A new internet naming system
Author
Abstract
In this thesis I describe my research activities and results of the last 4 years. I also provide an outlook and guidelines on how to proceed with our project, which we named SEDNS (SecurityEnhanced Domain Name System). This project’s ambitions are to complement DNS, the Domain Name System, in a way that allows us to keep using it in the future. The main reason for this strategy is that it has proven to be difficult to change any part of the Internet infrastructure, such as parts of the protocol stack or well-established Internet authorities, like ICANN or IANA. The main problems of DNS are twofold. (1) The DNS protocol does not contain any measures to prevent data from being tampered with. (2) Furthermore, it is difficult to configure DNS correctly since most of the configuration is done within the DNS data itself, e.g., delegating authority. It is well known that DNS problems lead to reduced availability of Internet-based services in many different ways. In this thesis, I present four main results. All of them contribute to improvements and deeper understanding of DNS’ dependability issues. First, I discuss how well-established cryptographic tools can be used to enhance DNS’ security without getting into the same problems that prevent DNSSEC from being globally deployed. These problems are explained as well. This is an important topic for the Internet and DNS community, since at the moment most of the protocol improvements are connected to DNSSEC. Second, I thoroughly discuss the technique that was used in recent years to overcome any problems related to client-server architectures, i.e., peer-to-peer systems. Such solutions have been proposed to improve DNS’ availability and reduce configuration effort. I show that those systems do not keep up with the expectations, neither as client-side tools nor as server infrastructure replacement. To reach this conclusion, a novel DHT scheme has been developed. The evaluation of it is shown as well.
Third, results of our DNS data mining show that it is useful to improve the quality of DNS data and therefore to protect clients from malicious or erroneous information. And fourth, an outlook is presented, which combines all the results of the first three points to suggest an architecture that indeed can improve our supply with DNS data, omitting the shortcomings of the classical client-server architecture and its peer-to-peer replacements. Note that although the development of future DNS standards and protocols is subject to political struggle, e.g., on whether or not an international organization should maintain the root zone instead of the USA, this thesis focuses only on technical aspects.
Similar resources
An Interface-Based Naming System for Ubiquitous Internet Applications
In the future, huge amounts of embedded and invisible devices, as well as software components, will be connected to the Internet, and these “functional objects” are expected to play an important role in providing convenience services to users. In such a “ubiquitous Internet,” users will be able to utilize various applications through functional objects anytime and anywhere. Since the ubiquitous...
Towards Secure Information-centric Naming
The predominant usage of the Internet for content retrieval has led to a new communication paradigm called information-centric networking (ICN). In this paradigm, the main concern is to fetch content from the network without the explicit knowledge where the content, or its copy, is currently located. Although the migration to the ICN paradigm is already taking place, the underlying naming syst...
Naming Plan for Internet Directory-Enabled Applications, RFC 2377
Application of the conventional X.500 approach to naming has heretofore, in the experience of the authors, proven to be an obstacle to the wide deployment of directory-enabled applications on the Internet. We propose a new directory naming plan that leverages the strengths of the most popular and successful Internet naming schemes for naming objects in a hierarchical directory. This plan can, w...
RFC 2377 A Directory Naming
Application of the conventional X.500 approach to naming has heretofore, in the experience of the authors, proven to be an obstacle to the wide deployment of directory-enabled applications on the Internet. We propose a new directory naming plan that leverages the strengths of the most popular and successful Internet naming schemes for naming objects in a hierarchical directory. This plan can, w...
A Naming Scheme for Identifiers in HiiMap
Many researchers agreed that the split of locator and identifier seems to be a very promising approach. Although this solution addresses the most critical issues in today's Internet architecture, new challenges arise through the mapping system which is necessary to resolve identifiers into the corresponding locators. One interesting question is how the naming of identifiers is done. In this work...