From the Beginning: Key Transitions in the First 15 Years of DNSSEC

Osterweil, Eric; Tehrani, Pouyan Fotouhi; Schmidt, Thomas C.; Wählisch, Matthias

doi:10.1109/tnsm.2022.3195406

Cited by 3 publications

(1 citation statement)

References 30 publications

(45 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The traditional DNS protocol, namely Do53 protocol, is not authenticated and encrypted, resulting in many security and privacy issues. To address the security issues caused by the lack of authentication, IETF engineers added a security extension to the Do53 protocol, called the Domain Name System Security Extension (DNSSEC) [ 20 ]. The DNSSEC uses digital signatures based on public key encryption to enhance the DNS verification strength, including data source verification and data integrity protection.…”

Section: Related Workmentioning

confidence: 99%

DNS-BC: Fast, Reliable and Secure Domain Name System Caching System Based on a Consortium Blockchain

Gao

Dong

2023

Sensors

View full text Add to dashboard Cite

The Domain Name System (DNS) is a fundamental component of the internet, responsible for resolving domain names into IP addresses. DNS servers are typically categorized into four types: recursive resolvers, root name servers, Top-Level Domain (TLD) name servers, and authoritative name servers. The latter three types of servers store actual records, while recursive resolvers do not store any real data and are only responsible for querying the other three types of servers and responding to clients. Recursive resolvers typically maintain a caching system to speed up response times, but these caching systems have the drawbacks of a low real-time performance, a poor accuracy, and many security and privacy issues. In this paper, we propose a caching system based on a consortium blockchain, namely DNS-BC, which uses the synchronization mechanism of the consortium blockchain to achieve a high real-time performance, uses the immutable mechanism of the consortium blockchain and our designed credibility management system to achieve up to a 100% accuracy, and has been combined with encrypted transmission protocols to solve common security and privacy issues. At the same time, this caching system can greatly reduce the traffic that name servers need to handle, thereby protecting them from Denial-of-Service (DoS) attacks. To further accelerate the data transmission speed, we have designed a new encrypted DNS protocol called DNS over KCP (DoK). The DoK protocol is based on the KCP protocol, which is a fast and reliable transmission protocol, and its latency can reach one-third of that of TCP when the network environment deteriorates. In our experiments, the transmission time of this protocol is about a quarter of that of the widely used encrypted protocols DNS over TLS (DoT) and DNS over HTTPS (DoH).

show abstract

Section: Related Workmentioning

confidence: 99%

DNS-BC: Fast, Reliable and Secure Domain Name System Caching System Based on a Consortium Blockchain

Gao

Dong

2023

Sensors

View full text Add to dashboard Cite

show abstract

Authenticated and Secure Automotive Service Discovery with DNSSEC and DANE

Mueller

Häckel

Meyer

et al. 2023

2023 IEEE Vehicular Networking Conference (VNC)

View full text Add to dashboard Cite

A Security Model for Web-Based Communication

Tehrani,

Osterweil,

Schmidt

et al. 2024

Commun. ACM

View full text Add to dashboard Cite

Web access involves various protocols to resolve domain names to IP addresses, establish data exchange channels with Web servers, and to authenticate communication partners. Each protocol has its own set of requirements and security measures. In addition to technical features, operating the Web also introduces organizational and political aspects which are important to consider when deploying a secure basis for Web-based communication. In this paper, we propose an algorithmic security model based on the widely deployed technologies DNS(SEC) and Web PKI to cover the three dimensions identification , resolution , and transaction . Our model enables quantification and qualification of the security assurance provided by an online service provider. To verify the applicability of our model, we investigate the online presence of Alerting Authorities in the U.S., selected German Emergency Service providers, and UN member states . We observe partially enhanced security relative to global Internet trends, yet find cause for concern as only about 6% of unique hosts cater to secure resolution. About 46% of investigated organizations use shared certificates with 1% of all organizations having no or invalid certificates. Two thirds of organizations are not uniquely identifiable and as such lack the basic requirement of trustworthy communication.

show abstract

From the Beginning: Key Transitions in the First 15 Years of DNSSEC

Cited by 3 publications

References 30 publications

DNS-BC: Fast, Reliable and Secure Domain Name System Caching System Based on a Consortium Blockchain

DNS-BC: Fast, Reliable and Secure Domain Name System Caching System Based on a Consortium Blockchain

Authenticated and Secure Automotive Service Discovery with DNSSEC and DANE

A Security Model for Web-Based Communication

Contact Info

Product

Resources

About