Domeinnaamhandtekening (DNSSEC)

Waarom

Hieronder vindt je enkele links naar beschrijvingen van enkele bekende incidenten die DNSSEC waarschijnlijk had kunnen voorkomen.

• "Cache-poisoning attack snares top Brazilian bank"
• "Eircom reveals ‘cache poisoning’ attack by hacker led to outages"
• "DNS cache poisonings foist malware attacks on Brazilians"
• "Cache Poisoning of Mail Handling Domains Revisited"
• "Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security"

Hieronder volgt een citaat uit de laatstgenoemde onderzoekspublicatie:

Mail security, like that of many other protocols, is intrinsically tangled with the security of DNS resolution. Rather than target the SMTP protocol, an active network attacker can spoof the DNS records of a destination mail server to redirect SMTP connections to a server under the attacker’s control. [...] We find evidence that 178,439 out of 8,860,639(2.01%) publicly accessible DNS servers provided invalid IPs or MX records for one or more of these domains.

Gebruiksstatistieken

• Pulse - DNSSEC metric door Internet Society
• .nl-statistieken over DNSSEC door SIDN Labs
• DNSSEC Validation Measurement door APNIC
• DNSSEC Deployment Report

Achtergrondinformatie

• FAQ over DNSSEC door SIDN
• ISOC's Deploy360 over DNSSEC
• DNSSEC.net
• Wikipedia on DNSSEC
• Knowledge-Sharing and Instantiating Norms for DNS and Naming Security (KINDNS)

Specificaties

• RFC 4033: DNS Security Introduction and Requirements
• RFC 4034: Resource Records for the DNS Security Extensions
• RFC 4035: Protocol Modifications for the DNS Security Extensions
• RFC 8624: Algorithm Implementation Requirements and Usage Guidance for DNSSEC
• RFC 9276: Guidance for NSEC3 Parameter Settings