
Kim et al. J Surveill Secur Saf 2020;1:34-60 | http://dx.doi.org/10.20517/jsss.2020.14 | Page 39

               related to domain names as a DNS server database element, which is used to respond to DNS client queries.
               RRs are added to the DNS namespace generated by the DNS server and consist of various types, including
               the following:
               (1) A and AAAA: A - IPv4 address or AAAA - IPv6 address.
               (2) CNAME (Canonical Names): domain name aliases, used for mapping an alias to a domain name.
               (3) NS (Name Server): indicates a specific authoritative name server or a name server address.
               (4) Others: MX (Mail Exchange) - maps the domain to an SMTP mail server; PTR (Pointer) - maps an IP
               address back to a domain name (reverse DNS lookup); and TXT - human-readable text information.


               2.1.3 DNS limitations
               The major vulnerability in DNS is its lack of built-in security. The original DNS protocol did not consider this
               issue in depth. Thus, DNS data could be forged to translate a name to a malicious IP address, so that Internet
               users would connect to a non-authorized site. This could, for example, be used to distribute false information
               or to surreptitiously collect personal information. DNS provides no way to verify that a received IP address
               translation is authentic: a corrupted or intercepted DNS response may deliver false information to any
               requester. DNSSEC has been developed to overcome this fundamental security vulnerability of DNS [4,7].
               2.2 DNSSEC
               DNSSEC, an Internet standard technology, aims to eliminate this vulnerability of DNS. DNSSEC was
               originally standardized in 2005 as IETF RFCs 4033 through 4035 [4-7]. Using two keys - the Zone Signing
               Key (ZSK) and the Key Signing Key (KSK) - to create digital signatures with public-key cryptography,
               DNSSEC guarantees integrity and authentication for DNS data.

               2.2.1 DNSSEC purpose
               DNSSEC significantly enhances DNS security by adding public-key cryptography to the existing DNS.
               A DNS cache poisoning attack, for instance, causes an ISP's local DNS resolvers and their cache to map
               specific domain names to malicious IP addresses. As a solution to such fundamental DNS security
               problems, DNSSEC provides strong authentication using digital signatures based on public-key
               cryptography [4,7].
               2.2.2 DNSSEC philosophy
               Figure 4 shows the basics of data authentication using public-key cryptography.
               (1) Alice generates an asymmetric key pair, composed of a public key and a private key.
               (2) Alice distributes the public key on the Internet.
               (3) Alice creates a "signature" by signing the plain text with her private key.
               (4) Alice transmits the "signature" along with the "original data" to Bob.
               (5) Bob receives the "original data" together with the "signature" from Alice.
               (6) Bob looks up Alice's public key.
               (7) Bob validates the "signature" over the "original data" using Alice's public key.
               (8) If the signature verifies successfully, Bob is assured that the original data purportedly from Alice is
               authentic and unmodified.
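The eight-step flow above, carried over to the DNS setting the paper describes, as an added example that is not part of the original paper: the zone plays Alice, its published public key plays the role of a DNSKEY record, the signature over a set of resource records plays the role of an RRSIG, and a resolver plays Bob. The `RR` type, the text-based `canonicalRRset` helper and the use of Ed25519 from Go's standard library are simplifications assumed for this example; real DNSSEC uses its own canonical wire form and the algorithms listed in the RFCs. The sample records are constructed from documentation address space.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal resource record (hypothetical type, not a real DNS library's).
type RR struct {
	Name  string // owner name, e.g. "www.example.com."
	Type  string // record type, e.g. "A"
	TTL   uint32
	RData string // record data, e.g. an IPv4 address
}

// canonicalRRset serialises an RRset into one deterministic byte string: owner
// names lower-cased and records sorted, so signer and verifier hash identical
// bytes even if the records arrive in a different order. DNSSEC's canonical
// wire form serves the same purpose; this text form is a simplification.
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s\t%d\t%s\t%s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.RData))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Zone plays Alice: Public stands in for the DNSKEY record the zone publishes
// (steps 1 and 2); private never leaves the signer.
type Zone struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewZone is step 1: generate the asymmetric key pair.
func NewZone() (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Public: pub, private: priv}, nil
}

// Sign is step 3: the signature over the RRset plays the RRSIG role.
func (z *Zone) Sign(rrs []RR) []byte {
	digest := sha256.Sum256(canonicalRRset(rrs))
	return ed25519.Sign(z.private, digest[:])
}

// Verify is Bob's step 7: validate the RRset against the signature using only
// the published public key. A changed address, a changed TTL or a signature
// lifted from another RRset all fail here, which is what lets a validating
// resolver reject a forged answer instead of caching it.
func Verify(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	digest := sha256.Sum256(canonicalRRset(rrs))
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	zone, err := NewZone()
	if err != nil {
		panic(err)
	}
	// Constructed sample RRset (documentation address range, not a real host).
	rrset := []RR{{"www.example.com.", "A", 3600, "192.0.2.10"}}
	sig := zone.Sign(rrset)
	fmt.Println("genuine RRset verifies:", Verify(zone.Public, rrset, sig))

	// A forged answer pointing the name elsewhere, as in cache poisoning.
	forged := []RR{{"www.example.com.", "A", 3600, "198.51.100.99"}}
	fmt.Println("forged RRset verifies: ", Verify(zone.Public, forged, sig))
}
```

The point of the canonical form is step 6 and 7 in practice: Bob must hash exactly the bytes Alice signed, so the serialisation has to be order-independent and case-normalised, otherwise a legitimately reordered answer would fail validation. What this example does not show is how Bob decides that the public key itself is Alice's; in DNSSEC that trust comes from the DS record in the parent zone, which is where the KSK/ZSK split and the chain of trust come in.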


               DNSSEC applies this digital signature mechanism to resource records (RRs) to protect the data itself, as
               placed in each section of the response message. DNSSEC adds four new RR types to the existing DNS
               records: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), NSEC/NSEC3, and DS. These
               record types support the digital signatures and the signature verification process [6,19].
               (1) RRSIG: This RR carries the signature for a DNSSEC-secured record set.
               (2) DNSKEY: This RR contains the public key used to verify the signature in RRSIG records.
               (3) NSEC/NSEC3: This RR provides explicit denial of existence of a DNS record.