Chinese Journal of Network and Information Security (网络与信息安全学报), 2024, Vol. 10, Issue (5): 81-94, 14. DOI: 10.11959/j.issn.2096-109x.2024068
Large-scale measurement and analysis on misconfigurations of DNSSEC from recursive side
Abstract
Domain Name System Security Extensions (DNSSEC) is a security extension protocol for the Domain Name System (DNS) that enhances DNS security by adding signatures to DNS records. For the security of the DNS as a whole, it is important that recursive servers effectively verify the correctness of a domain's DNSSEC configuration and return the corresponding error type when the configuration is wrong. To this end, building on the RFC 8914 standard, eight configurable error types were selected and the corresponding DNSSEC errors were configured in eight different subdomains. Next, recursive servers supporting DNSSEC were selected from global public DNS servers as probe targets, resolution requests were issued for the eight subdomains, and the probe results were collected, analyzed, and visualized. Experiments showed that most recursive servers that support DNSSEC could correctly detect the DNSSEC misconfiguration of domain names and return the corresponding error type for some errors, such as signature_expired, signature_not_valid, RRSIG_missing, and DNSKEY_missing. This large-scale detection and analysis provides valuable insights into the capabilities of important recursive servers worldwide in validating DNSSEC configurations, guiding future efforts to enhance DNSSEC deployment on the recursive side.
Keywords
DNS/DNSSEC/misconfiguration detection/recursive server
Classification
Information technology and security science
Cite this article
刘林晖, 涂菲帆, 陈勇, 左鹏, 刘东杰, 张银炎, 耿光刚. Large-scale measurement and analysis on misconfigurations of DNSSEC from recursive side [J]. Chinese Journal of Network and Information Security (网络与信息安全学报), 2024, 10(5): 81-94, 14.
Funding
The National Key R&D Project of China (2022YFB3103000)
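The abstract's probing step depends on reading the RFC 8914 Extended DNS Error (EDE) option out of each resolver's response and comparing it with the error configured in the test subdomain. The sketch below is an added example, not code from the paper: the resolver names, the sample OPT RDATA and the `grade` labels are constructed, and the choice of info-code 7 as the expected value for an expired-signature subdomain is an assumption.

```python
import struct

EDE_OPTION = 15  # EDNS0 option code for Extended DNS Error (RFC 8914)
# DNSSEC-related info-codes defined in RFC 8914
EDE_NAMES = {
    1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus", 7: "Signature Expired",
    8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
    11: "No Zone Key Bit Set", 12: "NSEC Missing",
}

def parse_ede(opt_rdata: bytes) -> list[tuple[int, str]]:
    """Return (info_code, extra_text) for every EDE option in OPT RDATA."""
    found, pos = [], 0
    while pos < len(opt_rdata):
        if pos + 4 > len(opt_rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        data = opt_rdata[pos:pos + length]
        if len(data) != length:
            raise ValueError("option data shorter than its length field")
        pos += length
        if code == EDE_OPTION:
            if length < 2:
                raise ValueError("EDE option lacks the 16-bit INFO-CODE")
            info = struct.unpack_from("!H", data)[0]
            text = data[2:].decode("utf-8", "replace").rstrip("\x00")
            found.append((info, text))
    return found

def grade(expected: int, opt_rdata: bytes) -> str:
    """Compare what a resolver reported with the error configured in the zone."""
    codes = [c for c, _ in parse_ede(opt_rdata)]
    if not codes:
        return "no_ede"
    return "match" if expected in codes else "mismatch"

def _opt(code: int, payload: bytes) -> bytes:
    """Encode one EDNS0 option: code, length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload

# Constructed sample: OPT RDATA from three hypothetical resolvers answering a
# query for a subdomain with an expired RRSIG (assumed expected info-code 7).
SAMPLES = {
    "resolver-a": _opt(10, b"\x00" * 8) + _opt(15, struct.pack("!H", 7) + b"expired"),
    "resolver-b": _opt(15, struct.pack("!H", 6)),  # reports generic DNSSEC Bogus
    "resolver-c": b"",                             # validates but sends no EDE
}
RESULTS = {name: grade(7, rdata) for name, rdata in SAMPLES.items()}
```
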