1 |
PowerDNS serverio administravimo sistemos Poweradmin galimybių praplėtimas užtikrinant DNSSEC palaikymą / Possibilities Expansion of PowerDNS Server Administration System Poweradmin Ensuring DNSSEC Support
Girkantas, Edmondas 16 July 2014 (has links)
The main subject of this work was an analysis of the DNSSEC protocol, its pros and cons, and an overview of its global deployment. Support for this protocol was added to an existing administration tool. It is now possible to secure new and existing DNS zones and to manage cryptographic keys. General recommendations and notes are also given for successful use of this DNS security extension.
|
2 |
DNSSEC Meets the Frontend: Usability Study of DNSSEC Status Indicator in Browser
Karren, Tyler 18 October 2023 (has links) (PDF)
DNSSEC ensures the integrity of DNS data. DNSSEC, however, is not visible to the end user. We designed a DNSSEC status indicator tool that shows the DNSSEC validation statuses of the host being visited in the Web browser. We then conducted a usability study to evaluate the tool, gathering user behavior and feedback from 30 participants. The usability study revealed that users were able to make security-conscious decisions based on the context of the task, but the tool struggled to communicate that it was sharing the status of the validity of the name-to-IP-address resolution of visited websites. We hope that this work will help with the deployment of DNSSEC and ultimately contribute to a safer Internet with more knowledgeable users.
|
3 |
Naming and security in a mobile, multihomed and multiple interfaces environement / Nommage et sécurité dans une environnement mobile, multihomé et à interfaces multiples
Migault, Daniel 26 September 2012 (has links)
One of the major security problems for operators is to allow their users to maintain the security of a communication even across an untrusted network. For the user, a communication is established between two identifiers, independently of the user's movements and network changes. In other words, the operator must make this communication between identifiers possible through the DNS system, and provide the necessary network mechanisms so that the communication can be maintained when the client moves and changes address. In this thesis we focused on the security aspects, and more precisely:
- DNSSEC: DNSSEC defines how to secure the resolution of a domain name. Security has a cost, which we begin by evaluating before proposing architectures that allow ISPs to migrate DNS Resolution Service platforms to DNSSEC.
- IPsec: IPsec defines how to secure an IP communication. In this thesis we define an extension that allows a user to maintain an IPsec-secured communication for a mobile, multihomed terminal with multiple interfaces.
/ ISPs are concerned about providing and maintaining the level of security of their End Users' communications. A communication is initiated by the End User with a name, and goes on by exchanging packets between two IP addresses. In this thesis, we focused our attention on two main points: (1) providing a secure Naming service, and (2) making IPsec communication resilient to IP address modification, addition or loss of an interface. We designed MOBIKE-X for that purpose and propose it as a standard at the IETF.
|
4 |
Kartläggning av DNSSEC-kvalitet hos DNSSEC-säkrade se-domäner / Mapping the DNSSEC Quality of DNSSEC-secured .se Domains
Ido, Thomas January 2023 (has links)
Sweden's top-level domain, .se, is operated by Internetstiftelsen (The Swedish Internet Foundation), which also promotes the use of DNSSEC, an extension to the DNS (Domain Name System) protocol that provides security protection to DNS records. Internetstiftelsen has good knowledge of the number of DNSSEC-secured domains, but no knowledge of whether they are set up in accordance with DNSSEC recommendations. This study maps the DNSSEC quality of subdomains to the .se domain, which are designated as DNSSEC-signed by the .se domain. The conclusion of the study is that the majority of the examined domains have implemented DNSSEC in accordance with DNS standards and recommendations. However, there are a small number of domains that show deficiencies in DNSSEC. This mapping thus shows that the majority of .se domains have good DNSSEC quality, but that there is room for improvement to ensure a higher level of security for all domains.
|
5 |
Monitoring DNS serverů domén druhé úrovně / Monitoring of SLD DNS servers
Šťastný, Petr January 2011 (has links)
This publication directly follows the bachelor thesis. It contains the necessary theory of HTTP, SMTP and some other protocols and services. This knowledge is then used to draw up a methodology for building additional tests to verify the availability and functionality of the basic Internet services of a domain name. This methodology is then implemented as an application that uses distributed processing to analyse a large number of domains. The results obtained are then compiled into statistical outputs. One chapter is also devoted to an overview of the attacks on DNS and the security options of DNS servers and domain records.
|
6 |
Deployment and analysis of DKIM with DNSSEC / Driftsättning och analys av DKIM med DNSSEC
Bondesson, Rickard January 2008 (has links)
As the email system is widely used as a communication channel, and often is crucial for the performance of organizations, it is important that users can trust the content of what is being delivered to them. A standard called DomainKeys Identified Mail (DKIM) has been developed by the IETF to solve the problem with authentication and integrity, by using digital signatures. The goal of this master's thesis is to evaluate the solution where an implementation of DKIM is extended with DNSSEC validation. DNSSEC is a solution which secures, among other things, the mapping between IP addresses and domain names. The implementation of DKIM is deployed and evaluated with function testing, domain testing, threat analysis, and interoperability testing. DKIM does not need any new public-key infrastructure, thus inflicting less cost on the deployment compared with other cryptographic solutions such as S/MIME and PGP. We recommend using DKIM together with DNSSEC to secure the transportation of the DKIM public key. The upcoming standard ADSP can inform the recipient of whether a domain is signing its email or not, and thereby offers a possibility to detect any unauthorized signature removal. A further problem is that mailing lists often manipulate the email, thus breaking the signature. We therefore recommend sending email directly to the recipient or activating DKIM signing on the mailing lists.
|
7 |
DNSSEC -- authenticated denial of existence : understanding zone enumeration
Vasant, Sachin 22 January 2016 (has links)
Over the years DNS has proved to be an integral part of the internet infrastructure. For our purposes, DNS is simply a large-scale distributed database that maps human-readable domain names to network-recognizable IP addresses. Unfortunately, authenticity of responses was not integral to the initial DNS design. This led to the possibility of a very practical forgery of responses, as displayed by Kaminsky's cache poisoning attacks. DNSSEC is primarily designed as a security extension of DNS that guarantees authenticity of DNS responses.
To answer invalid queries in an authenticated manner, DNSSEC initially employed the NSEC records. To its credit, NSEC allowed nameservers to precompute signatures for such negative responses offline. As a result, NSEC is highly scalable while preserving the authenticity/correctness of responses. But, while doing so, NSEC leaks domains from the nameserver's zone. This is called zone enumeration.
To counter zone enumeration, NSEC3 was deployed. It is a hashed authenticated denial-of-existence mechanism, i.e., it reveals the hashes of the zones in a domain. NSEC3 still allows offline signatures, and is scalable like NSEC. Unfortunately, hashes are vulnerable to dictionary attacks, a property exploited by conventional NSEC3 zone enumeration tools, e.g., the nsec3walker tool.
This leads us to investigate the possibility of constructing an authenticated denial-of-existence mechanism which still allows offline cryptography. To do so, we first define the security goals of a "secure" DNSSEC mechanism in terms of an Authenticated Database System (ADS) with additional goals of privacy, which we define. Any protocol that achieves these goals maintains the integrity of DNSSEC responses and prevents zone enumeration. We then show that any protocol that achieves such security goals can be used to construct weak signatures that prevent selective forgeries. This construction, though a strong indication, doesn't confirm the impossibility of generating proofs offline.
To confirm that such proofs aren't possible offline, we show attacks of zone enumeration on two large classes of proofs. The provers/responders in this case either repeat proofs non-negligibly often or select proofs as subsets from a pre-computed set of proof elements. The attackers we present use a dictionary of all elements that are likely to occur in the database/zone. The attackers prune the said dictionary to obtain the set of all elements in the database (along with a few additional elements that are erroneously classified to be in the database). These attackers minimize the number of queries made to such responders and are loosely based on the paradigm of Probably Approximately Correct learning as introduced by Valiant.
|
8 |
Deployment and analysis of DKIM with DNSSEC / Driftsättning och analys av DKIM med DNSSEC
Bondesson, Rickard January 2008 (has links)
As the email system is widely used as a communication channel, and often is crucial for the performance of organizations, it is important that users can trust the content of what is being delivered to them. A standard called DomainKeys Identified Mail (DKIM) has been developed by the IETF to solve the problem with authentication and integrity, by using digital signatures. The goal of this master's thesis is to evaluate the solution where an implementation of DKIM is extended with DNSSEC validation. DNSSEC is a solution which secures, among other things, the mapping between IP addresses and domain names. The implementation of DKIM is deployed and evaluated with function testing, domain testing, threat analysis, and interoperability testing. DKIM does not need any new public-key infrastructure, thus inflicting less cost on the deployment compared with other cryptographic solutions such as S/MIME and PGP. We recommend using DKIM together with DNSSEC to secure the transportation of the DKIM public key. The upcoming standard ADSP can inform the recipient of whether a domain is signing its email or not, and thereby offers a possibility to detect any unauthorized signature removal. A further problem is that mailing lists often manipulate the email, thus breaking the signature. We therefore recommend sending email directly to the recipient or activating DKIM signing on the mailing lists.
|
9 |
Establishing DANE TLSA Deployment Levels Among Swedish Second Level Domains
Sandelin, Rikard January 2017 (has links)
Domain Based Authentication of Named Entities (DANE) is an Internet Engineering Task Force (IETF) standard released in 2012 intended to complement or in some cases replace the current Public Key Infrastructure (PKI) model. The current PKI model uses Transport Layer Security (TLS) certificates issued by Certificate Authorities (CA) binding domain names to public keys. These CAs act as trust anchors during the certificate validation process. Web browsers and other TLS-supported applications have large lists of trusted CA public keys. If one of these trusted CAs is compromised, the whole system is compromised. DANE uses the Domain Name System (DNS) to publish TLS certificate information and create certificate associations to domain names. DANE relies on DNS Security Extensions (DNSSEC) for authentication and message integrity. By using the DNS root as a single trust anchor instead of the many CA trust anchors, the attack surface is drastically reduced. In this study a quantitative survey among Swedish DNSSEC-signed Second Level Domains (SLD) is performed with the aim of establishing the DANE TLSA deployment level among the SLDs in the Top Level Domain (TLD) .se. The results show that 686 471 of the Swedish SLDs have been DNSSEC signed, which is approximately 49% of all Swedish SLDs. The number of domains that have deployed DANE is very low, with only 79 SLDs found to have DANE TLSA resource records in DNS. The total number of DANE TLSA resource records was 175, and the most common service used with DANE TLSA was HTTPS on port 443, which was 62% of all DANE TLSA resource records found. The most common certificate usage field setting was three, domain-issued certificates.
|
10 |
Robust internetinfrastruktur med DNSSEC och IPv6 : En studie av DNSSEC- och IPv6-implementationen hos utvalda organisationer i Sverige / Robust Internet Infrastructure with DNSSEC and IPv6: A Study of the DNSSEC and IPv6 Implementation at Selected Organizations in Sweden
Eklund, Magnus, Hedblom, Per January 2015 (has links)
The Domain Name System (DNS) is a vital and unavoidable part of the internet. It is, however, vulnerable to attacks. DNSSEC is a way to reduce the vulnerability of DNS. In this thesis, data about a number of domains was collected using Zonemaster and domain information groper and then processed using bash scripts and Java code. This data was then analysed. The result shows that the use and status of the DNSSEC implementation at several of the examined domains is deficient and leaves room for improvement.
|