Research on the DNS Dynamic Update Based on Spread Security Group Communication
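【Author】 CHEN Lin, ZHENG Kang-feng, NIU Xin-xin, LU Feng, PENG Yue (Key Laboratory of Network and Information Attack & Defence Technology of MOE, Beijing University of Posts and Telecommunications, Beijing 100876)
【Institution】 Key Laboratory of Network and Information Attack & Defence Technology of the Ministry of Education, Beijing University of Posts and Telecommunications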
【Abstract】 The Domain Name System (DNS), one of the most critical pieces of Internet infrastructure, is facing serious security challenges. This paper describes the authentication and single-point-of-failure vulnerabilities in the existing DNS dynamic update strategy, and presents the attack methods against these vulnerabilities and their effects. It refines the approach proposed by Amir and others of adding Spread group communication to DNS dynamic update, and gives a system architecture and a three-layer model that implement it. The specific mechanisms used to implement the architecture are described in detail, and a handshake protocol is introduced to perform authentication between the DHCP server and the DNS server and to control group update permissions. The paper concludes with an analysis of the advantages and disadvantages of the new architecture.
【Key words】 domain name system; DNS dynamic update; group communication; network security;
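- 【Proceedings】 Proceedings of the 2010 National Academic Conference on Communication Security
- 【Conference】 2010 National Academic Conference on Communication Security
- 【Conference date】 2010-08-07
- 【Conference location】 Kunming, Yunnan, China
- 【Classification number】 TP393.08
- 【Organizer】 Communication Security Technical Committee of the China Institute of Communications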