Before Recitation
Read:
- "Towards Forensic Analysis of
Attacks with DNSSEC" by Shulman and Waidner. This paper discusses a few different types of attacks on DNS as well as DNSSEC, a proposed extension to DNS to mitigate some of the security concerns. DNSSEC is not yet wideaspread.
This paper uses the term man-in-the-middle (MITM) attack. These days, we typically use the term on-path attacker (or sometimes person-in-the-middle attack).
- This blogpost by Heidi Howard. This post explains how DNSSEC works, and in particular, explains why a more straightforward use of public-key cryptography is not sufficient to provide the type of security DNSSEC needs. As you read, think about
- Why is DNS vulnerable to on-path attackers and cache poisoning? There are technical reasons why, but are there other reasons why DNS wasn't designed to be more secure agains these attacks?
- What are the consequences for users (such as yourself) of the vulnerabilities of DNS?
- Why must DNSSEC be backwards-compatible with DNS?
- Who should be in charge of the root key? You can read about the root key process—one of Katrina's favorite things—here, and even watch a key-signing ceremony on the day of this recitation!
Question for Recitation:
Before you come to this recitation, you'll submit a brief response to the following questions on Canvas (really—we don't need more than a sentence or so for each question). Your answers to these questions should be in your own words, not direct quotations from the paper.
- The paper by Shulman and Waidner explains that DNS is vulnerable to cache poisoning attacks. What does it mean to poison a cache in the context of DNS?
- Why are cache poisoning attacks a problem? I.e., what sorts of bad things can an attacker do if they poison a cache.
- How does DNSSEC prevent those attacks?
During Recitation
We expect you to be engaged and participate in recitation, and there are many ways to do that! Check out our participation FAQ for more information.
After Recitation
Outline for this recitation. - This blogpost by Heidi Howard. This post explains how DNSSEC works, and in particular, explains why a more straightforward use of public-key cryptography is not sufficient to provide the type of security DNSSEC needs. As you read, think about