such as the web or mail server. Following the practice of responsible disclosure, we present examples of such insecure deployments and suggest remedies for the problem. Most prominently, DNSSEC (Domain Name System Security Extensions) can be used to turn the problem from an integrity breach into a denial-of-service issue, while more thorough user management resolves the issue completely.

    IVOA Recommendation: IVOA Identifiers Version 1.12

    An IVOA Identifier is a globally unique name for a resource. This name can be used to retrieve a unique description of the resource from an IVOA-compliant registry. This document describes the syntax for IVOA identifiers as well as how they are created. An IVOA identifier has two separable components that can appear in two equivalent formats: an XML-tagged form and a URI-compliant form. The syntax has been defined to encourage global uniqueness naturally and to maximize the freedom of resource providers to control the character content of an identifier.