A Client Based DNSSEC Validation System with Adaptive Alert Mechanism Considering Minimal Client Timeout

Yong JIN, Kunitaka KAKOI, Nariyoshi YAMAI, Naoya KITAGAWA, Masahiko TOMOISHI

IEICE TRANSACTIONS on Information and Systems   Vol.E100-D   No.8   pp.1751-1761
Publication Date: 2017/08/01
Publicized: 2017/05/18
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2016ICP0028
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Internet Security
DNSSEC, DNSSEC validation, client based DNSSEC validation, DNSSEC failure alert, DNSSEC timeout alert


The widespread use of computers and communication networks has a strong effect on people's social activities in terms of intercommunication, and such communication generally begins with domain name resolution, which is mainly provided by DNS (Domain Name System). Meanwhile, continuous cyber threats to DNS, such as cache poisoning, also affect computer networks critically. DNSSEC (DNS Security Extensions) is designed to provide secure name resolution between authoritative zone servers and DNS full resolvers. However, the high workload of DNSSEC validation on DNS full resolvers and the complex key management on authoritative zone servers hinder its wide deployment. Moreover, querying clients use the name resolution results validated on DNS full resolvers, so they receive only errors when DNSSEC validation fails or times out. In addition, name resolution failure can occur on querying clients due to technical and operational issues of DNSSEC. In this paper, we propose a client based DNSSEC validation system with an adaptive alert mechanism that considers the minimal querying client timeout. The proposed system notifies the user with alert messages together with the answers even when the DNSSEC validation on the client fails or times out, so that the user can determine how to handle the received answers. We also implemented a prototype system and evaluated its features on a local experimental network as well as on the Internet. The contribution of this article is that the proposed system not only mitigates the workload of DNS full resolvers but also provides querying clients with secure name resolution, and by solving the existing operational issues in DNSSEC, it can also promote DNSSEC deployment.