Saturday, January 29, 2011

Domain Name System Security Extensions (DNSSEC)

Domain Name System Security Extensions (DNSSEC) is a set of security extensions to the DNS specified by the IETF (originally RFC 2535, now superseded by RFC 4033 through RFC 4035). It adds origin authentication and data integrity to DNS answers, and authenticated denial of existence for names that do not exist. It does not provide availability or confidentiality: DNS data is still sent unencrypted.
To communicate with anyone on the Internet, you must type an address into your computer, either a name or a number. That address must be unique so that computers can find each other. ICANN coordinates these unique identifiers globally; without such coordination there would be no single, unified Internet. When you type a name, a system first translates it into a number, and only then is the connection made. That system is the Domain Name System (DNS). It turns a name such as www.icann.org into numbers called Internet Protocol (IP) addresses. ICANN coordinates the addressing system to ensure that every address is unique.
Vulnerabilities have recently been found in the DNS that let an attacker hijack the lookup process by which someone finds a person or a site on the Internet. Having hijacked the lookup, the attacker controls the session and can, for example, send the user to a deceptive site of the hijacker's own in order to collect account names and passwords.
Because of these vulnerabilities, there is growing interest in deploying a technology called DNS Security Extensions (DNSSEC) to protect this part of the Internet's infrastructure.
The following questions and answers attempt to explain what DNSSEC is and why its deployment is so important.
1) First, what is the root zone?
The DNS converts the names people can remember into the numbers a computer uses to locate its destination, somewhat like looking up a telephone number in a directory. It does this in stages. The first place it "looks" is the top of the directory service, the root zone. Take www.google.com as an example: your computer first asks the root zone directory (the top level) where to find information about ".com" (1). In reply, it is pointed to the ".com" directory service, which it asks where to find information about "google.com" (2). Finally it asks the "google.com" directory service, identified by ".com", for the address of "www.google.com" (3). After this process, which completes almost instantly, your computer has the full address. These directory services are operated by different entities: google.com by Google, ".com" by VeriSign Corporation (other top-level domains are operated by other organizations), and the root zone by ICANN.
2) Why do we need to "sign the root zone"?
Recently discovered DNS vulnerabilities, combined with technical advances, have greatly shortened the time an attacker needs to hijack any step of the DNS lookup process. The attacker can therefore quickly take control of a session and act against the user (for example, by sending the user to a deceptive site of the hijacker's own in order to collect account names and passwords). The only way to eliminate this vulnerability in the long run is end-to-end deployment of a protocol called DNS Security Extensions (DNSSEC).
3) What is DNSSEC?
DNSSEC was developed to defend against such attacks by digitally "signing" DNS data, so that you can be sure the data is valid. To eliminate the vulnerability from the Internet, however, the technology must be deployed at every step of the lookup, from the root zone down to the final domain (for example, www.icann.org). Signing the root zone (deploying DNSSEC in the root) is a necessary step in that process. Note that this technology does not encrypt the data; it only verifies that the address you are given for the site you visit is valid.
4) What prevents the rest of the lookup chain from using DNSSEC?
Nothing prevents it. But as with any chain whose parts depend on one another, there would be a large hole if the root zone were not signed: some parts of the lookup chain could be trusted while others could not.
5) How does this technology improve security for ordinary users?
Fully deployed, DNSSEC ensures that an end user is connected to the actual web site or other service that corresponds to a particular domain name. Although it will not solve all of the Internet's security problems, it does protect a key part of the Internet (the directory lookup). It thereby complements technologies such as SSL (https:) that protect the "conversation" itself, and provides a platform for further end-to-end security improvements.
6) What actually happens when the root zone is signed?
"Signing the root zone" with DNSSEC adds a few records to the root zone file for each top-level domain. What is added is an identifier of the TLD's key (a Delegation Signer, or DS, record) together with a signature attesting that it is valid.
DNSSEC provides a way to validate records. It does not encrypt data or change how data is managed, and it is "backwards compatible" with the current DNS and with applications, meaning that it does not change the existing protocols on which Internet addressing is based. It adds a chain of digital signatures to the DNS hierarchy, with each level holding its own keys for generating signatures. For a name such as www.icann.org, each organization along the path must sign the key of the organization below it: .org signs icann.org's key, and the root zone signs .org's key. During validation, DNSSEC follows this chain of trust all the way back to the root zone, automatically using the "parent" key at each step to validate the "child" key. Because every key can be validated by the key above it, the only key needed to validate the whole path is the topmost parent key, the root key.
The hierarchy also means that, even once the root zone is signed, complete deployment of DNSSEC across all domain names will take time, because each zone below the root must be signed by its own operator to complete the chain of trust for a given name. Signing the root is only a beginning, but a vital one. TLD operators have recently accelerated their DNSSEC deployments (.bg, .se, .cz, .br and .pr are signed now, with .uk, .ca and others on the way), and other operators are expected to follow.
7) How is the root zone file managed?
Management of the root zone is shared among the following four entities:
i) ICANN, an international non-profit corporation, performs the "IANA" function under a contract with the U.S. Department of Commerce. IANA stands for Internet Assigned Numbers Authority. ICANN receives and reviews change requests from top-level domain (TLD) operators (for example, ".com").
ii) The National Telecommunications and Information Administration (NTIA), an agency within the U.S. Department of Commerce, authorizes changes to the root zone.
iii) VeriSign, a U.S.-based for-profit company under contract with the U.S. government, edits the root zone using the change information supplied and validated by ICANN and authorized by the Department of Commerce, and distributes the root zone file, which contains information about where to find each TLD (for example, ".com").
iv) An international group of root server operators who voluntarily run more than 200 servers around the world that serve the information in the root zone file to the whole Internet. By letter, the root server operators are:
A) VeriSign Global Registry Services;
B) Information Sciences Institute at the University of Southern California (USC-ISI);
C) Cogent Communications;
D) University of Maryland;
E) NASA Ames Research Center;
F) Internet Systems Consortium, Inc.;
G) U.S. DoD Network Information Center;
H) U.S. Army Research Laboratory;
I) Autonomica/NORDUnet (Sweden);
J) VeriSign Global Registry Services;
K) RIPE NCC (Netherlands);
L) ICANN;
M) WIDE Project (Japan).
8) Why is it important for DNSSEC security that the same group reviews, edits and signs the information?
In DNSSEC, trust in each link of the chain rests on the user's trust in the organization that reviewed the key and the other DNS information for that link. To preserve the integrity of the information and maintain that trust, steps must be taken immediately after the data has been validated to prevent the introduction of errors, whether malicious or accidental: whenever important data crosses an organizational boundary, errors can be introduced. Having the same organization and systems that validated the material place it directly into the signed zone preserves that trust up to the moment of publication. This is the more secure approach.
As people come to rely more on the DNS because of DNSSEC, it becomes increasingly important that the trust established when ICANN verifies and authenticates material from TLD operators be preserved all the way to the publication of the signed root zone file.
9) In DNSSEC, what are the KSK and the ZSK?
KSK stands for Key Signing Key (a long-term key) and ZSK for Zone Signing Key (a short-term key). Given enough time and data, any cryptographic key can eventually be broken. For the asymmetric (public-key) cryptography used in DNSSEC, this means an attacker could, by brute force or other means, recover the private half of a public-private key pair (the half used to create the signatures that attest to the validity of DNS records), defeating the protection DNSSEC provides. DNSSEC counters this by using a short-term key, the Zone Signing Key (ZSK), to routinely sign the DNS records, and a long-term key, the Key Signing Key (KSK), to sign the ZSK so that the ZSK itself can be verified. The ZSK is changed, or "rolled", frequently to make it hard for an attacker to "guess", while the longer-term KSK is changed over a much longer period (current best practice sets that period in years). Because the KSK signs the ZSK and the ZSK signs the DNS records, only the KSK is needed to verify a zone's DNS records. It is the KSK that the "parent" zone refers to, in the form of a Delegation Signer (DS) record. The parent zone (for example, the root) signs the child zone's (for example, .org's) DS record with its own ZSK, which is in turn signed by its own KSK.
This means that if DNSSEC were fully deployed, the root zone KSK would be part of the validation chain for every domain name (and for every end-to-end application that validates DNSSEC).
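The chain of trust described in question 6 and the KSK/ZSK/DS relationship in question 9, as an added example that is not part of the original post: a toy Go model in which the root KSK is the resolver's trust anchor, each parent zone publishes a DS digest of its child's KSK, each KSK signs its zone's ZSK, and each ZSK signs the zone's records. Ed25519 over plain strings and a SHA-256 digest stand in for the real RRSIG and DS wire formats; the zone names are real, 192.0.2.7 and 203.0.113.66 are RFC 5737 documentation addresses, and the keys, records and helper names (signZone, validate, buildChain, lookup, hijackedLookup) are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Toy DNSSEC chain of trust; constructed example, not from the page. Ed25519 and SHA-256 stand in for RRSIG and DS.

func newKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// ds is the Delegation Signer digest a parent publishes for its child's KSK.
func ds(ksk ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(ksk)) }

// signedZone is what a validating resolver fetches from one level of the tree.
type signedZone struct {
	name    string
	kskPub  ed25519.PublicKey
	zskPub  ed25519.PublicKey
	zskSig  []byte            // KSK's signature over the ZSK (RRSIG on the DNSKEY set)
	records map[string]string // owner -> RDATA: a child's DS digest or a leaf address
	recSigs map[string][]byte // ZSK's signature over each record (RRSIG on that RRset)
}

// signZone signs a zone as its operator would: KSK over the ZSK, ZSK over every record.
func signZone(name string, ksk, zsk ed25519.PrivateKey, records map[string]string) signedZone {
	z := signedZone{name: name, kskPub: pubOf(ksk), zskPub: pubOf(zsk),
		zskSig: ed25519.Sign(ksk, pubOf(zsk)), records: records, recSigs: map[string][]byte{}}
	for owner, rdata := range records {
		z.recSigs[owner] = ed25519.Sign(zsk, []byte(owner+"\x00"+rdata))
	}
	return z
}

// validate walks the chain from the root down as a resolver does: each KSK must match the DS its
// parent signed (the root's must match the trust anchor), each KSK vouches for its ZSK, each ZSK vouches for a record.
func validate(anchor ed25519.PublicKey, chain []signedZone, owner string) (string, error) {
	expectedDS := ds(anchor)
	for i, z := range chain {
		if ds(z.kskPub) != expectedDS {
			return "", fmt.Errorf("%s: KSK does not match DS published by parent", z.name)
		}
		if !ed25519.Verify(z.kskPub, z.zskPub, z.zskSig) {
			return "", fmt.Errorf("%s: ZSK not signed by KSK", z.name)
		}
		target := owner // the final answer...
		if i+1 < len(chain) {
			target = chain[i+1].name // ...or the DS record delegating to the child zone
		}
		rdata, ok := z.records[target]
		if !ok || !ed25519.Verify(z.zskPub, []byte(target+"\x00"+rdata), z.recSigs[target]) {
			return "", fmt.Errorf("%s: missing or badly signed record for %s", z.name, target)
		}
		if i+1 == len(chain) {
			return rdata, nil
		}
		expectedDS = rdata
	}
	return "", fmt.Errorf("empty chain")
}

// buildChain signs root -> org. -> icann.org., each parent holding the DS of its child's KSK; 192.0.2.7 is an RFC 5737 address.
func buildChain() (ed25519.PublicKey, []signedZone) {
	rootKSK, rootZSK, orgKSK, orgZSK, icannKSK, icannZSK := newKey(), newKey(), newKey(), newKey(), newKey(), newKey()
	icann := signZone("icann.org.", icannKSK, icannZSK, map[string]string{"www.icann.org.": "192.0.2.7"})
	org := signZone("org.", orgKSK, orgZSK, map[string]string{"icann.org.": ds(pubOf(icannKSK))})
	root := signZone(".", rootKSK, rootZSK, map[string]string{"org.": ds(pubOf(orgKSK))})
	return pubOf(rootKSK), []signedZone{root, org, icann}
}

func lookup() (string, error) {
	anchor, chain := buildChain()
	return validate(anchor, chain, "www.icann.org.")
}

// hijackedLookup forges the leaf answer without the icann.org. ZSK; validation rejects it.
func hijackedLookup() error {
	anchor, chain := buildChain()
	chain[2].records["www.icann.org."] = "203.0.113.66" // attacker's address
	_, err := validate(anchor, chain, "www.icann.org.")
	return err
}

func main() {
	addr, err := lookup()
	fmt.Println("validated:", addr, err, "| forged:", hijackedLookup())
}
```

Only the root KSK is configured in the resolver; every other key is accepted solely because the level above signed a DS for it, which is the point of question 6. The ZSK can be rolled by re-running signZone with a fresh zsk and the same ksk without touching the parent, because the parent's DS covers the KSK only, which is the point of question 9. A forged answer fails at the leaf, and swapping in an attacker's KSK would fail one level earlier at the DS comparison.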
10) Who manages these keys?
Under the proposal, ICANN would hold the key infrastructure, but the credentials needed to actually generate the KSK would be held externally. This is an important factor in making the process acceptable worldwide. ICANN has not recommended which specific entities should hold those credentials; it believes that, like all of the questions above, this should be resolved through public consultation and decided by the U.S. Department of Commerce.
