Project Description

  • The DNS Security Extensions (DNSSEC) are among the first attempts to add cryptographic defense into a large Internet-scale system. After over a decade of development, the underlying cryptographic design is sound but system barriers are blocking deployment. This project aims to identify and remove major barriers in DNSSEC deployment, and derive general principles that can guide cryptographic deployment in other large systems.
  • The three concrete research results we have obtained so far include: (1) we have incorporated caches into cryptographic defense; (2) we have devised error-tolerant authentication rules; (3) we have favored high-probability checks over idealized perfect checks based on unachievable operations. The three major impact areas of this project include: (1) Removal of DNSSEC deployment barriers; (2) Cryptographic rules for loosely-coupled caching systems; and (3) Lessons for other large system defense.

DNSSEC Deployment Barriers & Our Solutions

  • Incremental deployment and Islands of DNS Security

    
Exploring use of well known public space for publishing keys, signatures, and keys' actions to bridge gaps in DNSSEC deployment.

  • Off-Line Keys and Dynamic Data

    Redesign to include on-line keys with confined scopes.

  • Key Revocation

    Designing a soft-state solution to enable fast key revocation with DNS's heavy use of caching.

  • Denial of Existence and Exposing Privacy

    
Redesign using Bloom filter digests to obscure data.

Contact

Daniel Massey
Email: massey [@cs.colostate.edu]

Batsukh Tsendjav
Email: batsukh [@cs.colostate.edu]