
I'm currently revising for an exam to do with DNS/DNSSEC.

While I know DNSSEC provides various security enhancements for DNS, I would like to dive a bit deeper (for my own thirst for knowledge!) and would like to know what is still problematic, security-wise, even after DNSSEC is employed? After all, it can't have solved all the problems DNS was having with regards to security, right?

Thanks

chmeee
KP65

5 Answers

1

The primary issues that DNSSEC doesn't solve are:

  1. false data inserted at the master server - if someone hacks your DNS operator they can in theory insert false data that will be signed with your own key.

  2. encryption of DNS queries - the content of the queries and the resulting answers is still clear text on the wire

The former problem is currently unsolved. The latter one is not really seen as a real security issue, since many people willingly allow third parties (Google, OpenDNS, etc) to see their DNS queries anyway.

Alnitak
1

It depends on what your definition of "security" is. If we use the "CIA triad" (confidentiality, integrity and availability), DNSSEC only applies to (and was designed for) the second one: integrity.

huguei
1

This question really should be, "What DOES DNSSEC do?"

To answer that, DNSSEC is a way to verify that the data you're getting back from the server is legitimate. The records are signed with a private key which can then be verified using the public key published in the record set.

It does not encrypt the records to keep people from seeing them (the whole point of DNS is to distribute that information for public consumption, so this isn't a concern in the vast majority of cases anyway).

It also does not protect against DDoS attacks, reflection attacks, amplification attacks, etc.

You might also refer to RFC 3833, Threat Analysis of the Domain Name System for more information.

Justin Scott
  • some of the threats documented in RFC 3833 were addressed by later DNSSEC RFCs. §2.6 and §2.7 (proof of non-existence and wildcards) are fixed by NSEC, for example. – Alnitak Apr 29 '10 at 14:56
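The NSEC proof of non-existence that the comment above credits with fixing RFC 3833 §2.6 and §2.7, as an added example that is not part of this thread: it applies the canonical name ordering of RFC 4034 §6.1 and the NXDOMAIN checks of RFC 4035 §5.4 to a constructed NSEC chain. It assumes the RRSIGs over the NSEC records were already verified and that no NSEC owner is a delegation point; `SAMPLE_NSECS` and the `example.com` zone are made up for the demonstration.

```python
# Added example, not from the thread: checking an NSEC denial-of-existence proof.
# Assumes the RRSIGs over the NSECs were validated and no owner is a delegation.

def labels(name):
    name = name.rstrip(".").lower()          # canonical form is case-insensitive
    return name.split(".") if name else []

def canon_key(name):
    # RFC 4034 6.1: most significant (rightmost) label first; a parent name is a
    # prefix of its children and so sorts before them, which tuples give us
    return tuple(l.encode("ascii") for l in reversed(labels(name)))

def nsec_covers(owner, nxt, qname, apex):
    # True when qname is inside the zone and strictly between owner and next
    o, n, q, a = (canon_key(x) for x in (owner, nxt, qname, apex))
    if q[:len(a)] != a or q == o:
        return False                          # out of zone, or the name exists
    if o < n:
        return o < q < n                      # ordinary NSEC
    return q > o                              # last NSEC wraps back to the apex

def longest_common_ancestor(a, b):
    ka, kb = canon_key(a), canon_key(b)
    i = 0
    while i < min(len(ka), len(kb)) and ka[i] == kb[i]:
        i += 1
    return ".".join(l.decode() for l in reversed(ka[:i])) or "."

def proves_nonexistence(nsecs, qname, apex):
    """nsecs: (owner, next) pairs from the response. True only if one NSEC covers
    qname and one covers the wildcard at the closest encloser (RFC 4035 5.4)."""
    for owner, nxt in nsecs:
        if nsec_covers(owner, nxt, qname, apex):
            # both ends of the covering NSEC exist, so the closest encloser is the
            # longest ancestor qname shares with either of them
            ce = max(longest_common_ancestor(qname, owner),
                     longest_common_ancestor(qname, nxt), key=lambda n: len(labels(n)))
            wildcard = "*" if ce == "." else "*." + ce
            return any(nsec_covers(o, n, wildcard, apex) for o, n in nsecs)
    return False

# Constructed sample: NSEC chain of a small signed zone (apex plus two hosts)
SAMPLE_NSECS = [("example.com.", "alpha.example.com."),
                ("alpha.example.com.", "zulu.example.com."),
                ("zulu.example.com.", "example.com.")]
```

A full validator additionally checks the type bitmap of a covering NSEC whose owner is an ancestor of the queried name (an NS or DNAME there means the proof belongs to the child zone), which this example leaves out.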
-2

The best answer to this is to have a look at DJB's writings on this:

http://cr.yp.to/djbdns/forgery.html

LWN has some good articles too:

http://lwn.net/Articles/230050/

And some great answers from this very site:

DNSCurve vs DNSSEC

LapTop006
-3

You may find this discussion interesting.

chmeee