As an effective countermeasure against cache poisoning attacks, DNSSEC has been proposed and
standardized. DNSSEC uses public-key cryptography to guarantee the integrity of DNS
responses exchanged between the cache DNS server and the authoritative DNS server. As shown in this
figure, the authoritative DNS server signs the zone file with its private key and returns
the corresponding DNS resource records together with the signature and the public key to the
cache DNS server. The cache DNS server then verifies the signature with the public
key and thereby checks the integrity of the DNS response. Although DNSSEC can prevent cache
poisoning attacks, it also introduces some issues: an increased workload on the
cache DNS server, and domain name resolution failure whenever DNSSEC validation
fails.
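The sign-and-verify flow described above, as an added example that is not part of the original text or of any DNSSEC implementation: Ed25519 stands in for the zone key and a simplified canonical RRset text replaces the RFC 4034 wire form. The record values and key pairs are constructed here; the last case shows the failure mode the text mentions, where a cache that trusts the wrong DNSKEY returns SERVFAIL even for authentic data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal DNS resource record: owner name, type, rdata and TTL.
type RR struct {
	Name, Type, Data string
	TTL              uint32
}

// canonical renders an RRset the way signer and validator must both see it
// (lowercase owner names, sorted records) so the signature covers one fixed form.
func canonical(rrs []RR) []byte {
	lines := make([]string, len(rrs))
	for i, r := range rrs {
		lines[i] = fmt.Sprintf("%s %d %s %s", strings.ToLower(r.Name), r.TTL, r.Type, r.Data)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the authoritative side: sign the canonical RRset with the zone's private key.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonical(rrs))
}

// Validate is the cache side: return NOERROR only if the signature verifies under the
// DNSKEY the cache trusts; any mismatch (forged data OR wrong key) yields SERVFAIL.
func Validate(pub ed25519.PublicKey, rrs []RR, sig []byte) (string, bool) {
	if ed25519.Verify(pub, canonical(rrs), sig) {
		return "NOERROR", true
	}
	return "SERVFAIL", false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)             // constructed zone key pair
	rrs := []RR{{"www.example.", "A", "192.0.2.10", 3600}}       // constructed sample RRset
	sig := SignRRset(priv, rrs)
	fmt.Println(Validate(pub, rrs, sig))                         // NOERROR true
	forged := []RR{{"www.example.", "A", "198.51.100.66", 3600}} // record altered in transit
	fmt.Println(Validate(pub, forged, sig))                      // SERVFAIL false
	staleKey, _, _ := ed25519.GenerateKey(rand.Reader)           // cache trusts the wrong DNSKEY
	fmt.Println(Validate(staleKey, rrs, sig))                    // SERVFAIL false: authentic data, still unresolvable
}
```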