
DNS

1. ........ 7
2. TO ........ 8
2.1 ........ 8
2.2 DOMAIN NAME SYSTEM ........ 8
2.2.1 ........ 9
2.2.1.1 ........ 9
2.2.1.2 ........ 9
2.2.1.3 ........ 10
2.2.1.4 ........ 10
2.2.1.5 ........ 10
2.2.2 DNS ........ 10
2.2.2.1 ........ 11
2.2.2.2 DNS ........ 12
2.2.2.3 ........ 14
2.2.2.4 ........ 15
2.2.2.5 ........ 16
2.2.3 DNS ........ 16
3. TO DNS ........ 17
3.1 ........ 17
3.2 ........ 17
3.2.1 ........ 18
3.2.2 ........ 20
3.2.3 ........ 20
3.2.4 ........ 21
3.2.4.1 ........ 21
3.2.4.2 ........ 21
3.2.5 ........ 24
3.3 ........ 24
3.4 DNS ........ 24
3.5 ........ 25
3.6 DNS ........ 25
4. DNSSEC ........ 26
4.1 ........ 26
4.2 DNSSEC ........ 26
4.2.1 ........ 26
4.2.2 ........ 26
4.2.3 ........ 27
4.3 DNSSEC ........ 27
4.3.1 KEY RR ........ 28
4.3.2 SIG RR ........ 28
4.3.3 NXT RR ........ 29
4.4 ........ 29
4.5 ........ 31
4.5.1 ........ 33
5. DOMAIN NAMES ........ 35
5.1 ........ 35
5.2 TLS ........ 35
5.2.1 ........ 35
5.2.2 HASTLS ........ 37
5.2.3 HASTLS ........ 38
5.3 DNS ........ 39
5.3.1 TLS DNS ........ 40
5.3.1.1 ........ 40
5.3.1.2 ........ 40
5.3.1.3 ........ 41
5.3.1.4 ........ 42
5.3.1.5 WIRE ........ 43
5.3.2 TLS TLS ........ 43
5.3.3 ........ 44
5.3.4 ........ 44
5.4 DNS (CAA) ........ 45
5.4.1 CAA RR ........ 45
5.4.2 ........ 46
5.4.3 ........ 47
5.4.3.1 ........ 48
5.4.4 ........ 48
5.4.5 ........ 48
5.4.5.1 ........ 48
5.4.6 ........ 50
5.4.6.1 ........ 50
5.4.6.2 CAA ........ 50
5.4.7 ........ 51
6. DNSCURVE: DNSSEC ........ 52
6.1 ........ 52
6.2 DNSCURVE: - DOMAIN NAME SYSTEM ........ 53
6.2.1 ........ 53
6.2.2 32 BITS ........ 54
6.2.2.1 ........ 54
6.2.3 ........ 54
6.2.4 NONCE ........ 55
6.2.5 DNSCURVE ........ 55
6.2.5.1 ........ 55
6.2.5.2 ........ 56
6.2.6 UDP TCP ........ 57
6.2.7 ........ 57
7. ........ 58
8. ........ 59

DNS


,

.

.

.
.
The Domain Name System is vital for the Internet, because it provides a mechanism for resolving host names into Internet Protocol (IP) addresses. The proper functionality of this system was threatened by insecure protocols and a lack of authentication and information integrity checking. Several security extensions and protocols which improve the Domain Name System (DNS) have been proposed. These security issues and the protocols that have been proposed are presented in this thesis.

1.

.
. .
:

E th ern et ,
, .
In t er n et
- .

,


. dom a i n
, ,
, :
.
, IP
In t ern et .





,
(Domain Name System DNS). DNS

. e-mail ,
telnet rlogin "
ftp . DNS
:
IP , .
Domain Name System ,

.
.
, 2,
( DNS) , In t er n et ,
,
.
3 DNS
, 4 DNSSE C ,


.
5

, 6 DNSCur ve,
DNS DNSSE C.

2. TO

2.1
.
bi t
( byt es) .

, .
,
. (
), .
,
.
( ),
.
IP (
),
, IP .

( ) .

,
. ,

, .


, .
,
.
, ,
.


. ,
,
.
,

.

,
.

2.2 DOMAIN NAME SYSTEM


(Domain Name System - DNS)
[11]
.
,
.
. DNS

DNS ,
Domain Name System .
DNS ,
IP
. DNS
.
( root servers),

IP
.
A, B, .. . .
,
dn s
.
( ISP s).
DNS / .
dn s DNS


. dn s (

),
D NS dn s .
dn s
dn s .
IP (
),
( fl ows) DNS .
dn s
DNS. dn s
,

. dns dns
. dns ( Public Dns
servers). dns .
dn s
. dn s
.

2.2.1

,
[11].
:
2.2.1.1

. ,
,
.
2.2.1.2

,

.
,
.
DNS

,
. ,
.
.

,

.
.


.

.
.
,
(Time to Live - TTL)
.
2.2.1.3
-


.
,
.
.

, ,
.
,
.

.
2.2.1.4

.
.

.
2.2.1.5
,
. ,
.
, ,
,
.

2.2.2 DNS

: , (Resource Records RR).
DNS .
.

.
2.2.2.1
[11] -
. -
, ,
.
.


. .
.
purdue.edu :

1. purdue.edu


.

,
.
( ) ()
.
.

.
. dom . . dom ,
, .
. . dom ,
. . dom
.
.

:

2 .

2.2.2.2 DNS
dn s
.
3.
[11]:
16 bit

bit QR (0)
(1)
OPCODE 4 bit
:
- 0 (QUERY)
- 1 (QUERY)
- 2 (STATUS)
- 3-15
bit

.
bit TC
bit RD
bit RA
bits
bits RCODE .
:
- 0
- 1
- 2
- 3
- 4

5

6-15

16 bi t
, ,
.

.
dn s . ,
.
,
.
,
. :
- 1 - Internet
- 2 CS - CSNET
- 3 CH CHAOS
- 4 HS Hesiod
- 255 wild-carding
T o ,


.

:

,
. DN S
.
.
,
,
.

, .
, .
,

.
dn s :

-
-
- 32 bit
(TTL)
- 16 bit
RDATA bytes
- bytes

3 . DNS

2.2.2.3

RDAT A dn s.

. [11]:
- :
32 bit
- SOA


- S
- PTR

HINFO CPU

- CNAME
-
-



- 25

- ISDN
ISDN DDI, .
(RRSets).
,
DNS, , ( , RDAT A)
. , ,
D NS.
.
.
-

example.com.    IN    NS    ns1.example.com.
example.com.    IN    NS    ns2.example.com.
example.com.    IN    NS    ns.plain.org.

4 .

2.2.2.4

.
.
,

.
:

.

.

.


.

.

.

.

2.2.2.5

. ,

.

( )
.
- :
,

, .
:
, ,
.

.
DNS ,
,
.
.
, .

DNS
.

2.2.3 DNS
DNS .
D NS DNS / . DN S

.
, ,
. ,
.
DNS DNS.
,
, .
,
. ,

.

. ,
,
,
.
,
.
, DNS
,
DNS.
DNS , .
Berkeley Internet Name Daemon (BIND)
DNS Internet . BIND DNS ,
, DNS
.

3. TO DNS
3.1
D NS
,
IP , .
,
IP
( ).
D NS

DNS
. BIN D
,
,
DNS .

DNS.

. DNS
: , ,
, ,
DNS .

3.2
, DNS
.

DNS.
.
DNS
.
.
DNS 16
bi t .

,
. ,

.
,
.
,
.

.
,

.

:
.
.


.

DNS
. ,

.

,
. ,
.

.
, .
DNS ,

.

.
DNS (poisoning) [8].

. ,
,
.


.
.

,
.


. ,
,
.
,

.
,

.
,
.


. , .
,
.
,

. ,
DN S
, .
,
DNS .

3.2.1
BIND DNS
. ,
, ,

' .


(,
).
.
BIN D

. DNS

. BIN D
, ,
.
, ,
ourdns.example.com , ( 5).
DNS . - ,
host1 , DNS ourdns.example.com .
, ourdns.example.com
. ,
ourdns.example.com DNS
.
,
brokendns.example.org .
brokendns.example.org , ,
ourdns.example.com
. ourdns.example.com ,

host1 . ourdns.example.com ,
, host1,
.

5 .

3.2.2
DNS ,
.

.
[9]
PTR.

, DNS,
.
,
DNS PTR
DNS PTR. PTR

.


, .

.

3.2.3


.

DNS .


, DN S
.
,
.
BIND,
,
.


IP , NS , .

3.2.4

. (Denial of Service - DoS)
.
3.2.4.1
.
( ,
DNS ).
DNS
,
DNS .


.

CNAME
, :
foobar.example.org. CNAME foobar.example.org.
,
.
CNAME .
,

foobar.example.org .
3.2.4.2


. , ,
, / .

,
.

.


IP

/ IP
. DNS
,
DNS .
DNS
.
.
. ,
rshd
. .rhosts
.

6 .

DNS , evildns.example.org ,
0.6.172.in-addr.arpa
, plain.org:
8.0.16.172.in-addr.arpa.    IN    PTR    trustme.plain.org.

, trustme.plain.org,
victim.example.edu trustme.plain.org
. .rhosts victim.example.edu .
, victim.example.edu
firewall.
IP 172.16.0.8

victim.example.edu ,

.
, rlogind
.
PTR, "A"
FQDN PTR .
,
Unix
gethostbyaddr()
.
IP (,
PTR).
"A"
.
DNS 7.

7. DNS


,
.
DNS
.
PTR
,

""
IP .
, BIND
,
, . ,

DNS
.

3.2.5

.

.
.

dn s .
.
DNS .
DNS ,
.

. .
.
,

DNS .
DNS
, .
UDP
T CP.
DNS .


. DNS
.

.

.

.

.

3.3
H - ,
DNS .
.
,
,
.
DNS
.

3.4 DNS
RFC 1035,
DNS, DNS ,
D NS
.
DNS RFC 1035
DNS
.

(Dynamic Host Configuration Protocol - DHCP)

.
.
.

.
,
IP
.

.
, ,
, , IP
.

3.5
DNS
. ,


.
.
DNS
, IP , ,
DNS
IP .
IP
IP
.
IP, ,

IP.

3.6 DNS
DNS :
(. .
Un i x )
.
DN S.
.
BIN D,
,
,
DNS , . DNS
. ,
DNS .
DNS
DNSSE C .

4. DNSSEC
4.1
1994, IETF
DNS DNS [10].
DNSSEC .

DNS .

D NS .

DNS
DNS SE C.
.
DN SSE C
DNS .

DNSSE C
. DNSSE C
.
DNS SE C
DNSSE C .

,
.

DNS SE C.

.

4.2 DNSSEC

[5]: ,
.

4.2.1


D NS,

DNS.
.

4.2.2

DNSSE C .
DNS .


.
D NSSE C
.
.

. (
)
,
.

.


.

,

. ,
.

4.2.3

DNS DNS .

.
.
,
, .
.

.

DNS. DNSSE C
DNS
DNS
. ,
DNS DN SSE C

.

4.3 DNSSEC
IETF DNS
DNSSEC .
DNS KEY RR [6], SIG RR [6] NXT RR [6]. DNSSEC
KEY RR ,
KEY RR.
KEY RR
DNS .
SIG RR.
. NXT
RR
.
, CERT RR [6],
DNS,

DNS.
IP
,
CERT
.

4.3.1 KEY RR
DNS KEY RR.
DNS, ,
. KEY RR DNS
.
, , KEY RR
KEY RR.
DNS
.
DNSSEC KEY RR
: , .
, CERT RR
. RDATA KEY RR DNS
KEY RR ( , ) .
, , .
KEY RR
.
, , ,
,
DNS .

RDATA KEY RR.
, RSA/MD5 , Diffie-Hellman ,
(DSA), .
.
bytes.
.
TLS , e-mail , DNSSEC , IPsec.
bytes 8 bit ,
255 255
.
bits
bits . bits
KEY RR.
, , ,
. DNS .
,

. bits
, , ,
.
DNS
.
.

4.3.2 SIG RR
SIG
RR. SIG RR
. ,
SIG RR .
SIG RR

.
.
RDATA SIG RR.

. ( ,
NS, PTR, MX, ... ), .
,
. . SIG RR
KEY RR. ,
, SIG RR .
SIG RR
SIG RR
,
SIG RR
. ,
SIG RR.
, ,
SIG RR
. ,

SIG RR

.

4.3.3 NXT RR
DN S .
,
. DNSSE C
.
NXT RR. NXT RR
DNS
DNS.
DNS.
: .
DNS ( ,
), .
DNS,

. .
, , NXT
RR D NS ,
, DNS .
DNS,
NXT RR DNS
. SIG RR ,
NXT RR .

4.4

DNS. DN S
:
, DN S,
.
DNS
.

SIG RR, , NXT RR
. SIG RR
.
SIG RR .

,
. , ,
,
.

. SIG RR
. NXT RR,
,
SIG RR.
.
DNS,
,
, .


.
. DNS
,
.
.
,

.

.
,
, " ".
,
,
( ).
,
, ,
SIG RR .
,
.
, ,
.
.
,
.
.

SIG RR KEY RR.
.
,
.
,
.
, .
,
.
.


.
,
.
SIG RR
.



.
, ,
.
O







.
,
.
,
.
,

.

,

.

(CD).


, DNSSE C
CD DNS.

DNS DNSSE C ,
.
,

.

, C D.
,
.
.

,
.

,
(AD) .

.

4.5

.
DNSSEC .
8 DNSSEC
:

8. DNSSEC

, ,
saclient.example.com ,
b.example.org .

sadns.example.com , sadns.example.com . ,


example.org , , ,
.

b.example.org A sadns.example.org
,
DNSSEC .
SIG RR RR
. O
SIG RR
. SIG RR
, ,
SIG RR, SIG RR , ,
.
SIG RR .
, . SIG RR
,
RR
b.example.org . SIG RR ( ,
).
NS
,
sadns.example.org DNS example.org
. SIG RR
, SIG RR
, NS.
SIG RR .
"A"
sadns.example.org
. A
SIG RR, A RR.

SIG RR RR .
SIG RR. ,
SIG RR , SIG RR
, .
, SIG RR.
, . .
, sadns.example.org SIG RR
.
SIG
"."
. ,
SIG RR
, , "."
.
, , SIG RR

. RDATA.
,
SIG RR.
.
KEY RR .
KEY RR example.org .
SIG RR
. KEY
RR,
. KEY RR b.example.org
sadns.example.org.
,
. , KEY
RR .
, RR , KEY RR.
, SIG RR , KEY RR ,
, KEY RR SIG RR.
KEY RR.
, ,
.

4.5.1

. DN S
[7].
, .
DNS,
. ,
.

,
.

. ,

.

.



.
.
,
.

5. DOMAIN NAMES
5.1
TLS DTLS
.
TLS
.
DNSSEC
dns . ,
,
dns.
TLS dns
TLS . ,
DNS.

5.2 TLS
- IE T F
:
,
( )
.
, T LS ,
, - .
TLS
(Extensible
Authentication Protocol - EAP) Transport
Layer Security (TLS). EAP-TLS
. EAP-TLS
. TLS
. TLS


.

5.2.1


-
T LS.
.
: ' ,

.
-

TLS . , HTTP
80 HTTP-in-TLS 443 ,
SMTP STARTTLS SMTP STARTTLS
, .
,
- .
,
:

- (CIO):
- .
, POP
- POP 110.
- (CSO):
, TLS .
, POP client
POP 995.
- (CFB) :

, TLS , TLS,

- .
,
.
,
:
- (SO):
TLS .
HTTP 80
.
- (SS): TLS
TLS . ,
HTTP
443. ,
( STARTTLS SMTP),
, TLS,
TLS .
- (SSB) -
TLS
TLS TLS ,
80 443 HTTP. ,
( STARTTLS SMTP),
,
TLS, , TLS
.
- . ,


.
, ,
. , -
.

, , T LS .
-
.
,

:
.

- ,
. , -
,

.
, -
, .

: -
,
- - ,


- .
,
. -
-
- ,
,
, .
, , ,
.
, ,
.

5.2.2 HASTLS
HASTLS [1], TBD1 ,
-

. TLS,
-
. :
_appname._protoname.hostname IN HASTLS ins-port sec-port pol-pref
(APPNAME)
(protoname) SRV
[RFC2782]. - (
ins-port ), ( sec-port ),
( pol-pref)
.
,
0.
, - "
. HAST LS



0.

HASTLS,
. ,
HTTP 80 8080
, 80 ( ),
8080 ( ).
HAST LS .

HA ST LS. HAST LS

.

byte
. :
0
.
1 -
- (CSO)
,
,
- . ,

-
.
1
,
. ,

,

.
, www.example.com SMTP
. SMTP

-
. HASTLS :
_smtp._tcp.www.example.com IN HASTLS 25 25 1
www.example.com
HTTP . HASTLS
:
_http._tcp.www.example.com IN HASTLS 0 443 0

_http._tcp.www.example.com IN HASTLS 0 443 1

5.2.3 HASTLS
- ,
, -
HAST LS .

- -
- 0.

- 0
- .

- - .

HA ST LS
:

1
,
- - .

.

.

- 0 .


.


, - .

-

0 .

-

- 0 .

-


,
T LS .

5.3

DNS

T LS
. T LS

T LS,


. ,
,
,
.


. DNS domain
name ,


.
DNS.

( "
") . ,
, DER- ,
:
dns.
,
.

TLS domain name DNS
DNSSEC .
DNS , domain name
.
DNSSEC
DNS.
DNS

DNSSEC
. DNSSEC



.

. , DN S

.
,
- .

5.3.1 TLS DNS


DNS, TLSA [2].
domain name TLSA RR
/ (records) TLSA.
5.3.1.1
domain name :
1.

TLS

(_) domain name.
2.
TLS (_)
domain name.
tcp udp sctp .
3. 2
.
, TLSA RR http
TLS 443 www.example.com ,
_443 .
_tcp.www.example.com . TLSA
SMTP server STARTTLS
25
mail.example.com , _25._tcp.mail.example.com
5.3.1.2

, :
1. one-byte ,
. IANA
.
:
--

--
2. - one-byte ,
.
IANA .

0 --
1 -- Sha-256
2 -- Sha-512


T LS T LSA.
3. . bytes



( ,
TLS ASN.1Cert ).
5.3.1.3
TLS .
TLS
- 1 , hash
, TLS.
TLS
- 2
domain name.
- 1 (
) TLS
.
, . 0,

TLSA
TLS. 0,
hash TLS server
TLSA.
- 2 ( )
. 0,
TLSA
TLS.

TLSA.
0,
TLS
TLSA,

TLSA RR,
. ,

TLS,
TLSA RR,
.
TLS,
- 1
- 2, subjectAltName

TLS server . , TLS

TLSA .
TLSA.




:
.
: - , -
, - . .
-
. -
-
.
.

.
- (

,
)
PKIX ,
.

dom a i n na m e
T LS.
PKIX ,
TLSA

PKIX
. -
1
PKIX.
5.3.1.4
RDATA TLSA
( )
bytes
, .
Sha-256 (- 1) (- 1)
:
_443._tcp.www.example.com. IN TLSA (
    1 1 5c1502a6549c423be0a0aa9d9a16904de5ef0f5c98
    c735fcca79f09230aa7141 )
(- 2) :
_443._tcp.www.example.com. IN TLSA (
    2 0 308202c5308201ada00302010202090... )

,
:
wire .

5.3.1.5 WIRE
wire :
                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Cert type    |   Hash type   |                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               /
   /                                                               /
   /                    Certificate for association                /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
wire RDATA :
_443._tcp.www.example.com. IN TYPE65534 \# 34 ( 01015c1502a6549c42
3be0a0aa9d9a16904de5ef0f5c98c735fcca79f09230aa7141 )
wire RDATA
:
_443._tcp.www.example.com. IN TYPE65534 \# 715 0200308202c5308201a...
, 65534 .
RR . RR TLSA
IANA.

5.3.2 TLS TLS


T LS

D NS,




DNS DNSSEC .
TLSA .
DNS
AD bit ,
,
.

TLS,
.
TLS
.
, TLS
.

TLS, TLS
TLS .

TLS, TLS
"access_denied".

5.3.3
DNS
TLSA 1

2.

TLSA
RR
hash 0 (hash) hash 1 (Sha256), TLSA RR hash - 2
(Sha-512).
TLS
TLSA
1 2,
TLS hash 0 (hash)
hash - 1 (Sha-256),
hash - 2 (Sha-512).

5.3.4


DNSSE C
.
DNS
T LSA
,
.

, .



T LSA
RR




DN S

, DNS .
,
.
T LSA RR ,


.

T LSA
,

T LS
. DNS
DN S
.
SSL
TLS. ,
SSL:
TLS, TLS
, TLS

.
, TLSA SSL
TLS
DNS
SSL . ,

TLS .

5.4 DNS (CAA)
DNS (CAA) [3]
DNS
. CAA

.
CAA
.
, (PKIX)
(CA)
,
.
,


.


(CPS)
( CP)
CP S
.
CAA
.
,
CAA
CAA .


CAA

.

5.4.1 CAA RR
CAA CAA
.
d om a i n na m e CAA RRs
dom a i n n am e.
:
: ,
CAA
.
dom a i n
.
CAA RRs

.
: bi t .
dom a i n

.
CAA RRs

.


d om a i n .

d om a i n .
:
< Certificate Policy OID > :

.
< ObjectDigestIdentifier > < > :



.



(ODI)




. CAA RR
ODI

.

dom a i n
/ .

5.4.2
CAs

( 1.3.6.1.4.1.35405.666.1 ).
, domains
example.com .
$ORIGIN example.com
.    CAA 1 policy 1.3.6.1.4.1.35405.666.1
CAs
:
$ORIGIN example.com
.    CAA 1 path MDIGA1UEJQYJYIZIAWUDBAIBBCAXzJgPaoT7FeXaPzKv6mI2D0yilif+7WhzmhMGLe/oBA==

.
Default Deny Security certification policy 'Example 1' or 'Example 2' :
$ORIGIN example.com
.    CAA 1 policy 1.3.6.1.4.1.35405.666.1
.    CAA 1 policy 1.3.6.1.4.1.35405.666.2
( entry)
domain ,
.


,

.
, tbs . H Default Deny Security CA

tbs
.
$ORIGIN example.com
.    CAA 1 policy 1.3.6.1.4.1.35405.666.1
.    CAA 1 policy 1.3.6.1.4.1.35405.666.2
.    CAA 129 tbs MDIGA1UEJQYJYIZIAWUDBAIBBCAXzJgPaoT7FeXaPzKv6mI2D0yilif+7WhzmhMGLe/oBA==
H
.
CAA /
, .
,
Default Deny Security

:
$ORIGIN example.com
.    CAA 3 policy 1.3.6.1.4.1.35405.666.1


.
,


.
$ORIGIN example.com
.    CAA 3 policy 1.3.6.1.4.1.35405.666.1
.    CAA 2 policy 1.3.6.1.4.1.35405.666.2

5.4.3

CAA
, .

CAA RRs, .

CAA
.






.


.

,

.


,
( ).
,

dom a i n s CAA

.
5.4.3.1
To DNS CNAME DNAME
domain name. DNS
DNS .
.

5.4.4

CAA ,
.



.

,
.
CAA RR

DNSSEC


.
DNSSEC
CAA
RR CAA RR
CAA RR.

5.4.5
5.4.5.1
CAA RR .


CAA.


CAA .
CAA RRs
.
CAA .

+0-1-2-3-4-5-6-7-|0-1-2-3-4-5-6-7-|
| Flags          | Tag Length = n |
+----------------+----------------+...+---------------+
| Tag char 0     | Tag Char 1     |...| Tag Char n-1  |
+----------------+----------------+...+---------------+
+----------------+----------------+.....+---------------+
| Data byte 0    | Data byte 1    |.....| Data byte m-1 |
+----------------+----------------+.....+---------------+
n m
bytes ( m = d - n - 2) d
. :
Bit 0: . (1),
CAA RR
.
CAA
.
Bit 5: . Bit 5 .
CAA
Bit
.
Bit 6: . ,

.
Bit 7:



,

To Bit 0 Bit Bit 7
. 0x51

5
byt es




.

ASN.1 OID
.
:

,


.
ASN.1 OID
ASN.1, OID.
H OID

OIDs





OID.


OID
1.3.6.1.4.1.35405.666
,

OIDs

1.3.6.1.4.1.35405.666 , 1.3.6.1.4.1.35405.666.1 , 1.3.6.1.4.1.35405.666.2 ...
.

OID
.
,



.



.



PKIX

,

5.4.6
CAA .
.

CAA ,

.


CAA,
,

.

C AA,
.
CAA


.
, CAA


CAA.
5.4.6.1
CAA
. d om a i n


.

.
5.4.6.2 CAA
CAA

.
CAA
CAA DNSSEC .
DNSSEC , CAA
.

,

.

DNSSEC

CAA .
DNSSEC ,

DNS.
DNS
.



.
CAA RR
.
DNS .

5.4.7



.
,

.

6. DNSCURVE: DNSSEC
6.1
Domain Name System (DNS) ,
IP .
, Kaminsky 2008 ,
. DNS
, ,
, DNSSEC , ,
. Daniel J. Bernstein ,
DNSCurve,
DNS DNSSEC -
. Bernstein
UNIX. ,
,
.
DNSCurve Bernstein.
DNSCurve DNSSEC
.
,
. ' , DNSCurve ,
,
(Elliptic Curve Cryptography - ECC), o o
RSA .
ECC
RSA (256 bits 1024 bits)
. , ECC
25 .
, Bernstein
: " ,
2.4GHz Core 2 Quad CPU 50
500 .
.com 38 5 . ".
Bernstein , Curve25519 ,
DNSCurve. " " , 2^255 - 19,
. Bernstein
"Curve25519: Diffie-Hellman ". ECC
, Bernstein Curve25519
. , ,
DNSCurve .
DNSCurve
domains. ,
ns3.lwn.net ( ), ns3
domain . ,
,
DNS .
DNS
, ,
. ,
. ,
,
.
DNSCurve DNS
DNSSEC , DNSSEC
. , DNSSEC


. DNSSEC ,
,
DNSCurve.
DNSCurve Bernstein
.
ECC Curve25519 ( , ,
), .
, Bernstein ,
. , internet
.

6.2 DNSCURVE: - DOMAIN NAME SYSTEM
DNSCurve Domain Name System .
,
, :
,
- firewalls
DNS proxies.
DNSCurve MAC (
) .

,

. , DNSCurve
.

6.2.1
DNSCurve Curve25519XSalsa20Poly1305 ,
Curve25519 , Salsa20, Poly1305. ,
256 bit , nonces
192 bit , 128 bit .
DNSCurve
. DNSCurve
NS
DNS, DNSCurve ,
.
DNSCurve DNS
, DNSCurve
,
DNSCurve nonce
. , ,
nonce
DNSCurve , DNSCurve
DNS.
DNS , DNSCurve

DNSCurve
, DNSCurve nonce,

. , (
DNSCurve
),
DNS .
,
. ,
nonce nonce
,
nonce
DNS.
DNSCurve,
DNSCurve .
, DNSCurve
DNSCurve. DNSCurve,
DNSCurve nonce (,
nonce ) ( ,
nonce) ,
.
DNSCurve,
DNS.

6.2.2 32 BITS
DNSCurve byte .
DNS 8 bit (
-
ASCII ),
,
. , DNSCurve
byte .
32 bit DNSCurve [4], byte
little-endian . 5 bit ,
,
" " "0123456789bcdfghjklmnpqrstuvwxyz". 5
bits - .

"BCDFGHJKLMNPQRSTUVWXYZ"

"bcdfghjklmnpqrstuvwxyz".


, - byte bytes {0x64, 0x88} ( ,
{100, 136} ) 0x8864 ( , 34916 ). bits
1000100001100100 5 bits, 00100, 00011,
00010, 00001, "4", "3", "2", "1".
"4321".
6.2.2.1
+-------------------------------------------+------------------+
| Byte string                               | Base-32 encoding |
+-------------------------------------------+------------------+
| {}                                        | ""               |
| {0x88}                                    | "84"             |
| {0x9f,0x0b}                               | "zw20"           |
| {0x17,0xa3,0xd4}                          | "rs89f"          |
| {0x2a,0xa9,0x13,0x7e}                     | "b9b71z1"        |
| {0x7e,0x69,0xa3,0xef,0xac}                | "ycu6urmp"       |
| {0xe5,0x3b,0x60,0xe8,0x15,0x62}           | "5zg06nr223"     |
| {0x72,0x3c,0xef,0x3a,0x43,0x2c,0x8f}      | "l3hygxd8dt31"   |
| {0x17,0xf7,0x35,0x09,0x41,0xe4,0xdc,0x01} | "rsxcm44847r30"  |
+-------------------------------------------+------------------+

6.2.3

DNSCurve
54 byte "uz5",
51 bytes 32 bit . (
Curve25519 255 bit little-endian,


52 byte 32 bit "0". )
DNSCurve
DNSCurve ,
. ,
. "uz5"
.

6.2.4 NONCE
, DNSCurve nonce 96 bit ,
, DNSCurve 96 bit nonce.
nonces
/ .
nonce . ,
nonce ( nonces
- ). ,
, nonces
.
nonce 96 bit
nonce :
64 bit ( 1) ,
32 bit
96 bit (... , 1970)
32 bit .
64 bit
.

DNSCurve,
nonce.
nonce: ,
DNSCurve ,
nonces
nonces.

6.2.5 DNSCURVE
DNSCurve : [4]

"TXT" [4].
. DNSCurve
,
/ .
DNSCurve DNSCurve

.
6.2.5.1
bytes:
8 bytes: "Q6fnvWj8".
32 bytes: DNSCurve .
12 bytes: nonce .
DNS.

bytes:
8 bytes: "R6fnvWJ8".


12 bytes: nonce .
12 bytes: nonce
.

,
. , nonce .
6.2.5.2
"TXT"

DNS : 1)
255 byte 2) 512 bytes.
TXT ,
DNSCurve DNS
bits , TC, RD, RA, Z, RCODE ,
, , .
Internet TXT
:
,
50 bytes, 50 bytes.
32 bit nonce
96 bit
DNS.
54 bit : DNSCurve ,
4, "x1a"
"uz5".

: ,
NS.
DNSCurve
TXT . ,
bit RD ,
, , ,
DNSCurve
. , QR bit .
TXT ,
DNSCurve DNS
ID, RD bit ,
, AA bit , bit TC RA Z
RCODE 0 , ,
.
Internet
0. RDATA
nonce 96 bit

,
255 bytes DNS TXT RDATA.
, DNSCurve
TXT . ,

.

6.2.6 UDP TCP


512 bytes
.
TCP. TCP
512 bytes:
TCP .
DNSCurve TCP
TCP. 512 bytes
UDP.
DNSCurve 4096-




UDP.
512 bytes,

DNSCurve.
TCP , DNSCurve TCP
DNSCurve TCP.
TCP
UDP, TCP ,

512 bytes . DNSCurve
UDP,
TCP .
DNS EDNS0 OPT ,

DNSCurve .

.
,
4096 bytes,
.
DNSCurve UDP,

IP
IP . ,
MTU.

6.2.7
DNSCurve -
/ .
DNS
.
DNSCurve
DNSCurve ,
DNS
DNSCurve . , DNSCurve
DNSCurve,
DNSCurve .
DNSCurve
DNS ,
DNS . , TXT
.

7.

. ,
DNS
IP
, .
DNS DNS
. ,
DNS . ,
DNS
, ,
, ,
.
DNS ,
IETF DNS, DNSSEC . DNSSEC
DNS. ,

.

.
DNSSEC
,
DNS .
, ,
HASTLS RR, TLSA RR CAA RR,
.
DNSSEC
.
, DNSCURVE ,
DNS DNSSEC . DNSCURVE
,
DNS
.

8.
[1] P. Hoffman (2011), Specifying That a Server Supports TLS
[2] Hoffman & Schlyter (2011), Using Secure DNS to Associate Certificates with Domain Names For TLS
[3] P. Hallam-Baker, R. Stradling & B. Laurie (2011), DNS Certification Authority Authorization (CAA) Resource Record
[4] M. Dempsky (2010), DNSCurve: Link-Level Security for the Domain Name System
[5] R. Arends (2005), DNS Security Introduction and Requirements
[6] R. Arends (2005), Resource Records for the DNS Security Extensions
[7] R. Arends (2005), Protocol Modifications for the DNS Security Extensions
[8] Luis Grangeia (2004), DNS Cache Snooping
[9] Men & Mice (1999), "What is DNS Spoofing"
[10] D. Eastlake (1999), Domain Name System Security Extensions
[11] How DNS Works (2003), http://technet.microsoft.com
[12] http://en.wikipedia.org
