Title: Efficient DNSSEC Resource Record Update Scheme (original Chinese title: 高效能域名系統安全擴展資源記錄更新機制)
Authors: Chang, Shu-Lun (張書綸); Shieh, Shiuh-pyng
Keywords: DNS Security Extensions; DNSSEC
Publication date: 2011
Abstract: The Domain Name System Security Extensions (DNSSEC) are designed to protect the Domain Name System (DNS). Using digital signatures, DNSSEC provides data origin authentication and data integrity. However, DNSSEC imposes additional communication cost and therefore reduces the efficiency of Resource Record (RR) updates. Another problem in DNS is RR consistency, and DNSSEC inherits it. The consistency problem is more serious in DNSSEC than in conventional DNS, because in DNSSEC the RRs are also used to distribute the public key of the authoritative server: if the DNSKEY RRs are inconsistent, the trust relationship can be broken and service for the entire domain can fail. These two problems are closely related. An attacker can extend the period during which the DNSKEY RRs are inconsistent by launching a replay attack: even after the authoritative server has published an updated DNSKEY RR, the attacker can convince a user that the old DNSKEY RR is still valid until its signature expires. In this thesis we propose an efficient DNSSEC resource record update scheme that has lower communication cost than standard DNSSEC and better RR consistency. The scheme reduces the domain-service security problems caused by a breakdown of the DNSKEY RR trust relationship. Even if an attacker controls the DNSKEY RR, the scheme still limits the time window in which a replay attack is effective. Furthermore, the scheme is compatible with the DNSSEC standard and prevents an attacker from circumventing it.