CT-ISG Collaborative Research: DNS Security Revisited: Enabling Cryptographic Defenses in Large-Scale Distributed Systems
PIs: Lixia Zhang (UCLA), Songwu Lu (UCLA), and Dan Massey (Colorado State)
The Domain Name System (DNS) is a core Internet protocol, and virtually all Internet applications rely on some form of DNS data. This project is identifying and addressing fundamental technical challenges in deploying the DNS Security Extensions (DNSSEC) in the global Internet. DNSSEC aims to enhance DNS with data origin authentication and data integrity checking by applying well-defined cryptographic solutions; however, a number of system issues have arisen in the process of moving the cryptographic solution to real deployment. This project is first conducting a systematic assessment of the gap between the DNSSEC specification and the deployment constraints. For each identified technical challenge, the project is proposing, implementing, and evaluating specific solutions and then integrating those solutions into a unified design improvement.
DNSSEC deployment is critical to enhanced security in cyberspace, and this effort will help move it forward by overcoming existing roadblocks, foreseeing new obstacles on the road, and developing enabling techniques to clear these obstacles. The project will also extrapolate a set of lessons and principles on major challenges in deploying cryptographic protection in large-scale systems, which will hopefully provide input into other cryptographic deployment efforts, such as those for the global routing system.