| The Domain Name System (DNS) provides hostname to IP mapping for every host on Internet and is a highly successful and critical part of the Internet infrastructure. It is a globally distributed database, whose performance critically depends on the use of caching. After serving the Internet for over 30 years, DNS today are now confronted with an increasing number of threats and attacks and each of them, if succeeded, would cause dysfunction of the Internet service and lead to conceivable economic loss. As a matter of fact, these threats have been identified back in 1985 and the DNSSEC project was put under development since then. DNSSEC, short for DNS Security Extension, is a set of extensions to the existing DNS protocol and provides authentication Data Integrity by associating cryptographically generated digital signatures with DNS RRsets. DNSSEC is designed to protect the Internet from certain attacks, such as DNS cache poisoning and spoofing attacks. In this article, we talked about DNS's working mechanism and provided a threat analysis that DNS is facing, with emphasizes on DNSSEC zone deployment and key management practices in post-deployment stage. Also we briefly discussed DNSSEC's disadvantages over DNS and what the DNSSEC cannot do. Some DNSSEC operations are not covered here due to limitations of this project, such as zone transfer protection using TSIG and caching name server configurations. |
PDF Full Text Request