As a critical Internet infrastructure,domain name system(DNS)protects the authenticity and integrity of domain resource records with the introduction of security extensions(DNSSEC).DNSSEC builds a single-center and hi...As a critical Internet infrastructure,domain name system(DNS)protects the authenticity and integrity of domain resource records with the introduction of security extensions(DNSSEC).DNSSEC builds a single-center and hierarchical resource authentication architecture,which brings management convenience but places the DNS at risk from a single point of failure.When the root key suffers a leak or misconfiguration,top level domain(TLD)authority cannot independently protect the authenticity of TLD data in the root zone.In this paper,we propose self-certificating root,a lightweight security enhancement mechanism of root zone compatible with DNS/DNSSEC protocol.By adding the TLD public key and signature of the glue records to the root zone,this mechanism enables the TLD authority to certify the self-submitted data in the root zone and protects the TLD authority from the risk of root key failure.This mechanism is implemented on an open-source software,namely,Berkeley Internet Name Domain(BIND),and evaluated in terms of performance,compatibility,and effectiveness.Evaluation results show that the proposed mechanism enables the resolver that only supports DNS/DNSSEC to authenticate the root zone TLD data effectively with minimal performance difference.展开更多
基金This work is partially supported by the National Key Research and Development Program(2018YFB1800702).
文摘As a critical Internet infrastructure,domain name system(DNS)protects the authenticity and integrity of domain resource records with the introduction of security extensions(DNSSEC).DNSSEC builds a single-center and hierarchical resource authentication architecture,which brings management convenience but places the DNS at risk from a single point of failure.When the root key suffers a leak or misconfiguration,top level domain(TLD)authority cannot independently protect the authenticity of TLD data in the root zone.In this paper,we propose self-certificating root,a lightweight security enhancement mechanism of root zone compatible with DNS/DNSSEC protocol.By adding the TLD public key and signature of the glue records to the root zone,this mechanism enables the TLD authority to certify the self-submitted data in the root zone and protects the TLD authority from the risk of root key failure.This mechanism is implemented on an open-source software,namely,Berkeley Internet Name Domain(BIND),and evaluated in terms of performance,compatibility,and effectiveness.Evaluation results show that the proposed mechanism enables the resolver that only supports DNS/DNSSEC to authenticate the root zone TLD data effectively with minimal performance difference.
