Authors: 刘林晖, 涂菲帆, 陈勇[2], 左鹏, 刘东杰, 张银炎, 耿光刚 (LIU Linhui; TU Feifan; CHEN Yong; ZUO Peng; LIU Dongjie; ZHANG Yinyan; GENG Guanggang; Institute of Cyberspace Security, Jinan University, Guangzhou 510632, China; China Internet Network Information Center, Beijing 100079, China)
Affiliations: [1] Institute of Cyberspace Security, Jinan University, Guangzhou 510632, Guangdong, China; [2] China Internet Network Information Center, Beijing 100079, China
Source: Chinese Journal of Network and Information Security (网络与信息安全学报), 2024, No. 5, pp. 81-94 (14 pages)
Funding: National Key Research Program (2022YFB3103000).
Abstract: Domain Name System Security Extensions (DNSSEC) is a security extension of the domain name system (DNS) that strengthens DNS security by adding signatures to DNS records. Whether recursive resolvers can correctly validate a zone's DNSSEC configuration, and return the appropriate error type when that configuration is wrong, is critical to the security of the DNS as a whole. Building on the RFC 8914 standard, eight DNSSEC error types that can be configured on the authoritative side were selected, and the corresponding error was deliberately configured in each of eight subdomains. Public DNS servers worldwide were then screened for recursive resolvers that support DNSSEC; these were used as probe targets and queried for the eight subdomains, and the results were collected, analyzed and visualized. The results show that, for some of the errors, most DNSSEC-supporting recursive resolvers correctly detect the misconfiguration and return the corresponding error type, such as signature_expired, signature_not_valid, RRSIG_missing and DNSKEY_missing. This large-scale measurement of how well important recursive resolvers worldwide detect DNSSEC misconfigurations offers guidance for building up recursive-side capability as DNSSEC deployment broadens.
Keywords: domain name system; domain name system security extensions; misconfiguration detection; recursive server
Classification: TP393 [Automation and Computer Technology: Computer Application Technology]
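As an added, self-contained illustration (not code from the paper), the decoder below parses the RFC 8914 Extended DNS Error option out of a wire-format DNS response, which is the part of a probe like the one described in the abstract that records which error type a recursive resolver reports for a misconfigured subdomain. The SERVFAIL message it decodes is constructed inline (the query name is a placeholder, not one of the paper's test subdomains), and the code-to-meaning table is the RFC 8914 registry's.

```python
import struct

# RFC 8914 Extended DNS Error INFO-CODEs that report DNSSEC validation failures.
EDE_CODES = {6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid",
             9: "DNSKEY Missing", 10: "RRSIGs Missing", 12: "NSEC Missing"}
OPT_TYPE = 41         # EDNS(0) OPT pseudo-RR type
EDE_OPTION_CODE = 15  # EDNS option code assigned to EDE

def _skip_name(msg, off):
    """Advance past a (possibly compressed) wire-format domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def extended_dns_errors(msg):
    """Return (rcode, [(info_code, meaning, extra_text), ...]) decoded from a response."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    found, off = [], 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == EDE_OPTION_CODE and len(data) >= 2:
                info = struct.unpack("!H", data[:2])[0]
                found.append((info, EDE_CODES.get(info, "other / unknown"),
                              data[2:].decode("utf-8", "replace")))
    return flags & 0x0F, found

def build_servfail_with_ede(qname, info_code, text):
    """Constructed sample (not captured traffic): a SERVFAIL response with one EDE option."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    ede = struct.pack("!H", info_code) + text.encode()
    opt_rdata = struct.pack("!HH", EDE_OPTION_CODE, len(ede)) + ede
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(opt_rdata)) + opt_rdata
    header = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)  # QR, RD, RA, RCODE=2
    return header + question + opt_rr
```

A probe would feed the raw bytes of each recursive resolver's reply to `extended_dns_errors` and tally the INFO-CODE per test subdomain; a resolver that answers SERVFAIL with no EDE option yields an empty list, which is itself a finding.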