Why is DNSSEC Important?

Yesterday, I touched on DNSSEC and the potential impact it could have on Internet connections where consumer-grade hardware was involved.

So what was the big deal?

In the past, there have been issues with “DNS spoofing”, where an attacker tricks a computer into going to an IP address other than the one associated with a domain name. This problem was exacerbated by the fact that UDP (User Datagram Protocol), unlike TCP (Transmission Control Protocol), requires no handshake, and the UDP header itself carries nothing that identifies or authenticates the sender. This lack of source identification or signature has been the “Achilles heel” of an otherwise robust implementation of DNS.

So what is the solution?

Basically, the solution is to add a digital signature to the DNS response, which can be verified against a public key published in a special record on the DNS server: an implementation of public-key cryptography. It is important to note that this only affords authenticity, not confidentiality. Doing this does present a problem, though.

DNSSEC responses push beyond 512 bytes, which is the maximum length a variety of consumer-grade routers expect for a standard DNS message over UDP. Normally that wouldn’t be such a big deal, since we can use TCP instead, but unfortunately the affected routers either treat DNSSEC responses that use TCP or exceed 512 bytes as some sort of attack or simply drop the responses altogether.

Oops.

For the most part, there don’t seem to have been any widespread issues as a result of DNSSEC going live, but I guess it is still early days. I’d be interested to see whether the technology media detects anything over the next week or so, just in case.
