Improving Response Deliverability in DNSSEC

Gijs van den Broek

11 November 2011

The Domain Name System provides a critical service on the Internet: it allows host names to be translated to IP addresses. However, it provides no guarantees about the authenticity and origin integrity of resolution data, which leaves DNS vulnerable to various types of attacks. DNSSEC attempts to mitigate these vulnerabilities by applying cryptographic signatures to DNS records. Because of these signatures, DNSSEC responses are generally larger than plain DNS responses. Some of these larger responses are fragmented, and such fragments may in turn be partially blocked by some firewalls. In those cases, zones may appear to be unresolvable. Our research considers a number of in-standard and out-of-standard solutions to this problem. These solutions will be tested using a name server setup in a lab environment.