Adaptive DNSSEC

Daniel Dubnikov
OARC 37,
DNS security


Several different DNSSEC configurations have been suggested in recent years in an attempt to address different security and privacy issues in the DNS system. In this presentation we briefly review, and analyse the performances of different configurations using a baseline throughput measurement (based on DNSPERF). We show that while each configuration serves an important role by solving some issues (e.g.: Zone Walking, Scalability for Large Zones), the overall throughput of the system is degraded, and this opens the door to DDoS amplification attacks due to the much larger message size, and extra cryptography computations.

Our goal is to design and implement (PoC level implementation) of a high throughput communication link between DNS resolver and authoritative servers that provides proof of authenticity and at the same time disables zone waking attacks. The motivation is to provide the same level of security as DNSSEC without the poor performances that come with it during a flood of NX requests attack, and without opening the door to zone walking attacks.

We designed and implemented an adaptive communication protocol between recursive resolver and authoritative servers with the above properties. We implemented a PoC that works (with Knot servers) at a throughput close to that of the standard DNS protocol, w/o DNSSEC (20,500 rps, requests per second, compared to 23,500 rps in plain DNS). We note that if one is willing to scarify and enable zone walking attacks, then a much higher throughput solution is possible as demonstrated by the NSEC3 aggressive caching implementation in Knot.

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Share on email