Efficient DNSSEC Resource Record Update Scheme

Bibliographic Details
Main Authors: Chang, Shu-Lun, 張書綸
Other Authors: Shieh, Shiuh-pyng
Format: Others
Language: zh-TW
Published: 2011
Online Access: http://ndltd.ncl.edu.tw/handle/19689250900868090702
Description
Summary: Master's thesis === National Chiao Tung University === Institute of Computer Science and Engineering === academic year 100 (ROC calendar, i.e. 2011) === The Domain Name System Security Extensions (DNSSEC) are designed to protect DNS. With digital signatures, DNSSEC provides data origin authentication and data integrity. However, DNSSEC imposes additional communication cost and therefore reduces the efficiency of Resource Record (RR) updates. Another problem in DNS is RR consistency, which DNSSEC inherits. The consistency problem is worse in DNSSEC than in conventional DNS, since the RR set is extended to carry the public key (DNSKEY) of the authoritative DNSSEC server: an inconsistent DNSKEY RR breaks the chain of trust. The two problems are closely related. An attacker can lengthen the period during which the DNSKEY RR is inconsistent by mounting a replay attack: even after the authoritative server has published a new DNSKEY RR, the attacker can keep convincing a resolver that the old key is still valid, until the signature (RRSIG) over the old key expires. In this thesis we propose an efficient DNSSEC resource record update scheme that has lower communication cost than standard DNSSEC and better RR consistency. The scheme mitigates the DNSKEY RR trust-relationship breakdown caused by domain service failure, and even if the attacker controls a DNSKEY, it still limits the replay attack. The scheme is compatible with the DNSSEC standard and prevents an attacker from circumventing it.
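The replay attack the abstract describes can be shown with a small model of a validating resolver. The Go program below is an added illustration, not code from the thesis, and it does not implement the thesis's update scheme (the abstract does not describe its mechanism). It models DNSKEY and RRSIG records in a simplified form: the signature covers the RRSIG timing fields plus the RRset in canonical order, in the spirit of RFC 4034 section 3.1.8.1, using Ed25519 (DNSSEC algorithm 15). Wire format and the key-tag derivation are omitted; the key tag, the owner name `example.`, the constructed DNSKEY RRset strings, the fixed signing seed and the 10-day rollover point are all assumptions made for the demo. The scenario: the KSK signs the DNSKEY RRset, the operator later replaces the ZSK and publishes a freshly signed RRset, and the attacker keeps serving the old RRset and its old RRSIG. A standard resolver accepts the replay for as long as the old RRSIG is inside its validity window, which is exactly the inconsistency period the abstract refers to; it rejects any edit of the replayed RRset and rejects the replay once the RRSIG has expired.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Simplified DNSKEY and RRSIG records: only the fields that matter for the
// replay window are modelled. The key tag is an assumed constant, not the
// RFC 4034 Appendix B computation.
type DNSKEY struct {
	Tag uint16
	Pub ed25519.PublicKey
}

type RRSIG struct {
	Inception, Expiration time.Time
	KeyTag                uint16
	Signature             []byte
}

// signedData is the byte string the signature covers: the RRSIG fields (minus
// the signature itself) plus the RRset in canonical (sorted, lower-cased owner)
// order, so an attacker can neither edit the RRs nor move the validity window.
func signedData(owner string, rrs []string, sig RRSIG) []byte {
	var b strings.Builder
	b.WriteString(strconv.FormatInt(sig.Inception.Unix(), 10) + "|")
	b.WriteString(strconv.FormatInt(sig.Expiration.Unix(), 10) + "|")
	b.WriteString(strconv.Itoa(int(sig.KeyTag)) + "|")
	b.WriteString(strings.ToLower(owner))
	canon := append([]string(nil), rrs...)
	sort.Strings(canon)
	for _, rr := range canon {
		b.WriteByte(0) // separator between records
		b.WriteString(rr)
	}
	return []byte(b.String())
}

// Sign produces the RRSIG an authoritative server publishes with an RRset.
func Sign(priv ed25519.PrivateKey, tag uint16, owner string, rrs []string, inception time.Time, validity time.Duration) RRSIG {
	sig := RRSIG{Inception: inception, Expiration: inception.Add(validity), KeyTag: tag}
	sig.Signature = ed25519.Sign(priv, signedData(owner, rrs, sig))
	return sig
}

// Validate is what a resolver does with an RRset it received: the RRSIG must be
// inside its validity window and verify under the key the resolver trusts.
// Nothing here distinguishes a replayed-but-unexpired RRset from a fresh one.
func Validate(trusted DNSKEY, owner string, rrs []string, sig RRSIG, now time.Time) error {
	if now.Before(sig.Inception) || now.After(sig.Expiration) {
		return errors.New("RRSIG outside its validity window")
	}
	if sig.KeyTag != trusted.Tag {
		return errors.New("RRSIG not made by the trusted key")
	}
	if !ed25519.Verify(trusted.Pub, signedData(owner, rrs, sig), sig.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Outcome summarises one rollover scenario.
type Outcome struct {
	ReplayAccepted      bool          // old DNSKEY RRset still validates 5 days after the rollover
	ReplayWindow        time.Duration // how long after the rollover the replay keeps validating
	ForgeryAccepted     bool          // can the attacker edit the replayed RRset?
	AcceptedAfterExpiry bool          // does the replay still work once the RRSIG has expired?
}

// RunScenario: the KSK signs the DNSKEY RRset at t0 with the given validity;
// 10 days later the operator replaces the ZSK (assumed rollover point) and
// publishes a freshly signed RRset; the attacker keeps serving the old one.
func RunScenario(validity time.Duration) Outcome {
	const day = 24 * time.Hour
	t0 := time.Date(2011, 7, 1, 0, 0, 0, 0, time.UTC)
	ksk := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // fixed seed: demo only
	trusted := DNSKEY{Tag: 12345, Pub: ksk.Public().(ed25519.PublicKey)}       // held by the resolver via the DS chain
	owner := "example."
	// Constructed RRsets; the trailing tokens stand in for base64 key material.
	oldSet := []string{"DNSKEY 257 3 15 KSK", "DNSKEY 256 3 15 ZSK-OLD"}
	newSet := []string{"DNSKEY 257 3 15 KSK", "DNSKEY 256 3 15 ZSK-NEW"}
	forged := []string{"DNSKEY 257 3 15 KSK", "DNSKEY 256 3 15 ZSK-ATTACKER"}

	oldSig := Sign(ksk, trusted.Tag, owner, oldSet, t0, validity)
	rollover := t0.Add(10 * day)
	newSig := Sign(ksk, trusted.Tag, owner, newSet, rollover, validity)
	if err := Validate(trusted, owner, newSet, newSig, rollover); err != nil {
		panic("fresh RRset must validate: " + err.Error())
	}
	window := oldSig.Expiration.Sub(rollover) // the inconsistency period an attacker can exploit
	if window < 0 {
		window = 0
	}
	probe := rollover.Add(5 * day)
	return Outcome{
		ReplayAccepted:      Validate(trusted, owner, oldSet, oldSig, probe) == nil,
		ReplayWindow:        window,
		ForgeryAccepted:     Validate(trusted, owner, forged, oldSig, probe) == nil,
		AcceptedAfterExpiry: Validate(trusted, owner, oldSet, oldSig, oldSig.Expiration.Add(time.Second)) == nil,
	}
}

func main() {
	for _, v := range []time.Duration{30 * 24 * time.Hour, 7 * 24 * time.Hour} {
		o := RunScenario(v)
		fmt.Printf("RRSIG validity %v: replay accepted=%v window=%v forgery=%v after-expiry=%v\n",
			v, o.ReplayAccepted, o.ReplayWindow, o.ForgeryAccepted, o.AcceptedAfterExpiry)
	}
}
```

With a 30-day RRSIG validity and a rollover 10 days after signing, the old DNSKEY RRset keeps validating for 20 more days; with a 7-day validity the old RRSIG has already expired at rollover time and the replay fails. The window is set entirely by the RRSIG expiration, which is why the abstract ties the attack to signature expiry; a resolver has no other signal, short of a fresh fetch, that the key has changed.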