DNS zones revisited
Authors
Abstract
Recent research suggests that, due to misconfiguration, DNS reliability and performance are not always as good as they should be. This paper therefore investigates the correct configuration of DNS zones, by checking whether the main configuration requirements, recommendations and best-practice rules have been followed. Our research shows that almost one out of four zones fails to pass one or more of our tests. Our study reveals an interesting correlation: if the number of name servers for a single zone exceeds a certain number, reliability and performance usually decrease.
Similar resources
Domain Name System Security Extensions
Extensions to the Domain Name System (DNS) are described that provide data integrity and authentication to security aware resolvers or applications through the use of cryptographic digital signatures. These digital signatures are included in secured zones as resource records. Security can still be provided even through non-security aware DNS servers in many cases. The extensions also provide fo...
GDS Resource Record: Generalization of the Delegation Signer Model
Domain Name System Security Extensions (DNSSEC) architecture is based on public-key cryptography. A secure DNS zone has one or more keys to sign its resource records in order to provide two security services: data integrity and authentication. These services allow DNS transactions to be protected and permit the detection of attacks on DNS. The DNSSEC validation process is based on the establishment ...
Observing DNSSEC validation in the wild
DNSSEC protocol deployment has taken place in phases, beginning with protocol development and followed by the signing of top-level zones and early-adopter “leaf” zones. The next phase is to encourage wide-scale validation, as that will improve the overall DNS system and enable new applications. In order to quantify DNSSEC usage for audiences it is important to be able to measure how many zones ...
Requirements Related to DNS Security (DNSSEC) Trust Anchor Rollover
Every DNS security-aware resolver must have at least one Trust Anchor to use as the basis for validating responses from DNS signed zones. For various reasons, most DNS security-aware resolvers are expected to have several Trust Anchors. For some operations, manual monitoring and updating of Trust Anchors may be feasible, but many operations will require automated methods for updating Trust Anch...
A Simple Approach to DNS DoS Defense
We consider DoS attacks on DNS where attackers flood the nameservers of a zone to disrupt resolution of resource records belonging to the zone and consequently, any of its sub-zones. We argue that a minor change in the caching behavior of DNS resolvers can significantly mitigate the impact of such attacks. In our proposal, DNS resolvers do not completely evict cached records whose TTL has expir...