On the performance and analysis of DNS security extensions

Authors:
Reza Curtmola;Aniello Del Sorbo;Giuseppe Ateniese
Affiliations:
Information Security Institute and Department of Computer Science, Johns Hopkins University, Baltimore, MD;Information Security Institute and Department of Computer Science, Johns Hopkins University, Baltimore, MD;Information Security Institute and Department of Computer Science, Johns Hopkins University, Baltimore, MD
Venue:
CANS'05 Proceedings of the 4th international conference on Cryptology and Network Security
Year:
2005

Citing 12
Cited 1

Network security via private-key certificates

ACM SIGOPS Operating Systems Review
How to withstand mobile virus attacks (extended abstract)

PODC '91 Proceedings of the tenth annual ACM symposium on Principles of distributed computing
A new approach to DNS security (DNSSEC)

CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
DNS performance and the effectiveness of caching

IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
UMAC: Fast and Secure Message Authentication

CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Keying Hash Functions for Message Authentication

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
New client puzzle outsourcing techniques for DoS resistance

Proceedings of the 11th ACM conference on Computer and communications security
Using client puzzles to protect TLS

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Using the domain name system for system break-ins

SSYM'95 Proceedings of the 5th conference on USENIX UNIX Security Symposium - Volume 5
DNS and BIND security issues

SSYM'95 Proceedings of the 5th conference on USENIX UNIX Security Symposium - Volume 5
On the possibility of constructing meaningful hash collisions for public keys

ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
How to break MD5 and other hash functions

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques

A Proxy View of Quality of Domain Name Service, Poisoning Attacks and Survival Strategies

ACM Transactions on Internet Technology (TOIT)

Quantified Score

Hi-index	0.00

Visualization

Abstract

The Domain Name System (DNS) is an essential component of the critical infrastructure of the Internet. The role of DNS is vital, as it is involved in virtually every Internet transaction. It is sometimes remarked that DNS works well as it is now and any changes to it may disrupt its functionality and add complexity. However, due to its importance, an insecure DNS is unacceptable for current and future networks. The astonishing simplicity of mounting an attack against the DNS and the damaging potential of such an attack should convince practitioners and system administrators to employ a secure version of DNS. However, security comes with a cost. In this paper, we examine the performance of two proposals for secure DNS and we discuss the advantages and disadvantages of both. In particular, we analyze the impact that security measures have on the performance of DNS. While it is clear that adding security will lower DNS performance, our results show that the impact of security can be mitigated by deploying different security extensions at different levels in the DNS tree. We also describe the first implementation of the SK-DNSSEC [1] protocol. The code is freely downloadable and released under an open-source license.