Read “Security Vulnerabilities in DNS and DNSSEC (PDF)” by Suranjith Ariyapperuma and Chris Mitchell. This paper is about DNSSEC. DNS, as is, is an insecure system; DNSSEC is a proposed extension to DNS to mitigate some of the security concerns. It is not yet widespread.
- Section 2 gives an overview of DNS. Read it if you need a refresher on the protocol, but if not, you can skip it.
- Section 3 details some of the vulnerabilities to which DNS is open.
- Section 4 describes DNSSEC, which addresses some of the vulnerabilities in Section 3. DNSSEC has its own problems, however, which are detailed in Section 5.
As you read, think about
- What are the consequences for users (such as yourself) of the vulnerabilities of DNS?
- Why must DNSSEC be backwards-compatible with DNS?
- Why are chains of trust necessary?
- Who should be in charge of the root key?
Questions for Recitation
Before you come to this recitation, write up (on paper) a brief answer to the following (really—we don’t need more than a couple sentences for each question).
Your answers to these questions should be in your own words, not direct quotations from the paper.
- From a security standpoint, what does DNSSEC provide? (e.g., confidentially, authentication, etc.)
- How does it provide that?
- Why is DNSSEC necessary (or is it necessary?), and why hasn’t it been fully deployed?
As always, there are multiple answers to each of these question