6.033 | Preparation for Recitation on DNSSEC

Preparation for Recitation on DNSSEC

Read "Security Vulnerabilities in DNS and DNSSEC" by Ariyapperuma and Mitchell. This paper is about DNSSEC. DNS, as is, is an insecure system; DNSSEC is a proposed extension to DNS to mitigate some of the security concerns. It is not yet widespread.

Section 2 gives an overview of DNS. Read it if you need a refresher on the protocol, but if not, you can skip it.
Section 3 details some of the vulnerabilities to which DNS is open.
Section 4 describes DNSSEC, which addresses some of the vulnerabilities in Section 3. DNSSEC has its own problems, however, which are detailed in Section 5.

As you read, think about

From a security standpoint, what does DNSSEC provide (e.g., confidentially, authentication, etc.)? How does it provide that?
What are the consequences for users (such as yourself) of the vulnerabilities of DNS?
Why must DNSSEC be backwards-compatible with DNS?
What do the chains of trust do? Why are they necessary? This site has a decent explanation of why DNSSEC doesn't use a more straightforward application of public-key cryptography.

Reflection Questions

Below are three questions for you to reflect on as you read the paper. You will post your reflection, or respond to another student's reflection, on your Teaching Team Piazzas. You do not need to email responses to these questions to your TA. As a reminder:

Each DP team should have one team member post a reflection, and the others respond to someone else’s reflection (you don't have to respond to your DP teammate's reflection). Rotate which member posts each week.
You only need to post a reflection (or a respond to a reflection) about one of the questions below. If you see all of your fellow students reflecting on the same question, try to pick a different one.

Now, for the questions themselves. There are many possibile answers for each. We're expecting you to thoughtfully consider these questions, not come up with the single "best" answer. Your answers to these questions should be in your own words, not direct quotations from the paper.

DNSSEC has not been fully deployed. What do you think is preventing that?
Who should be in charge of the root key? (You can read about the root key process here; it's one of Katrina's absolute favorite things.)
Suppose we were still on campus, and wanted to have you act out DNSSEC in recitation. How would you design that activity? How would you illustrate the ways in which DNSSEC differs from DNS? (We got great responses to this question last week with Raft. Typically we have students act out both Raft and DNSSEC.)