Take up DNSSEC When Needed
This provides a practical solution for DNSSEC practitioners to speed up deployment with minimal overhead, though it is incremental as it builds on existing DNSSEC technology.
The paper tackles the slow adoption of DNSSEC by proposing a lightweight defense against DNS cache poisoning attacks, where DNS operates normally and switches to DNSSEC mode only when attacks are detected, reducing the DNSSEC query load while maintaining a low cache poisoning success rate.
The threats of caching poisoning attacks largely stimulate the deployment of DNSSEC. Being a strong but demanding cryptographical defense, DNSSEC has its universal adoption predicted to go through a lengthy transition. Thus the DNSSEC practitioners call for a secure yet lightweight solution to speed up DNSSEC deployment while offering an acceptable DNSSEC-like defense. This paper proposes a new defense against cache poisoning attacks, still using but lightly using DNSSEC. In the solution, DNS operates in the DNSSEC-oblivious mode unless a potential attack is detected and triggers a switch to the DNSSEC-aware mode. The performance of the defense is analyzed and validated. The modeling checking results demonstrate that only a small DNSSEC query load is needed to ensure a small enough cache poisoning success rate.