
GDS Resource Record: Generalization of the Delegation Signer Model

  • Conference paper
Networking - ICN 2005 (ICN 2005)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 3421)

Abstract

The Domain Name System Security Extensions (DNSSEC) architecture is based on public-key cryptography. A secure DNS zone has one or more keys with which it signs its resource records in order to provide two security services: data integrity and authentication. These services protect DNS transactions and permit the detection of attacks on DNS.

The DNSSEC validation process is based on the establishment of a chain of trust between secure zones. To build this chain, a resolver needs a secure entry point: a key of a DNS zone configured in the resolver as trusted. The resolver must then find a path from one of its secure entry points toward the DNS name to be validated. However, because DNSSEC is deployed incrementally, some zones in the DNS tree will remain insecure. Consequently, numerous trusted keys must be configured in resolvers for them to be able to build the appropriate chains of trust.

In this paper, we present a model that reduces the number of trusted keys in resolvers and provides wider secure access to the domain name space. This model has been implemented in BIND.
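To make the chain-of-trust problem in the abstract concrete, the following added example (not code from the paper or from BIND) models a small, constructed DNS tree with partial DNSSEC deployment and computes which zones a resolver can validate from a given set of trusted keys, and how many trusted keys are needed to cover every signed zone. Zone names, the signed set and the DS links are all constructed for illustration.

```python
"""Chain-of-trust reachability under partial DNSSEC deployment (constructed example)."""

# Constructed sample tree: zone -> parent zone (None for the root).
PARENT = {
    ".": None,
    "fr.": ".",
    "com.": ".",
    "irisa.fr.": "fr.",
    "old.fr.": "fr.",
    "example.com.": "com.",
    "sub.example.com.": "example.com.",
}
# Zones that sign their records with their own key (constructed).
SIGNED = {".", "fr.", "irisa.fr.", "old.fr.", "example.com.", "sub.example.com."}
# (parent, child) pairs where the parent publishes a DS record vouching for the
# child's key. "com." is unsigned and "fr." publishes no DS for "old.fr.".
DS = {(".", "fr."), ("fr.", "irisa.fr."), ("example.com.", "sub.example.com.")}


def validatable(zone, anchors):
    """True if a resolver trusting `anchors` can build a chain of trust to `zone`.

    A zone is validatable if it is a secure entry point itself, or if it is
    signed, its parent is validatable, and the parent publishes a DS for it.
    """
    if zone not in SIGNED:
        return False          # unsigned zone: nothing to validate
    if zone in anchors:
        return True           # secure entry point configured in the resolver
    parent = PARENT[zone]
    if parent is None:
        return False          # untrusted root has no parent to vouch for it
    return (parent, zone) in DS and validatable(parent, anchors)


def island_roots():
    """Signed zones whose parent cannot vouch for them.

    Each one is the top of an 'island of security' and needs its own trusted
    key in every resolver; the size of this set is the cost the paper wants
    to reduce.
    """
    return {z for z in SIGNED
            if PARENT[z] is None or PARENT[z] not in SIGNED or (PARENT[z], z) not in DS}


def secure_zones(anchors):
    """All zones reachable through a chain of trust from `anchors`."""
    return {z for z in PARENT if validatable(z, anchors)}
```

With only the root key trusted, the island below the unsigned `com.` and the zone lacking a DS in `fr.` stay unvalidatable; trusting one key per island root covers every signed zone.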




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

Cite this paper

Guette, G., Cousin, B., Fort, D. (2005). GDS Resource Record: Generalization of the Delegation Signer Model. In: Lorenz, P., Dini, P. (eds) Networking - ICN 2005. ICN 2005. Lecture Notes in Computer Science, vol 3421. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31957-3_95

  • DOI: https://doi.org/10.1007/978-3-540-31957-3_95

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25338-9

  • Online ISBN: 978-3-540-31957-3
