Patent Grant
11647008
Embodiments of the invention relate to the field of secure network communications; and more specifically, to generating an NSEC record.
Domain Name System Security Extensions (DNSSEC) is a set of security extensions to DNS that provides a way for authenticating DNS records. DNSSEC is defined by the IETF in RFCs 4033, 4034, and 4035. Each answer from a DNS SEC protected zone is digitally signed. DNSSEC provides a way for DNS records to be trusted by whoever receives them. DNSSEC uses public key cryptography to ensure that DNS records are authentic. DNSSEC not only allows a DNS server to prove the authenticity of the records it returns, it also allows the assertion of “non-existence of records”. The DNSSEC trust chain is a sequence of records that identify either a public key or a signature of a set of resource records. The root of this chain of trust is the root key which is maintained and managed by the operators of the DNS root.
Several record types are defined by DNSSEC including DNSKEY, DS, and RRSIG. The DNSKEY record type is a public key used to sign a set of resource records (RRset). The Delegation Signer (DS) record type is a delegation signer (a hash of a key). The RRSIG record type is a signature of a RRset that shares name/type/class. The DNSKEY can be classified into two roles, which can be handled by separate keys or a single key. For example, a key signing key (KSK) can be used to sign DNSKEY records. A zone signing key (ZSK) can be used to sign all other records in the domain in which it is authoritative for.
The set of all records of a given type for a domain name is called an RRset. An RRSIG (Resource Record SIGnature) is essentially a digital signature for an RRset. Each RRSIG is associated with a DNSKEY. The RRset of DNSKEYs are signed with the key signing key (KSK). All others are signed with the zone signing key (ZSK). Trust is conferred from the DNSKEY to the record though the RRSIG: if you trust a DNSKEY, then you can trust the records that are correctly signed by that key.
However, the domain's KSK is signed by itself, making it difficult to trust. The way around this is to walk the domain up to the next/parent zone. To verify that the DNSKEY for example.com is valid, you have to ask the .com authoritative server. This is where the DS record comes into play: it acts as a bridge of trust to the parent level of the DNS.
The DS record is a hash of a DNSKEY. The .com zone stores this record for each zone that has supplied DNSSEC keying information. The DS record is part of an RRset in the zone for .com and therefore has an associated RRSIG. This time, the RRset is signed by the .com ZSK. The .com DNSKEY RRset is signed by the .com KSK.
The ultimate root of trust is the KSK DNSKEY for the DNS root. This key is universally known and published. By following the chain of DNSKEY, DS and RRSIG records to the root, any record can be trusted.
These records are enough to prove the integrity of a resource record, but something more is needed in order to prove that a record does not exist. This is where two additional record types, NSEC and NSEC3, come into play.
If a DNS authoritative server knows there is no record for a specific request, it has a way to respond to such requests. When the name asked for does not exist, it returns a message that has return code (RCODE) NXDOMAIN. When the name exists, but the requested type does not, it returns a NODATA response, i.e., empty answer.
These non-existence answers are unauthenticated and could be forged by a third party just like any other DNS response. However, DNSSEC solves this problem by creating a record type that expresses what names exist, and what types reside at each name. This record is called NSEC. An NSEC can be signed by DNSSEC, and validated up to the root. Typically, NSEC is used to cover gaps between all the domains with records in the zone. In most cases, this effectively doubles the number of records in the zone, but allows an authoritative nameserver to reply with a signed response for any question.
The zone ietf.org. uses NSEC records. Asking for ‘trustee.ietf.org’ would give you a positive answer with an IP address and an RRSIG record. Asking for ‘tustee.ietf.org’ would give you a negative answer ‘there are no name between trustee.ietf.org and www.ietf.org’, with a corresponding RRSIG.
NSEC records require complex and unusual database access to get a list of existing types for a name, which is a source of instability. Also, NSEC makes a proxy DNS DNSSEC system unfeasible since there is no knowledge of the record types exist on the origin.
This frustrates the generation of an NSEC with incomplete knowledge of the zone. NSEC is essentially a statement that says “these types do not exist”. By way of example, if the infrastructure provider does not know that a mail exchanger (MX) record exists at the Canonical Name (CNAME) target and an NSEC is sent that says “MX does not exist”, then (a) a smart resolver might decide later not to make a query for MX since it knows from the NSEC that it “does not exist”; and (b) an attacker can replay that NSEC to answer a query for MX and make the client believe it does not exist when in fact it does.
The invention may best be understood by referring to the following description and accompanying drawings that are used to illustrate embodiments of the invention. In the drawings:
In the following description, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In other instances, well-known circuits, structures and techniques have not been shown in detail in order not to obscure the understanding of this description. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.
References in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
In the following description and claims, the terms “coupled” and “connected,” along with their derivatives, may be used. It should be understood that these terms are not intended as synonyms for each other. “Coupled” is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, co-operate or interact with each other. “Connected” is used to indicate the establishment of communication between two or more elements that are coupled with each other.
A method and apparatus for providing NextSECure (NSEC) records is described. In one embodiment, any negative answer set for a domain name is provided with a set of predefined resource records indicated as existing for the domain name, not including the record type queried, regardless of whether the resource record types actually exist for the domain name.
In one embodiment, for each negative answer, a defined set of record types is set as being present, regardless of whether those record types are actually present, with the exception of the record type that was queried. In one example, all of the record types, with the exception of the record type that was queried, are set as being present. To give an example, if a query for a TXT record at a domain name does not exist, the answer may indicate that the TXT record does not exist but all other types of records (or some smaller subset of records that are meaningful) exist for the domain name, regardless of whether those other types of records actually exist for the domain name. In an embodiment, this approach is not done when the answer was originally a NXDOMAIN. If a resolver follows up and queries for one of the “existing” types that does not exist, the previous false “existing” message can be negated.
The client device 110 makes DNS queries that are received by the DNS proxy system 120 on behalf of the origin DNS server 130. For example, the origin DNS server 130 may be the origin DNS server for the domain example.com. The DNS proxy system 120 may receive the DNS queries for the domain example.com as a result of the name server of the origin DNS server 130 being changed to point to a server of the DNS proxy system 120. The DNS proxy system 120 may be provided as a service and not owned and/or operated by the origin(s) provided by the origin DNS server 130. Although not illustrated in
The DNS proxy system 120 may not have a complete understanding of the zones provided by the origin DNS server 130. For instance, the DNS proxy system 120 may not, at the time of its request, know the type of records available in the DNS records 140 of the origin DNS server 130 for a particular domain name. In the example shown in
The client device 110 transmits a DNS query 115 for a TXT record type for the domain name example.com. This DNS query 115 is received by the DNS proxy system 120. If the DNS proxy system 120 determines that there is not a TXT record type for the domain name example.com, the DNS proxy system 120 generates an NSEC record even without a complete understanding of the zone (e.g., without a complete understanding of which record types exist for the domain example.com). For example, the DNS proxy system 120 generates an NSEC record that indicates that a TXT record does not exist for the domain example.com but all other types of records (or some smaller subset of records that are meaningful) exist for the domain name, regardless of whether those other types of records actually exist for the domain name. For instance, the DNS proxy system 120 sets the bit in the Type Bit Maps field for each RRset (or other predefined set of RRset types) with the exception of the resource record being queried (in this example the TXT record). The DNS proxy system 120 transmits the DNS answer 125 that includes the generated NSEC record to the client device 110.
At operation 310, the DNS proxy system 120 receives a DNS query for a domain name. The DNS query may specify a particular resource record type. Flow then moves to operation 315 where the DNS proxy system 120 determines whether there is a negative answer for the received DNS query. If there is not a negative answer, then flow moves to operation 340 where the DNS proxy system 120 answers in its normal fashion. If there is a negative answer, then flow moves to operation 320. At operation 320, which is optional in some embodiments, the DNS proxy system 120 determines whether the original answer would be a NXDOMAIN record, meaning that the requested domain name was not found. If the original answer would be a NXDOMAIN record, then flow moves to operation 340 and the DNS proxy system 120 answers in its normal fashion. If the original answer is not an NXDOMAIN record (e.g., the domain name exists but the requested resource record type does not), then flow moves to operation 325. At operation 325, the DNS proxy system 120 generates an answer that indicates that the requested record does not exist at the domain name but a set of predefined record types exist at the domain name, regardless of whether those record types actually exist at the domain name.
As illustrated in
The techniques shown in the figures can be implemented using code and data stored and executed on one or more computing devices (e.g., client devices, servers, etc.). Such computing devices store and communicate (internally and/or with other computing devices over a network) code and data using machine-readable media, such as machine-readable storage media (e.g., magnetic disks; optical disks; random access memory; read only memory; flash memory devices; phase-change memory) and machine-readable communication media (e.g., electrical, optical, acoustical or other form of propagated signals—such as carrier waves, infrared signals, digital signals, etc.). In addition, such computing devices typically include a set of one or more processors coupled to one or more other components, such as one or more storage devices, user input/output devices (e.g., a keyboard, a touchscreen, and/or a display), and network connections. The coupling of the set of processors and other components is typically through one or more busses and bridges (also termed as bus controllers). The storage device and signals carrying the network traffic respectively represent one or more machine-readable storage media and machine-readable communication media. Thus, the storage device of a given computing device typically stores code and/or data for execution on the set of one or more processors of that computing device. Of course, one or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.
While the flow diagrams in the figures show a particular order of operations performed by certain embodiments of the invention, it should be understood that such order is exemplary (e.g., alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, etc.).
While the invention has been described in terms of several embodiments, those skilled in the art will recognize that the invention is not limited to the embodiments described, can be practiced with modification and alteration within the spirit and scope of the appended claims. The description is thus to be regarded as illustrative instead of limiting.
This application is a continuation of U.S. application Ser. No. 15/148,856, filed May 6, 2016, now U.S. Pat. No. 9,954,840, which claims the benefit of U.S. Provisional Application No. 62/159,211, filed May 8, 2015, which is hereby incorporated by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 6119234 | Aziz et al. | Sep 2000 | A |
| 8347100 | Thornewell | Jan 2013 | B1 |
| 8566928 | Dagon | Oct 2013 | B2 |
| 8645700 | Smith et al. | Feb 2014 | B2 |
| 8843643 | Larson | Sep 2014 | B2 |
| 8886750 | Mutz et al. | Nov 2014 | B1 |
| 8943201 | Larson | Jan 2015 | B2 |
| 9088415 | Gagliano | Jul 2015 | B2 |
| 9106699 | Thornewell et al. | Aug 2015 | B2 |
| 9130917 | Smith et al. | Sep 2015 | B2 |
| 9282116 | Rovniaguin | Mar 2016 | B1 |
| 9338182 | Devarapalli et al. | May 2016 | B2 |
| 9596266 | Coleman et al. | Mar 2017 | B1 |
| 9705682 | Kaliski, Jr. et al. | Jul 2017 | B2 |
| 9705851 | Kaliski, Jr. et al. | Jul 2017 | B2 |
| 9723134 | Davis | Aug 2017 | B1 |
| 9860283 | Munger | Jan 2018 | B2 |
| 20020124060 | Jinzaki | Sep 2002 | A1 |
| 20040039798 | Hotz et al. | Feb 2004 | A1 |
| 20040044791 | Pouzzner | Mar 2004 | A1 |
| 20060005014 | Aura | Jan 2006 | A1 |
| 20060020796 | Aura | Jan 2006 | A1 |
| 20060020807 | Aura | Jan 2006 | A1 |
| 20060253612 | Cheshire | Nov 2006 | A1 |
| 20060268802 | Faccin | Nov 2006 | A1 |
| 20070204038 | Majumdar | Aug 2007 | A1 |
| 20070283028 | Gilroy et al. | Dec 2007 | A1 |
| 20080189437 | Halley | Aug 2008 | A1 |
| 20100005146 | Drako et al. | Jan 2010 | A1 |
| 20100106833 | Banerjee et al. | Apr 2010 | A1 |
| 20110035469 | Smith et al. | Feb 2011 | A1 |
| 20110060950 | Waldron | Mar 2011 | A1 |
| 20110153831 | Mutnuru et al. | Jun 2011 | A1 |
| 20120017090 | Gould | Jan 2012 | A1 |
| 20120096166 | Devarapalli | Apr 2012 | A1 |
| 20120117379 | Thornewell et al. | May 2012 | A1 |
| 20120117621 | Kondamuru | May 2012 | A1 |
| 20120124369 | Amenedo | May 2012 | A1 |
| 20120155646 | Seshadri | Jun 2012 | A1 |
| 20120254386 | Smith | Oct 2012 | A1 |
| 20120278626 | Smith | Nov 2012 | A1 |
| 20120284505 | Smith et al. | Nov 2012 | A1 |
| 20120331524 | Mower et al. | Dec 2012 | A1 |
| 20130124685 | Keitel et al. | May 2013 | A1 |
| 20130204978 | Fleischman et al. | Aug 2013 | A1 |
| 20130227672 | Ogg | Aug 2013 | A1 |
| 20130268673 | Graham-Cumming | Oct 2013 | A1 |
| 20140173134 | Choquette et al. | Jun 2014 | A1 |
| 20140222906 | Isler et al. | Aug 2014 | A1 |
| 20140244998 | Amenedo | Aug 2014 | A1 |
| 20140280305 | James et al. | Sep 2014 | A1 |
| 20140344925 | Muthiah | Nov 2014 | A1 |
| 20150058999 | McPherson | Feb 2015 | A1 |
| 20150117624 | Rosenshine | Apr 2015 | A1 |
| 20150295882 | Kaliski, Jr. | Oct 2015 | A1 |
| 20150312100 | Chan et al. | Oct 2015 | A1 |
| 20150381558 | Tuliani | Dec 2015 | A1 |
| 20160036943 | Kish | Feb 2016 | A1 |
| 20160197898 | Hozza et al. | Jul 2016 | A1 |
| 20160261750 | Tubi et al. | Sep 2016 | A1 |
| 20160301656 | Akcin | Oct 2016 | A1 |
| 20160308818 | Torres et al. | Oct 2016 | A1 |
| 20160330174 | Sullivan et al. | Nov 2016 | A1 |
| 20170324724 | Smith et al. | Nov 2017 | A1 |
| 20180007090 | Cao et al. | Jan 2018 | A1 |
| Entry |
|---|
| Andrews (RFC2308, “Negative Caching of DNS Queries (DNS Cache)”, Mar. 1998, pp. 1-19). (Year: 1998). |
| Schlyter “RFC 3845: DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format,” Aug. 2004, pp. 1-7 (Year: 2004). |
| Weiler et al “RFC 4470: Minimally Covering NSEC Records and DNSSEC On-line Signing,” Apr. 2006, pp. 1-8 (Year: 2006). |
| Chandramouli et al “Secure Domain Name System (DNS) Deployment Guide,” NIST Special Publication 800-81-2, Sep. 2013, pp. 1-130, (Year: 2013). |
| Almond C., “DNSSEC Validation and BIND9 Cache”, Feb. 5, 2014, retrieved online from , retrieved on Nov. 13, 2017, 3 pages. |
| Arends R., et al., “DNS Security Introduction and Requirements,” Network Working Group, Request for Comments: 4033, Mar. 2005, 21 pages. |
| Arends R., et al., “Protocol Modifications for the DNS Security Extensions,” Network Working Group, Request for Comments: 4035, Mar. 2005, 53 pages. |
| Arends R., et al., “Resource Records for the DNS Security Extensions,” Network Working Group, Request for Comments: 4034, Mar. 2005, 29 pages. |
| Bau J., et al., “A Security Evaluation of DNSSEC with NSEC 3,” Mar. 2, 2010, 18 pages. |
| Bellis R., “DNS Proxy Implementation Guidelines,” Aug. 2009, Network Working Group, Request for Comments: 5625, retrieved from the Internet , retrieved on Aug. 1, 2016. |
| Chetioui K., et al., “Security of the DNS Protocol: Implementation & Weaknesses Analyses of DNSSEC,” IJCSI International Journal of Computer Science Issues, vol. 9 (2), Mar. 2012, pp. 340-345. |
| Final Office Action from U.S. Appl. No. 15/148,867, dated Feb. 23, 2017, 15 pages. |
| Goldberg S., et al., “NSEC5: Provably Preventing DNSSEC Zone Enumeration,” Oct. 17, 2014, 8 pages. |
| Non-Final Office Action from U.S. Appl. No. 15/148,856 dated Sep. 16, 2016, 20 pages. |
| Non-Final Office Action from U.S. Appl. No. 15/148,867 dated Aug. 11, 2016, 15 pages. |
| Non-Final Office Action from U.S. Appl. No. 15/148,867, dated Nov. 22, 2017, 23 pages. |
| Notice of Allowance from U.S. Appl. No. 15/148,856, dated Feb. 14, 2018, 24 pages. |
| Notice of Allowance from U.S. Appl. No. 15/148,856, dated Mar. 27, 2017, 13 pages. |
| Notice of Allowance from U.S. Appl. No. 15/148,856, dated Sep. 6, 2017, 14 pages. |
| Notice of Allowance from U.S. Appl. No. 15/148,867, dated Mar. 26, 2018, 14 pages. |
| RFC 3845: Schlyter , “DNS Security (DNSSEC) NextSECure (NSEC) RData Format,” Aug. 2004, 7 pages, Request for Comments: 3845. |
| RFC 7129: Giben R., et al., “Authenticated Denial of Existence in DNS,” Feb. 2014, 30 pages, Network Working Group, Request for Comments: 7129. |
| Number | Date | Country | |
|---|---|---|---|
| 20180241733 A1 | Aug 2018 | US |
| Number | Date | Country | |
|---|---|---|---|
| 62159211 | May 2015 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 15148856 | May 2016 | US |
| Child | 15961632 | US |
