Title (Chinese, translated): A Lightweight DNSSEC Resource Record Distribution Method Resistant to Local-Network Attacks
Title (English): Lightweight Resource Record Distribution Scheme against Local DNSSEC Attacks
Authors: Chu, Shin-Ju
Shieh, Shiuh-Pyng
Department: Institute of Network Engineering
Keywords: name server, local-network attack; DNSSEC, chain of trust, validation
Publication date: 2010
Abstract (translated): To strengthen the security of the Domain Name System, DNSSEC combines the original DNS protocol with a public-key system to provide three functions: data origin authentication, data integrity, and authenticated denial of existence. Existing DNSSEC deployments rely on the local name server to verify the digital signatures and, based on the result, set the "data authenticated" (AD) flag to inform the client. However, communication inside the local network can be tampered with by an attacker, so even with DNSSEC the trustworthiness and integrity of the data cannot be guaranteed. This thesis proposes a method for defending against DNS spoofing attacks within the local network: data-origin verification is performed by the client itself, rather than by establishing a secure channel between the client and the local DNSSEC server or by having the local name server re-sign the data on the fly. The method shifts the local name server's load onto the clients, allowing the name server to serve more users. Finally, we use a formal proof to confirm the security of the method; the experimental results show that it improves security while maintaining the service performance of the original DNSSEC.
To enhance the security of DNS (Domain Name System), the new standard DNSSEC (DNS security extensions) combines public key cryptosystems with the original DNS to provide authenticity, including data origin authentication, data integrity and authenticated denial of existence. In response to a client's domain name service request, the local DNSSEC server, instead of the client itself, is responsible for verifying the digital signatures on a DNSSEC resource record packet; the client only sees the resulting AD (authenticated data) flag. Because the response on this last hop carries no integrity protection, an attacker can modify the DNSSEC records transmitted from the local DNSSEC server back to the client without being detected. This paper proposes a new resource record distribution scheme to resist DNS spoofing in a local network. In the proposed scheme, the signed DNSSEC resource records are verified by the client rather than by the local DNSSEC server; neither a secure tunnel nor re-signing of DNSSEC records is needed. Consequently, the computation overhead on the DNSSEC server can be significantly reduced. The security of the proposed method is formally proved. The performance evaluation shows that the enhanced DNSSEC scheme provides the same level of performance as the original DNSSEC scheme.
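The last-hop weakness and the client-side validation the abstract describes, modelled as an added example (this is not code from the thesis): a validating local resolver sets AD=1, an on-path attacker on the LAN rewrites the answer while keeping the flag, and a stub that trusts AD is compared with a stub that checks the RRSIG chain against its own trust anchor. The textbook RSA over Mersenne primes, the JSON stand-in for the RFC 4034 canonical form, and all names and addresses are assumptions of the example, not the scheme's actual encoding.

```python
"""Toy model of the DNSSEC last hop: AD-trusting stub vs. validating stub.
Assumptions: textbook RSA (no padding, not for real use) stands in for the
DNSSEC algorithms; a JSON serialisation stands in for RFC 4034 canonical form."""
import hashlib
import json

def make_key(p, q, e=65537):
    # Toy RSA key; p, q are Mersenne primes so no key generator is needed.
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    return pow(_digest(data), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data) % pub["n"]

def canonical(owner, rtype, rdata):
    # Stand-in for RFC 4034 canonical form: lower-cased owner, sorted RDATA.
    return json.dumps([owner.lower().rstrip(".") + ".", rtype, sorted(rdata)]).encode()

def sign_rrset(key, owner, rtype, rdata):
    # RRset bundled with its RRSIG (simplified: no TTL, inception or expiration).
    return {"owner": owner, "type": rtype, "rdata": list(rdata),
            "rrsig": sign(key, canonical(owner, rtype, rdata))}

TRUST_ANCHOR = make_key(2**607 - 1, 2**89 - 1)   # configured in the stub
ZONE_KEY = make_key(2**521 - 1, 2**127 - 1)      # example.test zone key

def build_zone():
    # Trust anchor vouches for the zone key (stand-in for the DS link of the
    # chain of trust); the zone key signs the A RRset.
    zone_pub = json.dumps(public(ZONE_KEY), sort_keys=True)
    dnskey = sign_rrset(TRUST_ANCHOR, "example.test.", "DNSKEY", [zone_pub])
    a = sign_rrset(ZONE_KEY, "www.example.test.", "A", ["192.0.2.10"])
    return dnskey, a

def validate_chain(ta_pub, dnskey, a):
    # Step 1: the DNSKEY RRset must verify under the trust anchor.
    if not verify(ta_pub, canonical(dnskey["owner"], dnskey["type"], dnskey["rdata"]),
                  dnskey["rrsig"]):
        return False
    zone_pub = json.loads(dnskey["rdata"][0])
    # Step 2: the answer RRset must verify under the zone key from step 1.
    return verify(zone_pub, canonical(a["owner"], a["type"], a["rdata"]), a["rrsig"])

def local_resolver(dnskey, a):
    # Validating local resolver: checks the chain, sets AD=1, forwards both the
    # bare answer (what a conventional stub reads) and the signed records.
    assert validate_chain(public(TRUST_ANCHOR), dnskey, a)
    return {"ad": True, "answer": list(a["rdata"]), "dnskey": dnskey, "a": a}

def lan_attacker_rewrite(response):
    # On-path LAN attacker: rewrites the answer, keeps AD=1, leaves the stale
    # RRSIG in place because it cannot sign as the zone.
    forged = json.loads(json.dumps(response))
    forged["answer"] = ["203.0.113.66"]
    forged["a"]["rdata"] = ["203.0.113.66"]
    return forged

def lan_attacker_rekey(response):
    # Smarter attacker: re-signs the forged A RRset with its own key and swaps
    # that key into the DNSKEY RRset, but cannot re-sign DNSKEY as the anchor.
    own = make_key(2**107 - 1, 2**89 - 1)
    forged = json.loads(json.dumps(response))
    forged["answer"] = ["203.0.113.66"]
    forged["a"] = sign_rrset(own, "www.example.test.", "A", ["203.0.113.66"])
    forged["dnskey"]["rdata"] = [json.dumps(public(own), sort_keys=True)]
    return forged

def stub_trusting_ad(response):
    # Conventional stub: the AD flag is the only signal it has.
    return response["answer"] if response["ad"] else None

def stub_validating(response, ta_pub):
    # Client-side validation as in the proposed scheme: AD is ignored and the
    # chain is checked against the stub's own trust anchor.
    if validate_chain(ta_pub, response["dnskey"], response["a"]):
        return response["a"]["rdata"]
    return None

def demo():
    dnskey, a = build_zone()
    clean = local_resolver(dnskey, a)
    ta = public(TRUST_ANCHOR)
    return {
        "trusting_clean": stub_trusting_ad(clean),
        "trusting_forged": stub_trusting_ad(lan_attacker_rewrite(clean)),
        "validating_clean": stub_validating(clean, ta),
        "validating_forged": stub_validating(lan_attacker_rewrite(clean), ta),
        "validating_rekey": stub_validating(lan_attacker_rekey(clean), ta),
    }
```

Running `demo()` shows the contrast the abstract draws: the AD-trusting stub accepts the forged 203.0.113.66 because the flag survived the rewrite, while the validating stub rejects both the stale-signature forgery (step 2 fails) and the re-keyed forgery (step 1 fails, since the attacker cannot sign the DNSKEY RRset under the trust anchor). The resolver still performs its own validation here; the point is that the client no longer has to trust the unprotected hop between them.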
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079756539
http://hdl.handle.net/11536/46029
Appears in collections: Theses