14-06-2012, 05:25 PM
DNS SECURITY PROTOCOL
Domain Name System
Internet infrastructure protocol that maps a human-memorable name to information about that name (e.g. an IP address)
Hierarchical, decentralized, scalable, redundant and highly available service that makes the Internet as useful as it currently is
Very easy to spoof: plain DNS answers carry no cryptographic authentication, so a forged response that matches the query's transaction ID and arrives first is accepted as genuine
Why DNS is this important
DNS resolution is normally the first step in most Internet communications
A web site can be replaced with a false site without ever touching the victim site
E-mail can be re-routed (SPF and DKIM also rely on the DNS)
Logins compromised through a man-in-the-middle attack
Any technology that relies on DNS is affected: anti-spam, ENUM, SIP, etc.
Why DNSSEC
Good security is multi-layered and preventive
Multiple defense barriers in the physical world
Multiple layers in the networking world
DNS infrastructure: adding the DNSSEC extensions raises the barrier against DNS-based attacks
Provides a security barrier, or an enhancement, for the systems and applications that depend on the DNS
DNSSEC new RRs
2 public-key related RRs
SIG: signature over an RRset, made with the zone's private key
KEY: public key needed to verify a SIG over an RRset; the KEY RRset is itself signed with the parent's private key
One RR for internal consistency (authenticated denial of existence)
NXT RR: indicates which owner name (and which RR types at it) is the next one in the zone, so a signed NXT proves that no name exists between the two
For non-DNSSEC public keys: CERT
Note that SIG, KEY and NXT are the record names of the original DNSSEC specification (RFC 2535); the current specification (RFC 4033-4035) renamed them RRSIG, DNSKEY and NSEC (with NSEC3 as an alternative), and the link to the parent is now a DS record published in the parent zone rather than a parent signature over the child's key set
Public-key Distribution System
The DNS already has the properties a public-key distribution system needs:
Global real-time availability
Easy access (every host already talks to the DNS)
Scalability
Hierarchical organization
Globally unique names, hence a globally unique name for every host
Cryptographic binding of name and key: the KEY RR binds a DNS name to its public key
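The following is an added worked example, not code from the original post, that puts the three records above (SIG over an RRset, KEY verified under the parent, NXT for denial of existence) and the name-to-key binding of the last section into running code. It uses the page's RFC 2535 vocabulary and its model in which the parent signs the child's KEY RRset. Assumptions: records are plain text with no class, TTL or real wire format (the `\x00`-separated serialization is this example's own, not the DNS one); Ed25519 from the Go standard library stands in for the zone signing algorithm; keys are derived from fixed labels purely so the run is reproducible, which no real zone should do.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// RR is a simplified resource record (owner, type, rdata as text); no class, TTL or wire format.
type RR struct{ Name, Type, Data string }

// SIG models the signature RR: the signing zone and the signature over one RRset.
type SIG struct{ Signer string; Sig []byte }

// NXT models the denial-of-existence RR: an owner name and the next name in the zone.
type NXT struct{ Owner, Next string }

// canonicalName lowercases and fully qualifies a name so signer and verifier hash the same bytes.
func canonicalName(n string) string {
	n = strings.ToLower(n)
	if !strings.HasSuffix(n, ".") {
		n += "."
	}
	return n
}

// KeyFromSeed derives a deterministic Ed25519 key from a label (demo only; a real zone key comes from a CSPRNG).
func KeyFromSeed(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("insecure-demo-seed:" + label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// KeyRR publishes the public half of priv as a KEY record owned by name: the name-to-key binding.
func KeyRR(name string, priv ed25519.PrivateKey) RR {
	return RR{canonicalName(name), "KEY", hex.EncodeToString(priv.Public().(ed25519.PublicKey))}
}

// rrsetBytes is what a SIG covers: owner name, type and every rdata in sorted (canonical)
// order, so the order in which the records arrive does not matter. Example format, not DNS wire format.
func rrsetBytes(rrs []RR) []byte {
	if len(rrs) == 0 {
		return nil
	}
	rdata := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		rdata = append(rdata, rr.Data)
	}
	sort.Strings(rdata)
	return []byte(canonicalName(rrs[0].Name) + "\x00" + rrs[0].Type + "\x00" + strings.Join(rdata, "\x00"))
}

// SignRRset produces the SIG over one RRset with the zone's private key.
func SignRRset(priv ed25519.PrivateKey, signer string, rrs []RR) SIG {
	return SIG{canonicalName(signer), ed25519.Sign(priv, rrsetBytes(rrs))}
}

// VerifyRRset checks a SIG against an RRset with the public key carried in a KEY RR.
func VerifyRRset(key RR, sig SIG, rrs []RR) bool {
	pub, err := hex.DecodeString(key.Data)
	if err != nil || key.Type != "KEY" || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), rrsetBytes(rrs), sig.Sig)
}

// canonicalLess orders names as the NXT chain does: labels compared right to left, and the
// name that runs out of labels first sorts first (so "example." < "a.example.").
func canonicalLess(a, b string) bool {
	la := strings.Split(strings.TrimSuffix(canonicalName(a), "."), ".")
	lb := strings.Split(strings.TrimSuffix(canonicalName(b), "."), ".")
	for i := 1; i <= len(la) && i <= len(lb); i++ {
		if x, y := la[len(la)-i], lb[len(lb)-i]; x != y {
			return x < y
		}
	}
	return len(la) < len(lb)
}

// Covers reports whether an NXT proves qname absent: qname must fall strictly between owner
// and next. The last NXT in a zone points back to the apex, so for it everything after the owner is covered.
func Covers(n NXT, qname string) bool {
	owner, next, q := canonicalName(n.Owner), canonicalName(n.Next), canonicalName(qname)
	if q == owner || q == next {
		return false // the name exists; there is nothing to deny
	}
	if canonicalLess(owner, next) {
		return canonicalLess(owner, q) && canonicalLess(q, next)
	}
	return canonicalLess(owner, q)
}

// DeniedByNXT accepts a denial only if the NXT RR itself verifies under the zone key and
// covers qname; an unsigned or foreign NXT proves nothing.
func DeniedByNXT(key RR, n NXT, sig SIG, qname string) bool {
	return VerifyRRset(key, sig, []RR{{n.Owner, "NXT", n.Next}}) && Covers(n, qname)
}
```

A resolver following the slides' model would first verify the child's KEY RRset with the parent's KEY (`VerifyRRset(KeyRR("parent.", parent), SignRRset(parent, "parent.", []RR{childKey}), []RR{childKey})`), then verify the A RRset for www.example. with the child's KEY, and treat an NXDOMAIN as authentic only when `DeniedByNXT` returns true for a signed NXT whose owner and next name bracket the queried name. Two details worth noticing: the canonical sort makes the signature independent of record order and name case, so an attacker cannot break verification by reshuffling a legitimate answer, and a SIG over one NXT does not authenticate a different NXT, which is why the denial check re-verifies the exact record it is about to trust.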