Vol.63, No.1, 2020, pp.521-536, doi:10.32604/cmc.2020.07982
OPEN ACCESS
ARTICLE
Self-Certificating Root: A Root Zone Security Enhancement Mechanism for DNS
  • Wenfeng Liu1, *, Yu Zhang1, Wenjia Zhang1, Lu Liu1, Hongli Zhang1, Binxing Fang1
1 School of Computer Science and Technology, Harbin Institute of Technology, Harbin, China.
* Corresponding Author: Wenfeng Liu. Email: 15b903031@hit.edu.cn.
Received 17 July 2019; Accepted 02 August 2019; Issue published 30 March 2020
Abstract
As a critical Internet infrastructure, domain name system (DNS) protects the authenticity and integrity of domain resource records with the introduction of security extensions (DNSSEC). DNSSEC builds a single-center and hierarchical resource authentication architecture, which brings management convenience but places the DNS at risk from a single point of failure. When the root key suffers a leak or misconfiguration, top level domain (TLD) authority cannot independently protect the authenticity of TLD data in the root zone. In this paper, we propose self-certificating root, a lightweight security enhancement mechanism of root zone compatible with DNS/DNSSEC protocol. By adding the TLD public key and signature of the glue records to the root zone, this mechanism enables the TLD authority to certify the self-submitted data in the root zone and protects the TLD authority from the risk of root key failure. This mechanism is implemented on an open-source software, namely, Berkeley Internet Name Domain (BIND), and evaluated in terms of performance, compatibility, and effectiveness. Evaluation results show that the proposed mechanism enables the resolver that only supports DNS/DNSSEC to authenticate the root zone TLD data effectively with minimal performance difference.
Keywords
Domain name system, root zone security, single point of failure.
Cite This Article
Liu, W., Zhang, Y., Zhang, W., Liu, L., Zhang, H. et al. (2020). Self-Certificating Root: A Root Zone Security Enhancement Mechanism for DNS. CMC-Computers, Materials & Continua, 63(1), 521–536.
This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.