DNSSEC: Interoperability Challenges and Transition Mechanisms

Abstract

Recent cache poisoning attacks motivate protecting DNS with strong cryptography, by adopting DNSSEC, rather than with challenge-response 'defenses'. We discuss the state of DNSSEC deployment and obstacles to adoption. We then present an overview of challenges and potential pitfalls of DNSSEC, including: Incremental Deployment: we review deployment status of DNSSEC, and discuss potential for increased vulnerability due to popular practices of incremental deployment, and provide recommendations. Long DNSSEC Responses; Long DNS responses are vulnerable to attacks, we review cache poisoning attack on fragmented DNS responses, and discuss mitigations; Trust Model of DNS: we review the trust model of DNS and show that it may not be aligned with the security model of DNSSEC. We discuss using trust anchor repositories (TARs) to mitigate the trust problem. TARs were proposed to allow transition to DNSSEC and to provide security for early adopters.