DNSsec in Isabelle – replay attack and origin authentication

In this paper, we present a formal model and analysis for the security extensions of the Domain Name System (DNSsec) in the interactive theorem prover Isabelle/HOL. Based on the inductive approach of security protocol analysis by Paulson in Isabelle/HOL, we show how the protocol can be modelled and important properties are proved. We prove that origin authentication works securely. In order to illustrate that the model is adequate, we show gthat previous domain name requests can be replayed -- as in the classical DNS -- by an attacker. These replays luckily can be uniquely identified in DNSsec due to the origin authentication mechanism that we establish to enhance security