
Research On Key Technique Of Self-Certifying DNS Root Zone

Posted on: 2020-11-26
Degree: Master
Type: Thesis
Country: China
Candidate: W J Zhang
Full Text: PDF
GTID: 2428330590473241
Subject: Computer technology

Abstract/Summary:
The Domain Name System (DNS) provides domain name resolution for Internet users, but the DNS protocol lacks a mechanism guaranteeing the authenticity and integrity of its data, leaving it exposed to security problems such as DNS spoofing and distributed denial of service (DDoS). In 1997 the Domain Name System Security Extensions (DNSSEC) were proposed to provide source authentication and integrity checking of resource records. However, the centralized, hierarchical design of the domain name system carries a risk of abuse of root authority. The root authority at the center of the system controls the delegation and authentication of top-level domains, and DNS has no technical mechanism for restraining it. Should the root authority act maliciously, it could undermine the secure resolution of top-level domains and of every domain beneath them. This risk rests on the premise that the root authority is not trustworthy, and deploying DNSSEC cannot eliminate it.

To address the risk of root authority abuse, this thesis proposes a DNSSEC-based self-certification scheme for root zone resolution, implemented by modifying the open source DNS software Berkeley Internet Name Domain (BIND). To achieve secure resolution, the scheme introduces a glue signature mechanism and a public key pinning mechanism. A top-level domain authority submits to the root zone an authentication chain running from the top-level domain public key to the glue signature. The resolver stores the top-level domain public key on a trust-on-first-use basis. When a user queries the root server for a top-level domain, the resolver verifies the glue signature authentication chain using both the root trust anchor and the top-level domain authority's public key. To achieve secure key updating, the scheme introduces a double signature mechanism: when the resolver validates an updated top-level domain key in the root zone, it requires not only trust from the root anchor but also trust from the old key held by the top-level domain authority. If the root authority tampers with a top-level domain's glue record in the root zone file, the resolver detects the tampering when it verifies the signature with the public key.

Blockchain technology provides a decentralized method of secure data storage by building consensus among distributed nodes. Based on blockchain, this thesis also proposes a root resolution self-certification scheme for the domain name system. In the blockchain network, the root authority node and the top-level domain authority nodes jointly maintain the root file, stored in a distributed ledger under a privilege control mechanism, which holds the glue-signature DNSSEC authentication chains of all top-level domains. Because an operation by any node in the blockchain network takes effect only with the consent of the other nodes, abuse of root authority and DDoS attacks are avoided.

This thesis implements root zone resolution self-certification systems on the open source DNS server BIND and on the blockchain platform Hyperledger Fabric respectively, and carries out resolution tests and performance tests. GUI automation is used to test resolution and access for all 1563 top-level domains configured in the top ten browsers in China. The average query time and system throughput for top-level domain queries are measured on Hyperledger Fabric and BIND respectively. The results show that the average query time and system throughput of domain name queries on Hyperledger Fabric are significantly reduced compared with BIND.
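The glue signature, trust-on-first-use pinning and double-signature key update described in the abstract, as an added Go sketch that is not part of the thesis or of BIND: Ed25519 keys stand in for DNSSEC keys, the record layout and the names Publish, Verify and Rollover are hypothetical, and the sample TLD name and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// GlueRecord is a simplified root-zone glue entry; TLDKey is the TLD authority's
// public key published beside it (a hypothetical layout, not BIND's zone format).
type GlueRecord struct{ Name, Addr string; TLDKey ed25519.PublicKey }

func (g GlueRecord) bytes() []byte { return []byte(g.Name + "|" + g.Addr + "|" + string(g.TLDKey)) }

// SignedGlue carries the root's signature and the TLD authority's glue signature.
type SignedGlue struct{ Rec GlueRecord; RootSig, GlueSig []byte }

// Publish has both the root and the TLD authority sign the same glue record.
func Publish(rec GlueRecord, root, tld ed25519.PrivateKey) SignedGlue {
	return SignedGlue{rec, ed25519.Sign(root, rec.bytes()), ed25519.Sign(tld, rec.bytes())}
}

// Resolver holds the root trust anchor and the TLD keys it pinned on first use.
type Resolver struct{ RootAnchor ed25519.PublicKey; Pinned map[string]ed25519.PublicKey }

// Verify accepts glue only if the root anchor AND the pinned TLD key both validate it.
func (r *Resolver) Verify(sg SignedGlue) bool {
	if !ed25519.Verify(r.RootAnchor, sg.Rec.bytes(), sg.RootSig) {
		return false
	}
	if _, ok := r.Pinned[sg.Rec.Name]; !ok { // trust on first use
		r.Pinned[sg.Rec.Name] = sg.Rec.TLDKey
	}
	return ed25519.Verify(r.Pinned[sg.Rec.Name], sg.Rec.bytes(), sg.GlueSig)
}

// Rollover installs a new TLD key only when double-signed by the root and the old TLD key.
func (r *Resolver) Rollover(name string, newKey ed25519.PublicKey, rootSig, oldSig []byte) bool {
	old, ok := r.Pinned[name]
	msg := []byte(name + "|" + string(newKey))
	if !ok || !ed25519.Verify(r.RootAnchor, msg, rootSig) || !ed25519.Verify(old, msg, oldSig) {
		return false
	}
	r.Pinned[name] = newKey
	return true
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	tldPub, tldPriv, _ := ed25519.GenerateKey(rand.Reader)
	r := &Resolver{rootPub, map[string]ed25519.PublicKey{}}
	good := Publish(GlueRecord{"example", "192.0.2.1", tldPub}, rootPriv, tldPriv) // constructed sample
	bad := good // the root alone rewrites the address and re-signs; the pinned TLD key exposes it
	bad.Rec.Addr = "198.51.100.9"
	bad.RootSig = ed25519.Sign(rootPriv, bad.Rec.bytes())
	fmt.Println("genuine:", r.Verify(good), "root-tampered:", r.Verify(bad))
}
```

The first-use pin is the scheme's trust assumption: a glue record altered by the root after the pin is rejected, while a key change is accepted only when the old TLD key also signs it.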
Keywords/Search Tags: Domain Name System, DNSSEC, Root Zone Self-certification, Automated Testing, Blockchain