Hi there, I am working on coming up with ideas for a final year project for my CS major. One of the ideas suggested by a lecturer that he would be interested in supervising would be an exploration of the application of ID-based encryption to securing DNS. From my preliminary research, I am leaning towards a project whereby I attempt to marry DNSSEC with this encryption standard.

My idea was that I might be able to use the simple DNS levels of BIND9, minus DNSSEC, and build on top of them a customised DNSSEC-like scheme. I would presumably have to modify parts of the library too, in order to use the features of RFC 2535 such as the KEY and SIG RRsets with my new scheme. Or perhaps the best approach is to edit how DNSSEC is implemented in the library and attempt to rip out OpenSSL and replace it with hooks to my own mini-encryption library? Has anyone any experience on working with the BIND library that could tell me how bad of an approach this is, how the library lends itself to extensibility, etc.?

A: 

Please clarify whether when you say "securing DNS" you mean:

  1. cryptographically signing the content of an individual DNS message (at the transport level), or
  2. cryptographically encrypting the content of an individual DNS message, or
  3. cryptographically signing DNS zone data, so that it can't be spoofed

The three features are more or less completely orthogonal.

TSIG does the first - it prevents an individual packet from being modified while it's in transit, and only works from hop to hop.

DNSCurve does the second, and therefore implicitly the first too (since if a packet is modified the decryption won't work), but isn't standardised. It's an interesting idea, but it's a very long way from any significant deployment.

DNSSEC only does the last of the three. It is intended to provide an end to end cryptographic proof that the data received by the DNS client is identical to that contained in the authoritative server, regardless of how many recursive resolvers were involved.

From the Wikipedia page, ID-based encryption appears to be about securing messages between two parties, and not about signing data. If that's correct, it's closer to TSIG or DNSCurve than to DNSSEC.

Alnitak
The brief given to me was as follows: "The idea here is to do the same using IBE instead, so for example the IP address of the machine could be used to derive the public key of the machine that wishes to update its DNS record. If one can quickly and securely update the DNS record then this has implications for protocols like Mobile IP that require frequent routing updates due to the mobility of the nodes in the system." From that and discussions, it's not really any of your three options. I'm in over my head here and am going to forget about the project. Thanks.
Karl
Have a look at GSS-TSIG (RFC 3645) - this sounds closest to what you're looking for. The normal problem with TSIG is that both ends must pre-agree a shared secret. Having a more generic dynamic method would be A Good Thing(tm).
Alnitak
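
The hop-to-hop property of TSIG described in the answer above, as an added example that is not part of the original thread: a simplified model in which each hop shares its own secret and the "packet" is just a message plus an HMAC-SHA256 tag. The key names, the record and the `relay` helper are constructed for illustration; real TSIG (RFC 2845) also covers the key name, a timestamp and other fields.

```python
import hashlib
import hmac

# Constructed shared secrets, one per hop: TSIG keys are pre-agreed pairwise.
KEY_AUTH_RESOLVER = b"constructed-secret-auth-to-resolver"
KEY_RESOLVER_CLIENT = b"constructed-secret-resolver-to-client"

def sign(key, message):
    """Return (message, mac), a simplified stand-in for a TSIG-signed packet."""
    return message, hmac.new(key, message, hashlib.sha256).digest()

def verify(key, packet):
    """Recompute the MAC with this hop's key and compare in constant time."""
    message, mac = packet
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

def relay(packet, in_key, out_key, rewrite=None):
    """Model a recursive resolver: check the upstream hop, then re-sign for the
    downstream hop. `rewrite` models a resolver that changes the answer."""
    if not verify(in_key, packet):
        raise ValueError("upstream MAC check failed")
    message = packet[0]
    if rewrite is not None:
        message = rewrite(message)
    return sign(out_key, message)

def demo():
    answer = b"www.example.test. 300 IN A 192.0.2.10"  # constructed record
    upstream = sign(KEY_AUTH_RESOLVER, answer)
    # Case 1: bytes changed on the wire, MAC left as-is: the hop detects it.
    forged = answer.replace(b"192.0.2.10", b"192.0.2.66")
    tampered = (forged, upstream[1])
    # Case 2: an honest resolver verifies and re-signs for the next hop.
    honest = relay(upstream, KEY_AUTH_RESOLVER, KEY_RESOLVER_CLIENT)
    # Case 3: the resolver itself alters the data, then signs with its hop key.
    altered = relay(upstream, KEY_AUTH_RESOLVER, KEY_RESOLVER_CLIENT,
                    rewrite=lambda m: forged)
    return {
        "in_transit_detected": not verify(KEY_AUTH_RESOLVER, tampered),
        "honest_accepted": verify(KEY_RESOLVER_CLIENT, honest),
        "altered_accepted": verify(KEY_RESOLVER_CLIENT, altered),
        "altered_matches_origin": altered[0] == answer,
    }

if __name__ == "__main__":
    print(demo())
```

Case 3 verifies at the client even though the data no longer matches the origin, which is the gap an end-to-end signature over the zone data (DNSSEC) is meant to close.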