International Journal of Network Security, Vol.20, No.1, PP.19-24, Jan. 2018 (DOI: 10.6633/IJNS.201801.20(1).03)

New Protocol E-DNSSEC to Enhance DNSSEC Security

Kaouthar Chetioui, Ghizlane Orhanou, and Said El Hajji
(Corresponding author: Kaouthar Chetioui)
Laboratory of Mathematics, Computing and Applications, Faculty of Science, Mohammed V University in Rabat
BP. 1014 RP, Rabat, Morocco
(Email: kaoutharchetioui@gmail.com)
(Received Sep. 28, 2016; revised and accepted Jan. 15, 2017)

Abstract

The Domain Name System (DNS) is an essential component of the internet infrastructure. Due to its importance, securing DNS has become a necessity for current and future networks. DNSSEC, the extended version of DNS, was developed in order to provide security services. Unfortunately, DNSSEC does not offer query privacy: every query sent to a resolver can be observed in the clear. In this paper, we evaluate the security of the DNS and DNSSEC protocols and show that DNSSEC alone is insufficient to secure the DNS protocol, because it does not ensure the confidentiality of data transiting over the network. We therefore propose a new method named ’E-DNSSEC’ which aims to add query confidentiality to the existing DNSSEC security features by encrypting queries between DNSSEC servers. An implementation of the E-DNSSEC protocol is then given. Finally, we conclude with an analysis showing the positive impact of this method on DNSSEC security.

Keywords: Confidentiality; DNSSEC; E-DNSSEC

1 Introduction

DNS is a globally accessible distributed database that uses a request/response architecture. The DNS protocol resolves human-readable domain names to Internet Protocol (IP) addresses, so DNS resolution is the first step in any network communication. It is therefore essential that the DNS infrastructure be robust and secure [5]. That is why DNS protocol security needs to be enhanced so that at least authentication, integrity and confidentiality can be ensured.
TSIG (Transaction Signatures), defined in RFC 2845 [10], is a solution used to ensure the integrity of channels; it allows two machines talking DNS to check the identity of the caller. Unfortunately, this mechanism does not authenticate the source data; it only secures the transmission of data between two parties who share the same secret key. The original source data can come from a compromised zone master or can be corrupted during transit from an authentic zone master to some ”caching forwarder” [10]. These signature mechanisms are reserved only for protecting zone transfers and dynamic update messages. So, TSIG is mostly used between master and slave DNS servers to secure zone transfers, and today almost all transfers between authoritative servers are protected by TSIG.

DNSSEC (DNS Security Extensions), defined in [RFC4033-4035], was proposed and standardized in 1997 [3]; it solves some of the security issues of the DNS protocol. DNSSEC secures data sent by DNS servers; it ensures two security objectives, namely authentication and integrity of the source of data. These extensions use cryptography to sign DNS records and publish the signatures in DNS. Thus, a suspicious DNS client can retrieve the signature and, using the server's key, check whether the data is correct. DNSSEC allows delegation of signatures, and the registry of a TLD (Top-Level Domain) can announce that a given subdomain is signed. Using DNSSEC, a chain of trust can also be built from the root server.

Despite the services provided by the DNSSEC protocol, it has some gaps which slow its deployment:

- compatibility with existing equipment and software;
- deployment of DNSSEC across a wide range of DNS servers and DNS resolvers (clients);
- protection of data transiting the network, i.e. a confidentiality service; when communications require private channels, SSH or IPsec are used to interact with DNS. These technologies are used because no DNS-level solution has been proposed for this case.
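The two properties the TSIG and DNSSEC paragraphs above rely on, integrity of the channel versus confidentiality of the query, can be made concrete with a small simulation. The following Python block is an added example and is not code from the paper or from any DNS implementation; it builds a minimal DNS query in wire format, protects it with a simplified TSIG-style HMAC-SHA256 over the whole message (the real RFC 2845 record layout is not reproduced, and the shared secret is a constructed value), and then shows three things: a tampered message fails verification, a party holding the shared secret can produce a valid MAC over bad data (so the channel is protected but the source data is not authenticated), and the queried name can be read straight out of the bytes on the wire (no confidentiality).

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the TSIG-style example (not a real key).
SHARED_SECRET = b"example-shared-secret-constructed"


def encode_qname(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question (class IN)."""
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    return header + question


def tsig_sign(message: bytes, secret: bytes) -> bytes:
    """Simplified TSIG-style MAC: HMAC-SHA256 over the whole message."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def tsig_verify(message: bytes, mac: bytes, secret: bytes) -> bool:
    """Constant-time check that the MAC matches the message under the shared secret."""
    return hmac.compare_digest(tsig_sign(message, secret), mac)


def extract_query_name(message: bytes) -> str:
    """Parse the question name straight out of the wire bytes (it starts at offset 12)."""
    labels = []
    pos = 12
    while True:
        length = message[pos]
        pos += 1
        if length == 0:
            break
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def demo() -> dict:
    """Run the three checks described in the lead-in and return their outcomes."""
    query = build_query("example.com")
    mac = tsig_sign(query, SHARED_SECRET)
    results = {}

    # 1. A genuine message verifies under the shared secret.
    results["verifies"] = tsig_verify(query, mac, SHARED_SECRET)

    # 2. In-transit tampering (same-length label change) is detected.
    tampered = query.replace(b"\x07example", b"\x07exampl3")
    results["tamper_detected"] = not tsig_verify(tampered, mac, SHARED_SECRET)

    # 3. A compromised key holder can MAC bad data and it verifies: TSIG protects
    #    the channel, not the origin of the data.
    forged_mac = tsig_sign(tampered, SHARED_SECRET)
    results["bad_data_from_key_holder_verifies"] = tsig_verify(tampered, forged_mac, SHARED_SECRET)

    # 4. The MAC adds nothing for confidentiality: the name is readable on the wire.
    results["query_name_in_clear"] = extract_query_name(query)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

DNSSEC replaces the shared secret with public-key signatures over records, which is what lets a resolver that holds no secret verify origin and integrity; the fourth check applies equally to it, since signing a record never hides the name being asked for, which is exactly the gap E-DNSSEC targets.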
However, SSH and IPsec both suffer from various security problems of their own [4]. In this paper, we propose a new method, E-DNSSEC, which uses cryptography to encrypt DNSSEC queries transiting across the network. This method aims to add