The Domain Name System (DNS) is a major target of network attacks because the base protocol offers only weak authentication. The DNS Security Extensions (DNSSEC) add public-key authentication of DNS data, but DNSSEC is still in the deployment phase. Because signed responses carry keys and signatures, DNSSEC assumes that large UDP payloads (advertised through the EDNS0 message-size extension) can be exchanged, which in practice relies on IP fragmentation. IP fragments are often blocked by network packet filters for administrative reasons, and such blockage can delay the exchange of DNSSEC messages. In this paper, we propose a scheme to detect the UDP large-payload transfer capability between two DNSSEC hosts. The scheme requires no new DNS or DNSSEC protocol elements, so it can be deployed by modifying only application software and configuration. It allows faster capability detection by probing the end-to-end communication capability between two DNS hosts with a large UDP DNS message, and the DNS software can then choose an application-level maximum transmission unit (MTU) from the probe results. Implementation test results show that the proposed scheme shortens the detection and transition time on transports that block fragments.
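To make the probing idea concrete, the following is an added illustration written for this page; it is not the paper's code and does not reproduce the paper's specific detection mechanism, which is not described here. It shows the general approach the abstract outlines: send the same query with a decreasing series of advertised EDNS0 UDP buffer sizes, treat silence as fragments lost on the path, and keep the first size that draws a reply as the application-level MTU. The probe schedule, the query name `example.` and the `SimulatedPath` transport (a constructed stand-in for a server behind a fragment-blocking filter, so the block runs offline) are all assumptions of this example.

```python
"""Added illustration: probe the largest UDP DNS payload a path delivers
(EDNS0 buffer size stepped down until a reply arrives).  Not the paper's
code; the transport below is a constructed simulator, not a real resolver."""
import random
import struct

# Assumed probe schedule (largest EDNS0 buffer first, down to the classic
# 512-byte DNS limit).  The schedule is this example's choice, not the paper's.
PROBE_SIZES = (4096, 1472, 1232, 512)
QTYPE_DNSKEY = 48
QCLASS_IN = 1
TYPE_OPT = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
FLAG_QR = 0x8000
FLAG_TC = 0x0200       # "truncated": answer did not fit the advertised buffer
OPT_LEN = 11           # root name (1) + TYPE (2) + CLASS (2) + TTL (4) + RDLEN (2)


def encode_name(name):
    """Wire-format a dotted domain name ("example." -> b"\\x07example\\x00")."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, udp_size, txid):
    """Query with one question plus an OPT RR advertising `udp_size` and DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: CLASS carries the requester's UDP payload size; the TTL field
    # carries ext-rcode, EDNS version and the DO bit (0x8000 = DNSSEC OK).
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x8000, 0)
    return header + question + opt


def advertised_size(query):
    """Read the UDP payload size back out of the trailing OPT RR."""
    opt = query[-OPT_LEN:]
    return struct.unpack("!H", opt[3:5])[0]


def parse_reply(reply, expected_txid):
    """Return (is_answer, truncated); is_answer is False for junk or a txid mismatch."""
    if len(reply) < 12:
        return False, False
    txid, flags = struct.unpack("!HH", reply[:4])
    if txid != expected_txid or not flags & FLAG_QR:
        return False, False
    return True, bool(flags & FLAG_TC)


def detect_udp_capability(exchange, name="example.", probes=PROBE_SIZES):
    """Send the same DNSKEY query with decreasing EDNS0 buffer sizes.

    `exchange(query_bytes)` returns the reply bytes or None on timeout.  The
    first size that draws a reply is the application-level MTU to remember;
    `truncated` tells the caller it must fall back to TCP for the full answer.
    Returns (None, False) when even a 512-byte probe gets nothing back.
    """
    for size in probes:
        txid = random.randrange(0, 0x10000)
        reply = exchange(build_query(name, QTYPE_DNSKEY, size, txid))
        if reply is None:
            continue            # silence: treat as fragments dropped at this size
        is_answer, truncated = parse_reply(reply, txid)
        if is_answer:
            return size, truncated
    return None, False


class SimulatedPath:
    """Constructed stand-in for a server plus a fragment-blocking path.

    The server answers with `answer_size` bytes, honouring the client's
    advertised buffer by truncating and setting TC when the answer would not
    fit; the path then silently drops any datagram larger than `path_limit`
    (what a filter that blocks IP fragments looks like to the client).
    """
    def __init__(self, answer_size, path_limit):
        self.answer_size = answer_size
        self.path_limit = path_limit
        self.probes_sent = 0

    def exchange(self, query):
        self.probes_sent += 1
        txid = struct.unpack("!H", query[:2])[0]
        flags = FLAG_QR | 0x0100 | 0x0080      # QR, RD, RA
        size = self.answer_size
        if size > advertised_size(query):
            flags |= FLAG_TC
            size = advertised_size(query)
        if size > self.path_limit:
            return None                        # fragments blocked: client times out
        header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
        return header + b"\x00" * (size - len(header))


if __name__ == "__main__":
    path = SimulatedPath(answer_size=3000, path_limit=1500)
    print(detect_udp_capability(path.exchange), "after", path.probes_sent, "probes")
```

With a 3000-byte signed answer behind a path that drops anything over 1500 bytes, the 4096-byte probe draws no reply and the 1472-byte probe comes back with TC set: the client learns in two round trips that 1472 is its usable UDP size and that this particular answer needs TCP. A real implementation would bound each probe with a timeout, cache the result per peer, and re-probe when the path changes.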
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Kenji RIKITAKE, Koji NAKAO, Shinji SHIMOJO, Hiroki NOGAWA, "UDP Large-Payload Capability Detection for DNSSEC" in IEICE TRANSACTIONS on Information,
vol. E91-D, no. 5, pp. 1261-1273, May 2008, doi: 10.1093/ietisy/e91-d.5.1261.
URL: https://globals.ieice.org/en_transactions/information/10.1093/ietisy/e91-d.5.1261/_p
@ARTICLE{e91-d_5_1261,
author={Kenji RIKITAKE and Koji NAKAO and Shinji SHIMOJO and Hiroki NOGAWA},
journal={IEICE TRANSACTIONS on Information},
title={UDP Large-Payload Capability Detection for DNSSEC},
year={2008},
volume={E91-D},
number={5},
pages={1261-1273},
doi={10.1093/ietisy/e91-d.5.1261},
ISSN={1745-1361},
month={May},
}
TY - JOUR
TI - UDP Large-Payload Capability Detection for DNSSEC
T2 - IEICE TRANSACTIONS on Information
SP - 1261
EP - 1273
AU - Kenji RIKITAKE
AU - Koji NAKAO
AU - Shinji SHIMOJO
AU - Hiroki NOGAWA
PY - 2008
DO - 10.1093/ietisy/e91-d.5.1261
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E91-D
IS - 5
JA - IEICE TRANSACTIONS on Information
Y1 - May 2008
ER -