2011/04/25

NSEC again

These past few days, I have tried to recapitulate my understanding of NSEC in DNSSEC, because I know very clearly that I am weak on the NSEC concept. The basic question is: why should NSEC be implemented at all? NSEC at least doubles the file size of an entire zone, which eats up a lot of memory in the authoritative name server. Reading documentation is really boring, so I have to think practically from a hacker's angle.

By means of cache poisoning, a hacker can redirect a bank website to a different IP address. Suppose, however, that the hacker finds it too difficult to make a fake bank site closely resemble the original, and the lack of a digital certificate looks suspicious; victims would easily recognize the fake site. In that case, the hacker can instead inject a fake answer into a resolver saying that www.hsbc.com.hk does not exist. This is a direct denial of service against the bank. NSEC plays an important part in preventing such a scenario. When a host name really does not exist, the resolver receives the signed NSEC records whose owner names, in canonical order, sit closest to www.hsbc.com.hk. In this instance, however, those NSEC records list www.hsbc.com.hk as an existing name, so the fake non-existence answer cannot be proven and should not be returned to clients from the cache. The resolver should then proceed to fetch the proper answer.
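The check a validating resolver performs in the paragraph above, written out as an added example that is not part of the original post: a constructed zone (example.test., standing in for the bank's zone) is turned into an NSEC chain, and a claimed NXDOMAIN is accepted only when some NSEC record in that chain covers the queried name in RFC 4034 canonical order. Because an existing name is always the owner of an NSEC record and never falls strictly inside an interval, a forged "does not exist" answer for it has no valid proof. Wildcard and closest-encloser proofs are deliberately left out to keep the code to the point the post makes.

```python
"""Added example (not from the original post): how a validating resolver uses an
NSEC chain to decide whether an NXDOMAIN answer is provable. The zone below is
constructed; canonical name ordering follows RFC 4034 section 6.1. Wildcard and
closest-encloser proofs are omitted."""


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 canonical ordering: labels are compared from the
    root end, case-insensitively, as unsigned octet strings; a name that is a
    proper ancestor of another sorts first (tuple prefix ordering gives this)."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def is_within_zone(apex: str, qname: str) -> bool:
    """True when qname is the apex itself or a descendant of it."""
    k_apex, k_q = canonical_key(apex), canonical_key(qname)
    return k_q[: len(k_apex)] == k_apex


def build_nsec_chain(apex: str, names: list) -> list:
    """Return (owner, next) pairs: each NSEC names the next owner in canonical
    order, and the last one points back to the apex, closing the chain."""
    ordered = sorted(set(names) | {apex}, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec_covers(owner: str, next_name: str, apex: str, qname: str) -> bool:
    """An NSEC proves qname absent when qname sorts strictly between owner and
    next. For the last NSEC (next == apex) the interval wraps around, so it
    covers every in-zone name sorting after its owner."""
    k_owner, k_next, k_q = (canonical_key(n) for n in (owner, next_name, qname))
    if k_owner < k_next:
        return k_owner < k_q < k_next
    return k_q > k_owner and is_within_zone(apex, qname)


def nxdomain_proof(chain: list, apex: str, qname: str):
    """Return the NSEC (owner, next) that proves qname does not exist, or None
    when no NSEC covers it. A name the chain lists as an owner is never covered,
    so a forged NXDOMAIN for an existing name has no valid proof and the
    resolver must not cache or return it."""
    if not is_within_zone(apex, qname):
        return None
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, apex, qname):
            return (owner, next_name)
    return None


# Constructed zone standing in for the bank's zone discussed in the post.
APEX = "example.test."
CHAIN = build_nsec_chain(APEX, ["www.example.test.", "mail.example.test.", "ftp.example.test."])

if __name__ == "__main__":
    for owner, nxt in CHAIN:
        print(f"{owner:<22} NSEC {nxt}")
    for q in ("www.example.test.", "nosuch.example.test.", "zzz.example.test."):
        proof = nxdomain_proof(CHAIN, APEX, q)
        verdict = "NXDOMAIN provable" if proof else "NXDOMAIN not provable: reject forged answer"
        print(f"{q:<22} {verdict}")
```

Note the side effect visible in the chain: every NSEC record names the next existing owner, which is exactly the "lists that the name is in existence" property the post relies on, and also why NSEC makes zone contents enumerable.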
