Short Paper: On Deployment of DNS-Based Security Enhancements

  • Conference paper
Financial Cryptography and Data Security (FC 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10322)

Abstract

Although the Domain Name System (DNS) was designed as a naming system, its features have made it appealing to repurpose it for the deployment of novel systems. One important class of such systems are security enhancements, and this work sheds light on their deployment. We show the characteristics of these solutions and measure reliability of DNS in these applications. We investigate the compatibility of these solutions with the Tor network, signal necessary changes, and report on surprising drawbacks in Tor’s DNS resolution.

Acknowledgment

We gratefully acknowledge support from ETH Zurich and from the Zurich Information Security and Privacy Center (ZISC). We thank Brian Trammell and the anonymous reviewers, whose feedback helped to improve the paper.

Author information

Corresponding author

Correspondence to Pawel Szalachowski.

Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Szalachowski, P., Perrig, A. (2017). Short Paper: On Deployment of DNS-Based Security Enhancements. In: Kiayias, A. (eds) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science, vol 10322. Springer, Cham. https://doi.org/10.1007/978-3-319-70972-7_24

  • DOI: https://doi.org/10.1007/978-3-319-70972-7_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70971-0

  • Online ISBN: 978-3-319-70972-7

  • eBook Packages: Computer Science, Computer Science (R0)
