Paper ID: 2024NTP0003
The Domain Name System (DNS) is the most widely used name resolution architecture in the current Internet, and Domain Name System Security Extensions (DNSSEC) is the fundamental solution to DNS cache poisoning attacks. However, the extra overhead caused by DNSSEC has hindered its wide deployment during the last two decades, and there is still no effective solution. To mitigate the overhead caused by DNSSEC in DNS full-service resolvers, we proposed in the literature a terminal-based DNSSEC validation solution. That solution helps avoid the extra overhead caused by DNSSEC validation on DNS full-service resolvers, but the results of DNSSEC validation cannot be shared among the end terminals. In the improved version, two DNS full-service resolvers, one with and one without DNSSEC validation, are used in parallel in order to solve the issues. In the improved solution, one DNS full-service resolver (DNSSEC-enabled) can share the results among the terminals and the other full-service resolver (DNSSEC-disabled) can be used for terminal-based DNSSEC validation, but the overhead issue on the end terminal still has not been solved. In this paper, we expand the improved version by adding the functionality of terminating the slower name resolution process in order to reduce resource consumption on end terminals. The evaluation results show that the integrity-secured name resolution works properly, and an improvement in name resolution performance has also been confirmed.
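The parallel use of the two resolution paths and the termination of the slower one, as an added example that is not code from the paper: both paths are simulated with constructed delays and a constructed answer (no DNS traffic is sent), and the names `simulated_path`, `resolve`, `lookup` and `TERMINATED` are hypothetical. Letting a path whose validation fails lose the race is an assumption of this example, not something the abstract specifies.

```python
import asyncio
from functools import partial

TERMINATED = []  # labels of paths cancelled because they lost the race

async def simulated_path(label, name, delay, secure=True):
    """Constructed stand-in for one resolution path (no real DNS traffic).

    "resolver": the DNSSEC-enabled full-service resolver validates the answer.
    "terminal": the DNSSEC-disabled resolver answers, the terminal validates.
    """
    try:
        await asyncio.sleep(delay)       # simulated query + validation time
    except asyncio.CancelledError:
        TERMINATED.append(label)         # remaining work on this path is dropped
        raise
    if not secure:
        raise ValueError(f"{label}: DNSSEC validation failed")
    return {"name": name, "addr": "192.0.2.10", "validated_by": label}

async def resolve(name, paths):
    """Run all paths in parallel, return the first validated answer and
    terminate whatever is still running."""
    pending = {asyncio.create_task(p(name)) for p in paths}
    errors = []
    try:
        while pending:
            done, pending = await asyncio.wait(
                pending, return_when=asyncio.FIRST_COMPLETED)
            errors += [t.exception() for t in done if t.exception()]
            good = [t for t in done if t.exception() is None]
            if good:
                return good[0].result()  # only a validated answer can win
        raise LookupError(f"no validated answer for {name}: {errors}")
    finally:
        for t in pending:                # the slower path(s)
            t.cancel()
        await asyncio.gather(*pending, return_exceptions=True)

def lookup(name, resolver_delay, terminal_delay, terminal_secure=True):
    """Synchronous wrapper: race the resolver path against the terminal path."""
    paths = [partial(simulated_path, "resolver", delay=resolver_delay),
             partial(simulated_path, "terminal", delay=terminal_delay,
                     secure=terminal_secure)]
    return asyncio.run(resolve(name, paths))
```
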