
Consequences of compromised zone keys in DNSSEC

Gilles Guette 1
1 ARMOR - Architectures and network models
IRISA - Institut de Recherche en Informatique et Systèmes Aléatoires, INRIA Rennes, Ecole Nationale Supérieure des Télécommunications de Bretagne
Abstract : The Domain Name System is a distributed tree-based database. The DNS protocol is largely used to translate a human-readable machine name into an IP address. The DNS security extensions (DNSSEC) have been designed to protect the DNS protocol. DNSSEC uses public key cryptography and digital signatures. A secure DNS zone owns at least one key pair (public/private) to provide two security services: data integrity and authentication. To trust some DNS data, a DNS client has to verify the signature of this data with the right zone key. This verification is based on the establishment of a chain of trust between secure zones. To build this chain of trust, a DNSSEC client needs a secure entry point: a zone key configured as trusted in the client. The client must then find a secure path from a secure entry point to the queried DNS resource. Zone keys are critical in DNSSEC and are used in every step of a name resolution. In this report, we present a study of the consequences of a compromised key in DNSSEC. We describe compromised key attacks and we present current defenses.
Contributor : Rapport de Recherche Inria
Submitted on : Friday, May 19, 2006 - 7:19:28 PM
Last modification on : Thursday, February 3, 2022 - 11:15:54 AM
Long-term archiving on : Sunday, April 4, 2010 - 8:23:41 PM
HAL Id : inria-00070172, version 1

Gilles Guette. Consequences of compromised zone keys in DNSSEC. [Research Report] RR-5854, INRIA. 2006, pp.13. ⟨inria-00070172⟩
