Trust Infrastructure and DNSSEC Deployment
Allison Mankin [email protected]
5th Annual PKI R&D Workshop 2006

Why DNSSEC
Good security is multi-layered and preventive
Multiple defense barriers in physical world
Multiple ‘layers’ in the networking world
DNS infrastructure
myhost.example.com = 192.0.2.1
Plus signature for myhost.example.com
Attacker cannot forge this answer without the associated private keys.
Under normal circumstances, this [a way that the BlackBerry Router can be shut down using a flaw in the routing protocol] should be viewed as an internal-only vulnerability because the BlackBerry Router will only communicate with the BlackBerry Infrastructure. An external user attempting to exploit this needs to manipulate Domain Name System (DNS) queries. This results in a denial of service and does not require any further action to interrupt connectivity to external services. Enterprises can mitigate the risk of DNS hijacking by creating static entries in their local DNS or HOSTS tables for the BlackBerry Infrastructure.
Mar 2005 style
ISP server attack
Valid reply with poisoned additional information. False .com server address installed in ISP servers - 10% of servers vulnerable
Hypothetical attack: a new signature is added by X, whose public key resides at a false domain Y. A commercially successful DNS attack last year used the same vulnerabilities and topology.
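The signed answer for myhost.example.com and the "signature added by X" case above, as an added example that is not from the original slides: a resolver accepts a record only if its signature verifies under the key it already trusts for the zone. The keys are constructed textbook RSA over known Mersenne primes (insecure, not a DNSSEC algorithm or wire format), and the function names and the 203.0.113.9 address are assumptions made for the illustration.

```python
import hashlib

# Constructed demo keys: textbook RSA over known Mersenne primes. NOT secure and
# NOT a DNSSEC algorithm or wire format; it only makes the sign/verify roles concrete.
E = 65537

def make_key(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (needs Python 3.8+)
    return {"n": n, "d": d}

ZONE = make_key(2**521 - 1, 2**607 - 1)    # key held by the example.com zone
X_KEY = make_key(2**127 - 1, 2**1279 - 1)  # key held by the outside party "X"

def digest(name, rtype, rdata, n):
    # Hash a simplified canonical form of the record (lower-case, no trailing dot).
    canon = f"{name.lower().rstrip('.')}|{rtype}|{rdata}".encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n

def sign(key, name, rtype, rdata):
    # Only the holder of the private exponent d can produce this value.
    return pow(digest(name, rtype, rdata, key["n"]), key["d"], key["n"])

def validate(trusted_n, name, rtype, rdata, sig):
    # The resolver verifies against the key it already trusts for the zone,
    # never against a key that arrives alongside the answer.
    return pow(sig, E, trusted_n) == digest(name, rtype, rdata, trusted_n)

def demo():
    name, rtype = "myhost.example.com", "A"
    good_sig = sign(ZONE, name, rtype, "192.0.2.1")
    # 1. Genuine answer plus the zone's signature.
    genuine = validate(ZONE["n"], name, rtype, "192.0.2.1", good_sig)
    # 2. Address changed in transit, genuine signature replayed.
    altered = validate(ZONE["n"], name, rtype, "203.0.113.9", good_sig)
    # 3. Changed address signed by X, whose key the resolver does not trust.
    x_sig = sign(X_KEY, name, rtype, "203.0.113.9")
    signed_by_x = validate(ZONE["n"], name, rtype, "203.0.113.9", x_sig)
    return genuine, altered, signed_by_x

if __name__ == "__main__":
    print(demo())
```

Only the first case validates; the check in the third case depends entirely on the resolver using its own trusted copy of the zone key.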