Gijs van den Broek
11 November 2011
The Domain Name System provides a critical service on the Internet: it translates host names to IP addresses. However, it gives no guarantees about the authenticity and origin integrity of resolution data, which leaves DNS vulnerable to various types of attacks. DNSSEC attempts to mitigate these vulnerabilities by applying cryptographic signatures to DNS records. Because of the signatures, DNSSEC responses are generally larger than plain DNS responses. Some of these larger responses are fragmented, and the fragments may in turn be partly blocked by some firewalls. In those cases, zones may appear to be unresolvable. Our research considers a number of solutions to this problem, both within and outside the DNS standards. These solutions will be tested using a name server setup in a lab environment.
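The failure chain described above (signed response too large for the path, IPv4 fragmentation, a firewall dropping non-initial fragments, apparent resolution failure), as an added model that is not part of this paper or its lab setup. It assumes a plain IPv4/UDP path with a 1500-byte MTU, the RFC 6891 rule that a server truncates (TC) a reply larger than the client's advertised EDNS0 buffer, and a simplified resolver that steps down its advertised buffer (4096, 1232, 512) on timeout and falls back to TCP on TC; the sizes are constructed sample values.

```python
import math

IP_HDR, UDP_HDR = 20, 8       # IPv4 header without options, UDP header
DNS_UDP_LIMIT = 512           # classic DNS UDP payload limit when the query has no OPT record


def ipv4_fragments(udp_payload_len, mtu=1500):
    """Number of IPv4 fragments needed for one UDP datagram.
    Every fragment but the last carries a multiple of 8 bytes of the
    UDP header plus payload, so fragment offsets stay valid (RFC 791)."""
    l4_len = UDP_HDR + udp_payload_len
    per_fragment = (mtu - IP_HDR) // 8 * 8
    return max(1, math.ceil(l4_len / per_fragment))


def server_udp_reply(response_len, advertised_bufsize):
    """Authoritative server: send the whole reply if it fits the client's
    EDNS0 buffer (512 without EDNS0), otherwise truncate and set TC."""
    limit = advertised_bufsize or DNS_UDP_LIMIT
    if response_len <= limit:
        return {"tc": False, "size": response_len}
    return {"tc": True, "size": limit}   # client is expected to retry over TCP


def path_delivers(udp_payload_len, mtu, drops_fragments):
    """Middlebox model: a firewall that discards non-initial fragments
    makes any fragmented datagram impossible to reassemble at the resolver."""
    return not (drops_fragments and ipv4_fragments(udp_payload_len, mtu) > 1)


def resolve(response_len, mtu=1500, drops_fragments=True, bufsizes=(4096, 1232, 512)):
    """Resolver model (assumption, simplified): advertise EDNS0 buffer sizes
    from large to small; an undelivered reply counts as a timeout and triggers
    the next size, a TC reply triggers TCP fallback.
    Returns (transport, attempts); transport is None if every attempt timed out."""
    attempts = []
    for buf in bufsizes:
        reply = server_udp_reply(response_len, buf)
        if not path_delivers(reply["size"], mtu, drops_fragments):
            attempts.append((buf, "timeout"))
            continue
        attempts.append((buf, "tc" if reply["tc"] else "ok"))
        return ("tcp" if reply["tc"] else "udp"), attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sizes: a 300-byte unsigned answer and an 1800-byte signed one.
    print(resolve(300))                         # ('udp', [(4096, 'ok')])
    print(resolve(1800))                        # ('tcp', [(4096, 'timeout'), (1232, 'tc')])
    print(resolve(1800, drops_fragments=False)) # ('udp', [(4096, 'ok')])
```

With the fragment-dropping firewall in place, the signed answer only succeeds once the resolver lowers its buffer far enough for the server to truncate, which is why a resolver that never steps down its EDNS0 buffer sees the zone as unresolvable.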