DNS and BIND
Using the domain name system for system break-ins
SSYM'95 Proceedings of the 5th conference on USENIX UNIX Security Symposium - Volume 5
Hi-index | 0.00 |
Domain Name System Security Extensions (DNSSEC) architecture is based on public-key cryptography. A secure DNS zone has one or more keys to sign its resource records in order to provide two security services: data integrity and authentication. These services allow to protect DNS transactions and permit the detection of attacks on DNS. The DNSSEC validation process is based on the establishment of a chain of trust between secure zones. To build this chain, a resolver needs a secure entry point: a key of a DNS zone configured in the resolver as trusted. Then, the resolver must find a path from one of its secure entry point toward the DNS name to be validated. But, due to the incremental deployment of DNSSEC, some zones will remain unsecure in the DNS tree. Consequently, numerous trusted keys should be configured in resolvers to be able to build the appropriate chains of trust. In this paper, we present a model that reduces the number of trusted keys in resolvers and ensures larger secure access to the domain name space. This model has been implemented in BIND.