A scalable Byzantine fault tolerant secure domain name system
Author(s)Ahmed, Sarah, 1975-
Scalable Byzantine-fault-tolerant secure DNS
Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science.
MetadataShow full item record
The domain name system is the standard mechanism on the Internet to advertise and access important information about hosts. At its inception, DNS was not designed to be a secure protocol. The biggest security hole in DNS is the lack of support for data integrity authentication, source authentication, and authorization. To make DNS more robust, a security extension of the domain name system (DNSSEC) was proposed by the Internet Engineering task force (IETF) in late 1997. The basic idea of the DNS security extension is to provide data integrity and origin authentication by means of cryptographic digital signatures. However, the proposed extension suffers from some security flaws. In this thesis, we discuss the security problems of DNS and its security extension. As a solution, we present the design and implementation of a Byzantine-fault-tolerant domain name system. The system consists of 3f+1 tightly coupled name servers and guarantees safety and liveness properties assuming no more than f replicas are faulty within a small window of vulnerability. To authenticate communication between a client and a server to provide per-query data authentication, we propose to use symmetric key cryptography. To address scalability concerns, we propose a hierarchical organization of name servers with a hybrid of iterative and recursive query resolution approaches. The issue of cache inconsistency is addressed by designing a hierarchical cache with an invalidation protocol using leases. Because of the use of hierarchical state partitioning and caching to achieve scalability in DNS, we develop an efficient protocol that allows replicas in a group to request operations from another group using very few messages. We show that the scalable Byzantine-fault tolerant domain name system, while providing a much higher degree of security and reliability, performs as well or even better than an implementation of the DNS security extension.
Thesis (M.Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2001.Includes bibliographical references (p. 98-101).
DepartmentMassachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science.; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Massachusetts Institute of Technology
Electrical Engineering and Computer Science.