
    NSEC5, DNSSEC authenticated denial of existence

    The Domain Name System Security Extensions (DNSSEC) introduced two resource records (RR) for authenticated denial of existence: the NSEC RR and the NSEC3 RR. This document introduces NSEC5 as an alternative mechanism for DNSSEC authenticated denial of existence. NSEC5 uses verifiable random functions (VRFs) to prevent offline enumeration of zone contents. NSEC5 also protects the integrity of the zone contents even if an adversary compromises one of the authoritative servers for the zone. Integrity is preserved because NSEC5 does not require private zone-signing keys to be present on all authoritative servers for the zone, in contrast to DNSSEC online signing schemes like NSEC3 White Lies. https://datatracker.ietf.org/doc/draft-vcelak-nsec5/

    A Formal Specification of the DNSSEC Model

    The Domain Name System Security Extensions (DNSSEC) is a suite of specifications that provide origin authentication and integrity assurance services for DNS data. In particular, DNSSEC was designed to protect resolvers from forged DNS data, such as that generated by DNS cache poisoning. This article presents a minimalistic specification of a DNSSEC model which provides the grounds needed to formally state and verify security properties concerning the chain of trust of the DNSSEC tree. The model, which has been formalized and verified using the Coq proof assistant, specifies an abstract formulation of the behavior of the protocol and the corresponding security-related events, where security goals, such as the prevention of cache poisoning attacks, can be given a formal treatment.

    Hijacking DNS Subdomains via Subzone Registration: A Case for Signed Zones

    We investigate how the widespread absence of signatures in DNS (Domain Name System) delegations, in combination with a common misunderstanding with regards to the DNS specification, has led to insecure deployments of authoritative DNS servers which allow for hijacking of subdomains without the domain owner's consent. This, in turn, enables the attacker to perform effective man-in-the-middle attacks on the victim's online services, including TLS (Transport Layer Security) secured connections, without having to touch the victim's DNS zone or leaving a trace on the machine providing the compromised service, such as the web or mail server. Following the practice of responsible disclosure, we present examples of such insecure deployments and suggest remedies for the problem. Most prominently, DNSSEC (Domain Name System Security Extensions) can be used to turn the problem from an integrity breach into a denial-of-service issue, while more thorough user management resolves the issue completely.

    AN ANALYSIS OF THE DNS PROTOCOL AND ITS EXTENSIONS

    The study of the DNS (Domain Name System) protocol is necessary because of its great importance for the stability and trustworthiness of the Internet as we know it today. The native DNS protocol carries some intrinsic vulnerabilities, such as cache poisoning and impersonation of DNS servers. Today there is a secure extension of the DNS protocol, called DNSSEC (Domain Name System Security Extensions), capable of providing authenticity for DNS requests and thus guaranteeing the integrity of DNS packets. Besides this secure extension there is another, called DNSCurve, which is considerably more robust but consumes more resources, because all DNS packets are encrypted from their origin to their destination.

    On the Adoption of the Elliptic Curve Digital Signature Algorithm (ECDSA) in DNSSEC

    The Domain Name System Security Extensions (DNSSEC) are steadily being deployed across the Internet. DNSSEC extends the DNS protocol with two vital security properties, authenticity and integrity, using digital signatures. While DNSSEC is meant to solve security issues in the DNS, it also introduces a new one: the digital signatures significantly increase DNS packet sizes, making DNSSEC an attractive vector to abuse in amplification denial-of-service attacks. By default, DNSSEC uses RSA for digital signatures. Earlier work has shown that alternative signature schemes, based on elliptic curve cryptography, can significantly reduce the impact of signatures on DNS response sizes. In this paper we study the actual adoption of ECDSA by DNSSEC operators, based on longitudinal datasets covering over 50% of the global DNS namespace over a period of 1.5 years. Adoption is still marginal, with just 2.3% of DNSSEC-signed domains in the .com TLD using ECDSA. Nevertheless, use of ECDSA is growing, with at least one large operator leading the pack. And adoption could be up to 42% higher. As we demonstrate, there are barriers to deployment that hamper adoption. Operators wishing to deploy DNSSEC using current recommendations (with ECDSA as signing algorithm) must be mindful of this when planning their deployment.

    An overview of HTTPS and DNSSEC services adoption in higher education institutions in Brazil

    Cyberattacks are performed against all organizations including Higher Education Institutions (HEIs). When these attacks are successful, they can affect the regular operation of these institutions and may cause the leak of essential or sensitive data that can be misused or become inaccessible. Therefore, the adoption of current security services is important for devices and services exposed to the Internet that should run the latest and secure versions of web-related protocols and comply with the latest security-related guidelines and recommendations. This article surveys and analyzes the status of web-related security services, namely the Hyper Text Transfer Protocol Secure (HTTPS) and the Domain Name System Security Extensions (DNSSEC) services, in Brazilian HEIs. The results of this survey show that regarding HTTPS around 15% do not use any SSL / TLS certificate and of those supporting it, about 14% do not demand its usage. Regarding DNSSEC, the analysis shows that only around 2% of the HEIs are implementing this protocol. These results show that it is important to design an effective and continuous action plan for HEIs regarding the support or discontinuity of versions of these protocols, in order to improve their protection against cyberattacks.
    Jackson Barreto Costa Júnior

    Making the Case for Elliptic Curves in DNSSEC

    The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNSSEC is more susceptible to packet fragmentation and makes DNSSEC an attractive vector to abuse in amplification-based denial-of-service attacks. Additionally, key management policies are often complex. This makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice for RSA as default cryptosystem in DNSSEC is a major factor in these three problems. Alternative cryptosystems, based on elliptic curve cryptography (ECDSA and EdDSA), exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNSSEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.

    A Security Evaluation of DNSSEC with NSEC3

    Domain Name System Security Extensions (DNSSEC) and Hashed Authenticated Denial of Existence (NSEC3) are slated for adoption by important parts of the DNS hierarchy, including the root zone, as a solution to vulnerabilities such as "cache-poisoning" attacks. We study the security goals and operation of DNSSEC/NSEC3 using Murphi, a finite-state enumeration tool, to analyze security properties that may be relevant to various deployment scenarios. Our systematic study reveals several subtleties and potential pitfalls that can be avoided by proper configuration choices, including resource records that may remain valid after the expiration of relevant signatures and potential insertion of forged names into a DNSSEC-enabled domain via the opt-out option. We demonstrate the exploitability of DNSSEC opt-out options in an enterprise setting by constructing a browser cookie-stealing attack on a laboratory domain. Under recommended configuration settings, further Murphi model checking finds no vulnerabilities within our threat model, suggesting that DNSSEC with NSEC3 provides significant security benefits.

    An integrated testing system for IPv6 and DNSSEC
