Cited By
View all- Goertzen JStebila D(2023)Post-Quantum Signatures in DNSSEC via Request-Based FragmentationPost-Quantum Cryptography10.1007/978-3-031-40003-2_20(535-564)Online publication date: 16-Aug-2023
Poster: The Unintended Consequences of Algorithm Agility in DNSSEC
Pages 3363 - 3365
Abstract
Cryptographic algorithm agility is an important property for DNSSEC: it allows easy deployment of new algorithms if the existing ones are no longer secure. In this work we show that the cryptographic agility in DNSSEC, although critical for provisioning DNS with strong cryptography, also introduces a vulnerability. We find that under certain conditions, when new algorithms are listed in signed DNS responses, the resolvers do not validate DNSSEC. As a result, domains that deploy new ciphers may in fact cause the resolvers not to validate DNSSEC. We exploit this to develop DNSSEC-downgrade attacks and experimentally and ethically evaluate them against popular DNS resolver implementations, public DNS providers, and DNS services used by web clients worldwide. We find that major DNS providers as well as 45% of DNS resolvers used by web clients are vulnerable to our attacks.
References
[1]
Markus Brandt, Tianxiang Dai, Amit Klein, Haya Shulman, and Michael Waidner. 2018. Domain Validation For MitM-Resilient PKI. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2060--2076.
[2]
Tianxiang Dai, Philipp Jeitner, Haya Shulman, and Michael Waidner. 2021. The Hijackers Guide To The Galaxy:$$Off-Path$$ Taking Over Internet Resources. In 30th USENIX Security Symposium (USENIX Security 21). 3147--3164.
[3]
Tianxiang Dai, Haya Shulman, and Michael Waidner. 2016. Dnssec misconfigurations in popular domains. In International Conference on Cryptology and Network Security. Springer, 651--660.
[4]
Amir Herzberg and Haya Shulman. 2013. Fragmentation Considered Poisonous: or one-domain-to-rule-them-all.org. In IEEE CNS 2013. The Conference on Communications and Network Security, Washington, D.C., U.S. IEEE.
[5]
Russ Housley. 2015. Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms. Technical Report. BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015https://www. rfc ?.
[6]
IANA. 2020. Domain Name System Security (DNSSEC) Algorithm Numbers. https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml.
[7]
Dan Kaminsky. 2008. It's the End of the Cache As We Know It. In Black Hat conference. http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Kaminsky/BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf.
[8]
Haya Shulman and Michael Waidner. 2017. One key to sign them all considered vulnerable: Evaluation of DNSSEC in the Internet. In 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI 17). 131--144.
Index Terms
- Poster: The Unintended Consequences of Algorithm Agility in DNSSEC
Recommendations
Poster: Off-Path DNSSEC Downgrade Attacks
ACM SIGCOMM '23: Proceedings of the ACM SIGCOMM 2023 ConferenceRecent works found that signing zones with new cryptographic ciphers may disable DNSSEC validation in DNS resolvers. Adversaries could exploit this to manipulate algorithm numbers of ciphers in DNS responses, to make them appear as unknown, hence ...
Securing Domain Name System Combined with MIPv6 for Mobile Hosts
TRUSTCOM '13: Proceedings of the 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and CommunicationsDNS is the standard mechanism for name to IP address resolution. The DNS has been extended to DNSSEC to add security by providing origin authentication and data integrity by the process of creating signatures periodically, which results in intensive ...
Securing DNS: Extending DNS Servers with a DNSSEC Validator
DNS Security Extensions (DNSSEC) is a proposed standard for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a ...
Comments
Information & Contributors
Information
Published In
November 2022
3598 pages
ISBN:9781450394505
DOI:10.1145/3548606
- General Chairs:
- Heng Yin,
- Angelos Stavrou,
- Program Chairs:
- Cas Cremers,
- Elaine Shi
Copyright © 2022 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 07 November 2022
Check for updates
Author Tags
Qualifiers
- Poster
Funding Sources
- German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education Research and the Arts
Conference
CCS '22
Sponsor:
CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security
November 7 - 11, 2022
CA, Los Angeles, USA
Acceptance Rates
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
Upcoming Conference
CCS '24
- Sponsor:
- sigsac
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 154Total Downloads
- Downloads (Last 12 months)66
- Downloads (Last 6 weeks)3
Reflects downloads up to
Other Metrics
Citations
Cited By
View all- Goertzen JStebila D(2023)Post-Quantum Signatures in DNSSEC via Request-Based FragmentationPost-Quantum Cryptography10.1007/978-3-031-40003-2_20(535-564)Online publication date: 16-Aug-2023
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in