A New Internet Naming System

DISSERTATION for the award of the academic degree Doktoringenieur (Dr.-Ing.)
submitted by Dipl.-Inf. Gert Pfeifer
born on 30.07.1979 in Meissen
submitted on 15 April 2009 to the Technische Universität Dresden, Fakultät Informatik

Reviewers:
Prof. Christof Fetzer, Ph.D., Institut Systemarchitektur, Technische Universität Dresden
Prof. Pascal Felber, Ph.D., Institut d'informatique, Université de Neuchâtel

Date of defense: 21 September 2009
Dresden, 26 September 2009

Abstract
In this thesis I describe my research activities and results of the last 4 years. I also provide an outlook and guidelines on how to proceed with our project, which we named SEDNS - Security-Enhanced Domain Name System. This project's ambition is to complement DNS, the Domain Name System, in a way that allows us to keep using it in the future. The main reason for this strategy is that it has proven difficult to change any part of the Internet infrastructure, such as parts of the protocol stack or well-established Internet authorities like ICANN or IANA.

The main problems of DNS are twofold. (1) The DNS protocol does not contain any measures to prevent data from being tampered with. (2) Furthermore, it is difficult to configure DNS correctly, since most of the configuration, e.g., delegating authority, is done within the DNS data itself. It is well known that DNS problems lead to reduced availability of Internet-based services in many different ways.

In this thesis, I present four main results. All of them contribute to improvements in, and a deeper understanding of, DNS' dependability issues.

First, I discuss how well-established cryptographic tools can be used to enhance DNS' security without running into the same problems that prevent DNSSEC from being globally deployed. These problems are explained as well. This is an important topic for the Internet and DNS community, since at the moment most of the protocol improvements are connected to DNSSEC.

Second, I thoroughly discuss the technique that has been used in recent years to overcome any problems related to client-server architectures, i.e., peer-to-peer systems. Such solutions have been proposed to improve DNS' availability and reduce configuration effort. I show that those systems do not live up to expectations, neither as client-side tools nor as a replacement for the server infrastructure. To reach this conclusion, a novel DHT scheme has been developed. Its evaluation is shown as well.

Third, results of our DNS data mining show that it is useful to improve the quality of DNS data and thereby to protect clients from malicious or erroneous information.

Fourth, an outlook is presented that combines the results of the first three points to suggest an architecture that can indeed improve the supply of DNS data while avoiding the shortcomings of the classical client-server architecture and its peer-to-peer replacements.

Note that although the development of future DNS standards and protocols is subject to political struggle, e.g., on whether or not an international organization should maintain the root zone instead of the USA, this thesis focuses only on technical aspects.
measured statistics for DNS name-based transit-stub topologies
Some examples for improving correctness issues automatically
Number of items per bucket: DHT versus stable hash map, 256 buckets
Number of items per bucket: Hash Algorithm comparison, 256 buckets
Number of items per bucket, taking popularity of DNS names into account