Deploying Cryptography in Internet-Scale Systems: A Case Study on DNSSEC

@article{Yang2011DeployingCI,
  title={Deploying Cryptography in Internet-Scale Systems: A Case Study on DNSSEC},
  author={Hao Yang and Eric Osterweil and Daniel Massey and Songwu Lu and Lixia Zhang},
  journal={IEEE Transactions on Dependable and Secure Computing},
  year={2011},
  volume={8},
  pages={656-669}
}
The DNS Security Extensions (DNSSEC) are among the first attempts to deploy cryptographic protections in an Internet-scale operational system. DNSSEC applies well-established public key cryptography to ensure data integrity and origin authenticity in the DNS system. While the cryptographic design of DNSSEC is sound and seemingly simple, its development has taken the IETF over a decade and several protocol revisions, and even today its deployment is still in the early stage of rolling out. In… Expand
Making the Case for Elliptic Curves in DNSSEC
TLDR
This paper argues that the choice for RSA as default cryptosystem in DNSSEC is a major factor in these three problems, and starts research that aims to investigate the viability of deploying ECC at a large scale inDNSSEC. Expand
Improving DNS security: a measurement-based approach
TLDR
This thesis shows that alternative cryptographic algorithms based on Elliptic Curve Cryptography (ECC) are much more suited for DNSSEC and solve the two problems discussed before, and introduces a unique large-scale long-term active measurement infrastructure for the DNS. Expand
The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation
TLDR
A model is developed that accurately predicts how many signature validations DNS resolvers have to perform and conclusively shows that switching DNSSEC to ECC signature schemes does not impose an insurmountable load on DNS resolver, even in worst case scenarios. Expand
Building a threshold cryptographic distributed HSM with docker containers
TLDR
A distributed signer system based on threshold cryptography, called Poor Man's Hardware Security Module (pmHSM), which provides the signature components of an HSM over inexpensive commodity hardware to support the operational signing workflow of DNSSEC. Expand
Building a threshold cryptographic distributed HSM with docker containers
TLDR
A distributed signer system based on threshold cryptography, called Poor Man's Hardware Security Module (pmHSM), which provides the signature components of an HSM over inexpensive commodity hardware to support the operational signing workflow of DNSSEC. Expand
DNSSEC vs. DNSCurve: A Side-by-Side Comparison
TLDR
This work aims to provide a comprehensive and constructive comparison between the aforementioned security mechanisms and theoretically cross-evaluate and assess the benefits and the drawbacks of each particular mechanism based on several distinct criteria in order to decide which mechanism is the best fit for each particular deployment. Expand
On the adoption of the elliptic curve digital signature algorithm (ECDSA) in DNSSEC
TLDR
This paper study the actual adoption of ECDSA by DNSSEC operators, based on longitudinal datasets covering over 50% of the global DNS namespace over a period of 1.5 years, and demonstrates there are barriers to deployment that hamper adoption. Expand
Is the Internet Ready for DNSSEC: Evaluating Pitfalls in the Naming Infrastructure
TLDR
The evaluation results indicate that DNSSEC deployment is a cost-benefit decision, and full adoption thereof requires upgrading significant parts of the DNS infrastructure, including legacy infrastructure, and lack of protocol support. Expand
The Performance of ECC Algorithms in DNSSEC: A Model-based Approach
The Domain Name System (DNS) resolves domain names to IP addresses on the Internet. Several vulnerabilities in DNS led to the development and deployment of a secure extension, DNSSEC, whichExpand
Measuring the Practical Impact of DNSSEC Deployment
TLDR
A large-scale measurement of the effects of DNSSEC on client name resolution using an ad network to collect results from over 500,000 geographically-distributed clients shows that enablingDNSSEC measurably increases end-to-end resolution failures and corroborates those of previous researchers in showing that a relatively small fraction of users are protected by DNSSec-validating resolvers. Expand
...
1
2
3
4
5
...

References

SHOWING 1-10 OF 66 REFERENCES
Quantifying the operational status of the DNSSEC deployment
TLDR
The results provide the first comprehensive look at DNSSEC's deployment and reveal a number of challenges that were not anticipated in the design but have become evident in the deployment. Expand
Security Through Publicity
TLDR
A novel concept called the public-space that makes complete information of digital entities' actions publicly available to every user is proposed, a structured framework that maintains a large number of entities, their actions, relationships, and histories. Expand
Public key validation for the DNS security extensions
TLDR
This paper compares three potential approaches to DNS key validation and shows the hybrid mesh approach has the best chance of succeeding in the Internet. Expand
Zone state revocation for DNSSEC
TLDR
Zone State Revocation (ZSR), a lightweight and backward compatible enhancement to DNSSEC, enables zones to explicitly revoke keys using self-certifying certificates, and enables DNS name-servers to opportunistically inform distributed caching resolvers of key revocations via lightweight control messages. Expand
Threat Analysis of the Domain Name System (DNS)
TLDR
This note attempts to document some of the known threats to the DNS, and attempts to measure to what extent (if any) DNSSEC is a useful tool in defending against these threats. Expand
Using the Domain Name System for System Break-ins
  • S. Bellovin
  • Computer Science
  • USENIX Security Symposium
  • 1995
TLDR
It is demonstrated how the DNS can be abused to subvert system security, using a vulnerability first noticed by P.V. Mockapetris. Expand
Domain Name System Security Extensions
TLDR
Extensions to the DNS are described that provide these services to security aware resolvers or applications through the use of cryptographic digital signatures and are included in secured zones as resource records. Expand
Security Mechanisms for the Internet
TLDR
A number of different choices are reviewed, explaining the properties of each, and the precise one that is appropriate in any given situation can vary. Expand
DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
TLDR
An alternative resource record, NSEC3, is introduced, which similarly provides authenticated denial of existence, however, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones. Expand
Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag
TLDR
This document updates RFC 2535 and RFC 3755 on the concept of a public key acting as a secure entry point (SEP) in the Domain Name System KEY (DNSKEY) resource record set. Expand
...
1
2
3
4
5
...