8,820 research outputs found

    Detecting and Refactoring Operational Smells within the Domain Name System

    The Domain Name System (DNS) is one of the most important components of the Internet infrastructure. DNS relies on a delegation-based architecture, where resolution of names to their IP addresses requires resolving the names of the servers responsible for those names. The recursive structures of the interdependencies that exist between name servers associated with each zone are called dependency graphs. System administrators' operational decisions have far-reaching effects on the DNS's qualities. They need to be soundly made to create a balance between the availability, security and resilience of the system. We utilize dependency graphs to identify, detect and catalogue operational bad smells. Our method deals with smells on a high level of abstraction using a consistent taxonomy and reusable vocabulary, defined by a DNS Operational Model. The method will be used to build a diagnostic advisory tool that will detect configuration changes that might decrease the robustness or security posture of domain names before they go into production. Comment: In Proceedings GaM 2015, arXiv:1504.0244

    DNS zones revisited

    Recent research [Pap04b] suggests DNS reliability and performance is not up to the levels it should be due to misconfigurations. This paper checks the configuration of nameserver zones against additional requirements, recommendations and best practices. It shows that almost one in four domains fails to pass one or more of these checks. During the checks an interesting correlation is established: a higher number of nameservers for a single zone usually decreases reliability and performance instead of increasing both.

    ICANN—Now and Then: ICANN’s Reform and Its Problems

    This paper sheds some light upon the major problem arising from the current normative infrastructure of the DNS and provides a possible solution to the current physical problem of the DNS. The paper's main focus is the single-entity control of the A Root. The paper uses as a starting point the Blueprint prepared by the Committee on ICANN Evolution and Reform and raises the question: Has this reform done anything to resolve the single-entity control of the A Root? The paper argues that the reform has done nothing to solve the problem because the international privatization of the DNS merely substitutes the administration of the DNS function without making changes to the normative infrastructure of the DNS. In light of the above, the paper argues that there is a need to declare independence from a one-entity controlled DNS. The suggested approach is to share authority over the root by acknowledging that countries that are accountable to their populations are the authorities for their own ccTLDs. Once technical and political independence has been achieved, the technical and, to some degree, political management of the DNS should be exercised through an international body. In order to initiate a discussion for a truly international body this paper offers nine principles that a new international ccTLD cooperation organization should observe when working on its own creation.

    The Use of Firewalls in an Academic Environment


    Enabling Practical IPsec authentication for the Internet

    On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops (First International Workshop on Information Security (IS'06), OTM Federated Conferences and workshops). Montpellier, Oct./Nov. 2006. There is a strong consensus about the need for IPsec, although its use is not widespread for end-to-end communications. One of the main reasons for this is the difficulty of authenticating two end-hosts that do not share a secret or do not rely on a common Certification Authority. In this paper we propose a modification to IKE to use reverse DNS and DNSSEC (named DNSSEC-to-IKE) to provide end-to-end authentication to Internet hosts that do not share any secret, without requiring the deployment of a new infrastructure. We perform a comparative analysis in terms of requirements, provided security and performance with state-of-the-art IKE authentication methods and with a recent proposal for IPv6 based on CGA. We conclude that DNSSEC-to-IKE enables the use of IPsec in a broad range of scenarios in which it was not applicable, at the price of offering slightly less security and incurring higher performance costs. Universidad de Montpellier II.