Take up DNSSEC When Needed
Abstract
The threats of caching poisoning attacks largely stimulate the deployment of DNSSEC. Being a strong but demanding cryptographical defense, DNSSEC has its universal adoption predicted to go through a lengthy transition. Thus the DNSSEC practitioners call for a secure yet lightweight solution to speed up DNSSEC deployment while offering an acceptable DNSSEC-like defense. This paper proposes a new defense against cache poisoning attacks, still using but lightly using DNSSEC. In the solution, DNS operates in the DNSSEC-oblivious mode unless a potential attack is detected and triggers a switch to the DNSSEC-aware mode. The performance of the defense is analyzed and validated. The modeling checking results demonstrate that only a small DNSSEC query load is needed to ensure a small enough cache poisoning success rate.
- Publication:
-
arXiv e-prints
- Pub Date:
- February 2016
- DOI:
- 10.48550/arXiv.1602.08459
- arXiv:
- arXiv:1602.08459
- Bibcode:
- 2016arXiv160208459W
- Keywords:
-
- Computer Science - Cryptography and Security