Read "Security Vulnerabilities in DNS and DNSSEC" by Ariyapperuma and Mitchell. This paper is about DNSSEC. DNS, as is, is an insecure system; DNSSEC is a proposed extension to DNS to mitigate some of the security concerns. It is not yet widespread.
This paper uses the term man-in-the-middle (MITM) attack. These days, we use the term person-in-the-middle attack, or an on-path attacker.
- Section 2 gives an overview of DNS. Read it if you need a refresher on the protocol, but if not, you can skip it.
- Section 3 details some of the vulnerabilities to which DNS is open.
- Section 4 describes DNSSEC, which addresses some of the vulnerabilities in Section 3. DNSSEC has its own problems, however, which are detailed in Section 5. A good way to test your understanding of DNSSEC is to answer the question "Why are chains of trust necessary?". As an additional resource, this site has a decent explanation of why DNSSEC doesn't use a more straightforward application of public-key cryptography.
- What are the consequences for users (such as yourself) of the vulnerabilities of DNS?
- Why must DNSSEC be backwards-compatible with DNS?
- Who should be in charge of the root key? You can read about the root key process—one of Katrina's favorite things—here, and even watch a livestream of the most recent ceremony! It's a riveting four-and-a-half hours.
Question for Recitation
Before you come to this recitation, you'll turn in a brief answer to the following questions (really—we don't need more than a sentence or so for each question). Your TA will be in touch about exactly how to turn that in.
Your answers to these questions should be in your own words, not direct quotations from the paper.
- From a security standpoint, what does DNSSEC provide? (e.g., confidentiality, authentication, etc.)
- How does it provide that?
- Why is DNSSEC necessary (or is it necessary?), and why hasn't it been fully deployed?