5 research outputs found

    Library and Tools for Server-Side DNSSEC Implementation

    This thesis deals with currently available open-source solutions for securing DNS zones using the DNSSEC mechanism. Based on the findings, a new DNSSEC library for an authoritative name server is designed and implemented. The aim of the library is to keep the benefits of existing solutions and to eliminate their drawbacks. Also, a set of utilities to manage keys and signing policy is proposed. The functionality of the library is demonstrated by its use in the Knot DNS server.

    Deploying DNSSEC in islands of security

    The Domain Name System (DNS), a name resolution protocol, is one of the vulnerable network protocols that has been subjected to many security attacks such as cache poisoning, denial of service and the 'Kaminsky' spoofing attack. When DNS was designed, security was not incorporated into its design. The DNS Security Extensions (DNSSEC) provide security to the name resolution process by using public key cryptosystems. Although DNSSEC has backward compatibility with unsecured zones, it only offers security to clients when communicating with security-aware zones. Widespread deployment of DNSSEC is therefore necessary to secure the name resolution process and provide security to the Internet. Only a few Top Level Domains (TLDs) have deployed DNSSEC; this inherently makes it difficult for their sub-domains to implement the security extensions to the DNS. This study analyses mechanisms that can be used by domains in islands of security to deploy DNSSEC so that the name resolution process can be secured in two specific cases where either the TLD is not signed or the domain registrar is not able to support signed domains. The DNS client-side mechanisms evaluated in this study include web browser plug-ins, local validating resolvers and domain look-aside validation. The results of the study show that web browser plug-ins cannot work on their own without local validating resolvers. The web browser validators, however, proved to be useful in indicating to the user whether a domain has been validated or not. Local resolvers present a more secure option for Internet users who cannot trust the communication channel between their stub resolvers and remote name servers. However, they do not provide a way of showing the user whether a domain name has been correctly validated or not. Based on the results of the tests conducted, it is recommended that local validators be used with browser validators for visibility and improved security.
On the DNS server side, Domain Look-aside Validation (DLV) presents a viable alternative for organizations in islands of security like most countries in Africa where only two country code Top Level Domains (ccTLD) have deployed DNSSEC. This research recommends use of DLV by corporates to provide DNS security to both internal and external users accessing their web-based services.

    Deployment of the Sauron system for managing the DNS system of the UdL

    The Domain Name System (DNS) provides a distributed system for resolving host names in the Internet infrastructure. This system allows each organization to manage the name data of its nodes within the DNS hierarchy. Within an organization, however, there may be several levels of delegation to particular parts of the organization's infrastructure. To decentralize the management of these parts, a free-software system is presented that allows delegation in a controlled manner, with user access control and access levels, concurrently and remotely through a web interface. The implementation, configuration, integration and deployment of this system in the network of the Universitat de Lleida are described throughout this report.

    Peer-to-Peer Technology in Subscriber Access Networks

    In recent years, various P2P applications such as file sharing have become widespread. It is therefore first examined to what extent targeted P2P routing helps to cope better with P2P data volumes and to relieve the network infrastructure. Although P2P networks are often associated with the illegal exchange of licensed material, the underlying technologies should be considered independently of their intended use. This research work therefore also studies possible applications of P2P network technology in subscriber access networks.

    Obsoleting IQUERY
