JP2011176468A - Name resolution device, name resolution method, and name resolution program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To efficiently perform inquiry for name resolution. <P>SOLUTION: This name resolution device 100 includes: a cache part 103 for caching a response content to inquiry to a name management system for managing a hierarchically-configured name space; a verification part 105 for verifying validity of the response content to the inquiry for name resolution using first verification information obtained from a server of a hierarchy of an inquiry destination of the inquiry, verifying the validity of the first verification information using second verification information obtained by inquiry to servers of the respective hierarchies from the highest hierarchy of the name management system to the upper hierarchy of the hierarchy of the inquiry destination of the inquiry, and storing the first verification information of which the validity has been verified in the cache part 103 to be reused; and a cache control part 104 for controlling the first verification information to be left in the cache part 103 when creating an empty region in the cache part. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a name resolution device, a name resolution method, and a name resolution program.

  DNSSEC (DNS Security Extensions) is known as an extension specification for guaranteeing the validity of a response in a DNS (Domain Name System) that is a name management system that manages a hierarchically configured name space. In DNSSEC, an electronic signature is used to guarantee validity.

  A DNS configuration when DNSSEC is enabled will be described with reference to FIG. FIG. 18 illustrates the client device 10, the DNS cache server 20, the DNS server 30, the DNS server 40, and the DNS server 50. The client device 10 obtains an IP address from the domain name by name resolution and uses various services on the network.

  The DNS cache server 20 relays the name resolution between the client device 10 and the DNS servers 30 to 50, and stores the response from the DNS server 30 to 50 as a query result cache 21 in response to the query from the client device 10. To do. When the response to the inquiry from the client device 10 is included in the inquiry result cache 21, the DNS cache server 20 returns the inquiry response from the inquiry result cache 21 instead of transferring the inquiry to the DNS servers 30 to 50. Obtain and proxy response.

  As described above, the DNS cache server 20 stores the response from the DNS servers 30 to 50 in response to the inquiry from the client device 10 as the inquiry result cache 21, and performs a proxy response using the response to the DNS server 30 to 50. It is possible to reduce the load on the network and shorten the response time to an inquiry.

  The DNS server 30 is a DNS server that manages a route, the DNS 40 is a DNS server that manages a jp zone under the route, and the DNS 50 is an example. It is a DNS server that manages the jp zone. In addition to the conventional resource records for name resolution, the DNS servers 30 to 50 have a resource record that holds a signature for guaranteeing the validity of each resource record and a public key corresponding to the secret key used for the signature. A resource record holding a key and a resource record holding information for guaranteeing the validity of the public key of the subordinate zone are stored.

  In DNSSEC, KSK (Key Signing Key), which is a public key corresponding to a secret key used for signing a resource record holding a public key, and a public key corresponding to a secret key used for signing other resource records Two types of public keys called ZSK (Zone Signing Key) are prepared for each zone. In the following, KSK of each zone is expressed by adding KSK to the end of the name of the zone, and ZSK of each zone is expressed by adding ZSK to the end of the name of the zone.

  The DNS 50 verifies the A resource record 51a that holds the IP address corresponding to the domain name “www.example.jp”, the RRSIG resource record 51b that holds the signature of the A resource record 51a, and the signature of the A resource record 51a Which is the public key used in the example. jp. A DNSKEY resource record 52a that holds ZSK, an RRSIG resource record 52b that holds a signature of the DNSKEY resource record 52a, and an example key that is a public key used for verification of the signature of the DNSKEY resource record 52a. jp. The DNSKEY resource record 53a that holds KSK and the RRSIG resource record 53b that holds the signature of the DNSKEY resource record 53a are stored.

  DNS40 is an example. jp. DS resource record 41a holding the hash of KSK, RRSIG resource record 41b holding the signature of DS resource record 41a, and jp. Which is a public key used for verifying the signature of DS resource record 41a. A DNSKEY resource record 42a holding ZSK, an RRSIG resource record 42b holding a signature of the DNSKEY resource record 42a, and a public key used for verifying the signature of the DNSKEY resource record 42a. A DNSKEY resource record 43a that holds KSK and an RRSIG resource record 43b that holds the signature of the DNSKEY resource record 53a are stored.

  The DNS server 30 is jp. DS resource record 31a that holds the KSK hash, RRSIG resource record 31b that holds the signature of the DS resource record 31a, and DNSKEY resource record that holds the root ZSK that is the public key used to verify the signature of the DS resource record 31a 32a, the RRSIG resource record 32b that holds the signature of the DNSKEY resource record 32a, the DNSKEY resource record 33a that holds the root KSK that is the public key used for verifying the signature of the DNSKEY resource record 32a, and the signature of the DNSKEY resource record 33a Is stored with the RRSIG resource record 33b.

  Thus, by holding the signature of the resource record and the public key for verifying it as the resource record, the validity of each resource record can be guaranteed. For example, the validity of the A resource record 51a is guaranteed by the signature held in the RRSIG resource record 51b and the public key held in the DNSKEY resource record 52a. The validity of the DNSKEY resource record 52a is guaranteed by the signature held in the RRSIG resource record 52b and the public key held in the DNSKEY resource record 53a.

  The validity of the DNSKEY resource record 53a is guaranteed by the DS resource record 41a of the DNS server 40 in addition to the signature held in the DNSKEY resource record 53b. The validity of the DS resource record 41a is guaranteed by the signature held in the RRSIG resource record 41b and the public key held in the DNSKEY resource record 42a. The validity of the DNSKEY resource record 42a is guaranteed by the signature held in the RRSIG resource record 42b and the public key held in the DNSKEY resource record 43a.

  The validity of the DNSKEY resource record 43a is guaranteed by the DS resource record 31a of the DNS server 30 in addition to the signature held in the DNSKEY resource record 43b. The validity of the DS resource record 31a is guaranteed by the signature held in the RRSIG resource record 31b and the public key held in the DNSKEY resource record 32a. The validity of the DNSKEY resource record 32a is guaranteed by the signature held in the RRSIG resource record 32b and the public key held in the DNSKEY resource record 33a.

  Further, the validity of the DNSKEY resource record 33a is guaranteed by the hash 22 of the root KSK distributed in advance to the DNS cache server 20 in addition to the signature held in the DNSKEY resource record 33b. Thus, in DNSSEC, the validity of the resource record in each zone is guaranteed by the public key stored in the DNSKEY resource record in the same zone, and the validity of the DNSKEY resource record in the lower zone is set in the upper zone. A chain of trust assured by the DS resource record is constructed (see Non-Patent Documents 1 to 3).

  Next, a processing procedure for obtaining an IP address from a domain name “www.example.jp” in the configuration shown in FIG. 18 will be described with reference to FIG. It is assumed that the query result cache 21 held by the DNS cache server 20 is empty.

  In order to obtain an IP address corresponding to the domain name “www.example.jp”, the client device 10 sends an A resource record corresponding to “www.example.jp” to the DNS cache server 20 that is known in advance. An inquiry is made (step S10).

  The DNS cache server 20 that has received the inquiry first inquires of the DNS server 30 that is known in advance for an A resource record corresponding to “www.example.jp” (step S11). The DNS server 30 refers to an NS resource record (not shown) and responds that it should make an inquiry to the DNS server 40 having the authority of the jp zone (step S12).

  Subsequently, the DNS cache server 20 inquires of the DNS server 40 indicated in the response for an A resource record corresponding to “www.example.jp” (step S13). The DNS server 40 refers to the NS resource record (not shown), and the example. It responds that it should inquire to the DNS server 50 having the authority of the jp zone (step S14).

  Subsequently, the DNS cache server 20 inquires of the DNS server 50 indicated in the response for an A resource record corresponding to “www.example.jp” (step S15). The DNS server 50 includes the content of the A resource record 51a corresponding to “www.example.jp” (“192.168.100.1”) and the content of the RRSIG resource record 51b holding the signature of the A resource record 51a ( "ZZZ") is returned (step S16).

  Upon receiving the response, the DNS cache server 20 sends an example.code to the DNS server 50 in order to verify the response content. Query DNSKEY of jp zone (step S17). The DNS server 50 stores the contents of the DNSKEY resource record 52a (example.jp.ZSK), the contents of the DNSKEY resource record 53a (example.jp.KSK), and the contents of the RRSIG resource record that holds the signature of those resource records. A response is made (step S18).

  The DNS cache server 20 sends an example.example.log to the DNS server 30 in order to verify the validity of the responded KSK. Inquires about the DS resource record of the jp zone (step S19). The DNS server 30 refers to an NS resource record (not shown) and responds that it should make an inquiry to the DNS server 40 having the authority of the jp zone (step S20).

  Subsequently, the DNS cache server 20 sends an example. Inquires about the DS resource record of the jp zone (step S21). The DNS server 40 responds with the contents (“aaa”) of the DS resource record 41a and the contents (“XXX”) of the RRSIG resource record 41b holding the signature of the DS resource record 41a (step S22).

  Upon receiving the response, the DNS cache server 20 queries the DNS server 40 for the DNS key of the jp zone in order to verify the response content (step S23). The DNS server 40 responds with the contents of the DNSKEY resource record 42a (jp.ZSK), the contents of the DNSKEY resource record 43a (jp.KSK), and the contents of the RRSIG resource record that holds the signatures of those resource records (steps). S24).

  The DNS cache server 20 inquires the DNS server 30 about the DS resource record of the jp zone in order to verify the validity of the responded KSK (step S25). The DNS server 30 responds with the content (“bbb”) of the DS resource record 31a and the content (“VVV”) of the RRSIG resource record 31b holding the signature of the DS resource record 31a (step S26).

  The DNS cache server 20 that has received the response queries the DNS server 30 for the DNSKEY of the root zone in order to verify the response content (step S27). The DNS server 30 responds with the contents of the DNSKEY resource record 32a (root ZSK), the contents of the DNSKEY resource record 33a (root KSK), and the contents of the RRSIG resource record holding the signatures of those resource records (step S28). .

  The DNS cache server 20 verifies the validity of the A resource record 51a in the example.example.com included in the DNSKEY resource record 52a. jp. While verifying using ZSK, the validity of the DNSKEY resource record 52a is verified in the example.example.com included in the DNSKEY resource record 53a. jp. Verify using KSK. Further, the DNS cache server 20 recursively inquires about the validity of the DNSKEY resource record 53a from the DNS server 30 in the root zone to the DNS server 40 that is higher than the DNS server 50 that acquired the A resource record 51a. Validate based on the contents of the acquired resource record.

  If all verifications are successful, the DNS cache server 20 responds to the client device 10 with the contents of the A resource record 51a (step S29).

“DNS Security Introduction and Requirements”, [online], [searched on February 12, 2010], Internet <URL: http://www.ietf.org/rfc/rfc4033.txt> “Resource Records for the DNS Security Extensions”, [online], [searched on February 12, 2010], Internet <URL: http://www.ietf.org/rfc/rfc4034.txt> “Protocol Modifications for the DNS Security Extensions”, [online], [searched on February 12, 2010], Internet <URL: http://www.ietf.org/rfc/rfc4035.txt>

  When DNSSEC is validated for DNS, the validity of the response is guaranteed, but the efficiency of the inquiry may be reduced. One reason for this is that, as in steps S19 to S28 in FIG. 19, it is necessary to make a plurality of inquiries to the upper DNS server in order to verify the validity of DNSKEY. Another reason is that, in addition to the conventional resource records for name resolution, resource records used in DNSSEC such as DNSKEY and DS are cached in the DNS cache server. This is because there are many cases where the above occurs.

  The present invention has been made in view of the above, and an object of the present invention is to provide a name resolution device, a name resolution method, and a name resolution program capable of efficiently performing an inquiry for name resolution.

  In order to solve the above-described problems and achieve the object, a name resolution device according to the present invention includes a cache unit that caches response contents to an inquiry to a name management system that manages a hierarchically configured name space. The name resolution device verifies the validity of the response content to the query for name resolution using the first verification information obtained from the server of the inquiry destination hierarchy of the query, and The second verification information obtained by inquiring the server of each hierarchy from the highest hierarchy of the name management system to the higher hierarchy of the inquiry destination hierarchy is used. The verification unit that verifies the first verification information that has been verified and stores the first verification information in the cache unit, and creates a free area in the cache unit. The case, characterized in that it comprises a cache control unit for controlling so as to leave the first verification information in the cache unit.

  The name resolution method according to the present invention is a name resolution method executed by a name resolution device having a cache unit that caches response contents to an inquiry to a name management system that manages a hierarchically configured name space. Then, the name resolution device verifies the validity of the response content to the query for name resolution using the first verification information obtained from the server of the inquiry destination hierarchy of the query. And the name resolution device determines the validity of the first verification information for servers in each hierarchy from the highest hierarchy of the name management system to a hierarchy higher than the inquiry inquiry hierarchy. The second verification step for verifying using the second verification information obtained by the inquiry, and the name resolution device has been verified for validity in the second verification step. A storage step of storing the first verification information in the cache unit for reuse; and when the name resolution device creates a free area in the cache unit, the first verification information is stored in the cache unit. And a cache release process for controlling to remain in the system.

  A name resolution program according to the present invention causes a computer to function as a name resolution device that executes the above-described name resolution method.

  The name resolution device, the name resolution method, and the name resolution program according to the present invention have an effect that a query for name resolution can be efficiently performed.

FIG. 1 is a diagram illustrating the configuration of the name resolution device according to the first embodiment. FIG. 2 is a diagram illustrating a processing procedure of name resolution processing according to the first embodiment. FIG. 3 is a diagram illustrating a processing procedure of cache release processing according to the first embodiment. FIG. 4 is a diagram illustrating the configuration of the name resolution device according to the second embodiment. FIG. 5 is a diagram illustrating an example of depth information. FIG. 6 is a diagram illustrating another example of depth information. FIG. 7 is a diagram illustrating a processing procedure of name resolution processing according to the second embodiment. FIG. 8 is a diagram illustrating a processing procedure of cache release processing according to the second embodiment. FIG. 9 is a diagram illustrating the configuration of the name resolution device according to the third embodiment. FIG. 10 is a diagram illustrating an example of the frequency information. FIG. 11 is a diagram illustrating a processing procedure of name resolution processing according to the third embodiment. FIG. 12 is a diagram illustrating a processing procedure of cache release processing according to the third embodiment. FIG. 13 is a diagram illustrating the configuration of the name resolution device according to the fourth embodiment. FIG. 14 is a diagram illustrating an example of the frequency information. FIG. 15 is a diagram illustrating a processing procedure of name resolution processing according to the fourth embodiment. FIG. 16 is a diagram illustrating a processing procedure of cache release processing according to the fourth embodiment. FIG. 17 is a functional block diagram illustrating a computer that executes a name resolution program. FIG. 18 is a functional block diagram illustrating an example of a DNS configuration when DNSSEC is enabled. FIG. 19 is a functional block diagram illustrating an example of a name resolution processing procedure when DNSSEC is enabled. FIG. 20 is a functional block diagram illustrating an example of a name resolution processing procedure when DNSKEY is cached.

  Embodiments of a name resolution device, a name resolution method, and a name resolution program according to the present invention will be described below in detail with reference to the drawings. In the following example, DNS is shown as an example of a name management system that manages a hierarchically configured namespace, but a hierarchically configured namespace such as LDAP (Lightweight Directory Access Protocol) is managed. The present invention can be applied to other name management systems.

  The name resolution device 100 according to the present embodiment is a device that makes an inquiry to the DNS 90 to resolve a name. In addition to the conventional resource records for name resolution, among the resource records added in DNSSEC, Cache only verified DNSKEY resource records. Then, the name resolution device 100 performs cache control so that the DNSKEY resource record remains in the cache as long as possible.

  By preferentially caching verified DNSKEY resource records in this way, even when DNSSEC is enabled, the time until completion of name resolution is almost the same as when DNSSEC is not enabled. Can do.

  For example, even if the A resource record is not cached, if the verified DNSKEY resource record of the zone to which the A resource record belongs is cached, the DS resource record for verifying the DNSKEY as shown in FIG. The process of recursively inquiring the DNS server of the higher zone etc. (steps S19 to S27 in FIG. 19) is unnecessary, so that DNSSEC enables the time to complete name resolution and the amount of information exchanged. It is almost equivalent to the case where it is not done.

  Also, unlike the A resource record that exists for each network interface in the zone, there are relatively few DNSKEY resource records (for example, about two) for each zone. The proportion of records in the cache area is relatively small, and cache misses do not increase.

  The name resolution device 100 may be a device that relays an inquiry to the DNS, such as the DNS cache server 20 shown in FIG. 18, or has authority over the device such as the DNS cache server 20. It may be a client device that makes an inquiry directly to the DNS server that it has. Further, in the following description, for the sake of simplicity, the effective period such as TTL (Time To Live) is not considered.

  Next, the configuration of the name resolution device 100 according to the present embodiment will be described with reference to FIG. As illustrated in FIG. 1, the name resolution device 100 includes a name resolution unit 101, an inquiry unit 102, a cache unit 103, a cache control unit 104, and a verification unit 105. The name resolution unit 101 generates a query for name resolution and analyzes a response to the query.

  The inquiry unit 102 transmits the inquiry generated by the name resolution unit 101 to the DNS 90, passes the response returned from the DNS 90 to the name resolution unit 101 and stores it in the cache unit 103. When a response corresponding to the query newly generated by the name resolution unit 101 is stored in the cache unit 103, the query unit 102 does not transmit the query to the DNS 90, but returns a response corresponding to the query. Obtained from the cache unit 103 and delivered to the name resolution unit 101.

  When DNSSEC is enabled in the inquiry destination zone, the inquiry unit 102 causes the verification unit 105 to verify the validity of the response corresponding to the inquiry generated by the name resolution unit 101, and the validity has been successfully verified. Only in this case, the response is transferred to the name resolution unit 101 and stored in the cache unit 103. By storing the response whose validity has been confirmed in the cache unit 103, it is not necessary to confirm the validity each time the response acquired from the cache unit 103 is used. Whether or not DNSSEC is enabled in the inquiry destination zone can be determined from the value of a predetermined bit included in the response, the presence or absence of an RRSIG resource record, and the like.

  The cache unit 103 stores a response to the query for name resolution and the DNSKEY resource record whose validity is verified by the verification unit 105. The cache control unit 104 searches for information stored in the cache unit 103 and stores information in the cache unit 103 in response to requests from the inquiry unit 102 and the verification unit 105. In addition, the cache control unit 104 checks the usage amount of the cache unit 103 when storing new information in the cache unit 103, and stores the new information when the usage amount exceeds the threshold. In order to secure this, the information stored in the cache unit 103 is deleted. Note that the information to be deleted is preferably as small as possible on condition that an area for storing new information is secured.

  When deleting information stored in the cache unit 103, the cache control unit 104 preferentially leaves the stored DNSKEY resource record and deletes other types of resource records. Not only the timing of storing new information in the cache unit 103 but also periodically checking the usage amount of the cache unit 103, and if the usage amount exceeds the threshold value, it is stored in the cache unit 103. The cache control unit 104 may be configured to delete information.

  In addition, the threshold regarding the usage amount and the amount of information stored in the cache unit 103 can be appropriately determined. When new information is stored in the cache unit 103 and periodically, the usage of the cache unit 103 is used. The value may be different when checking the amount. For example, the threshold for the usage amount when storing new information in the cache unit 103 is set to a value indicating that the cache is fully used in order to minimize the amount of information lost due to the release. In order to prevent the increase in load due to the creation of a free space each time new information is stored, a certain amount of free space is prepared as a threshold for the usage amount when the usage amount of the cache unit 103 is confirmed. The value may be set to about 90% of the cache capacity so that it can be done.

  The verification unit 105 confirms the validity of a response to an inquiry for name resolution performed on a zone where DNSSEC is enabled. Specifically, the verification unit 105 causes the inquiry unit 102 to acquire the DNSKEY resource record of the zone in which the inquiry is made, and uses the public key (ZSK) included in the acquired DNSKEY resource record to respond to the resource. Validate record signature. Further, the verification unit 105 verifies the signature of the DNSKEY resource record by using the public key (KSK) included in the acquired DNSKEY resource record, and further checks the upper level of the zone where the inquiry is made from the highest zone. The query unit 102 is recursively inquired up to the zone, and the chain of trust including the public key (KSK) included in the DNSKEY resource record is verified using the acquired DS resource record or the like.

  When the validity of the DNSKEY resource record is verified, the verification unit 105 causes the cache unit 103 to store the DNSKEY resource record whose validity has been confirmed. When the validity of the response to the name resolution inquiry made for the zone where SSEC is enabled is newly verified, the DNSKEY resource record of the zone where the inquiry is made is stored in the cache unit 103. If so, the verification unit 105 verifies the signature of the returned resource record using the public key (ZSK) included in the DNSKEY resource record stored in the cache unit 103, and acquires a DS resource record and the like. The query unit 102 is not allowed to make a recursive query to do so.

  In this way, the DNSKEY resource record whose validity has been verified is stored in the cache unit 103 and is preferentially left in the cache unit 103, so that recursions to upper zones such as steps S19 to S28 in FIG. Generation of inquiries can be suppressed, the time to completion of name resolution can be shortened, and the amount of information exchanged can be reduced.

  Next, a processing procedure of name resolution processing by the name resolution device 100 will be described with reference to FIG. As shown in FIG. 2, when the name resolution unit 101 generates a query for name resolution and requests the query unit 102 to send it (step S101), the cache control unit 104 is a response corresponding to the query. A resource record is retrieved from the cache unit 103 (step S102). If there is a corresponding resource record (Yes at step S103), the inquiry unit 102 passes the retrieved resource record to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record. (Step S113).

  On the other hand, when the corresponding resource record does not exist in the cache unit 103 (No at Step S103), the inquiry unit 102 transmits an inquiry to the DNS 90 and receives a response (Step S104). If DNSSEC is not valid (No at Step S105), the cache control unit 104 stores the returned resource record in the cache unit 103 (Step S112). Then, the inquiry unit 102 delivers the returned resource record to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S113).

  If DNSSEC is valid (Yes at step S105), the cache control unit 104 searches the cache unit 103 for a DNSKEY resource record of the zone for which an inquiry has been made (step S106). Here, when the corresponding DNSKEY resource record exists (Yes at Step S107), the verification unit 105 verifies the validity of the resource record obtained at Step S104 using the DNSKEY resource record (Step S111).

  If the validity verification is successful, the cache control unit 104 stores the resource record (except RRSIG) obtained in step S104 in the cache unit 103 (step S112). Then, the inquiry unit 102 delivers the resource record (except RRSIG) obtained in step S104 to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S113). .

  On the other hand, when the corresponding DNSKEY resource record does not exist in the cache unit 103 (No at Step S107), the inquiry unit 102 acquires the DNSKEY resource record of the zone inquired at Step S104 (Step S108). Further, the inquiry unit 102 recursively inquires from the highest zone to the upper zone of the zone inquired in step S104 to obtain the DS resource record and the DNSKEY resource record, and the obtained DS Using the resource record or the like, the verification unit 105 verifies the validity of the DNSKEY resource record acquired in step S108 (step S109). In this recursive inquiry, when a DNSKEY resource record to be acquired exists in the cache unit 103, the inquiry unit 102 acquires the DNSKEY resource record from the cache unit 103 instead of acquiring it from the DNS 90.

  If the validity verification is successful, the cache control unit 104 stores the DNSKEY resource record (excluding RRSIG) obtained in step S108 in the cache unit 103 (step S110). Subsequently, the verification unit 105 verifies the validity of the resource record obtained in step S104 using the DNSKEY resource record whose validity has been verified (step S111).

  If the validity verification is successful, the cache control unit 104 stores the resource record (except RRSIG) obtained in step S104 in the cache unit 103 (step S112). Then, the inquiry unit 102 delivers the resource record (except RRSIG) obtained in step S104 to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S113). .

  Next, with reference to FIG. 3, a description will be given of a processing procedure of a cache release process performed by the cache control unit 104 at a timing when new information is stored in the cache unit 103 or at a regular timing. The cache control unit 104 confirms the usage amount of the cache unit 103 (step S201). If the usage amount does not exceed the threshold (No at step S202), the cache release process is terminated without performing any particular processing.

  On the other hand, if the usage amount exceeds the threshold value (Yes in step S202), the cache control unit 104 deletes the resource record stored in the cache unit 103 while preferentially leaving the DNSKEY resource record, and sets the area. Release (step S203).

  As described above, in this embodiment, the verified DNSKEY resource record is preferentially cached. Therefore, even when DNSSEC is enabled, it is almost the same as when DNSSEC is not enabled. Name resolution can be performed efficiently.

  In this embodiment, an example will be described in which a part of the DNSKEY resource record that is cached is deleted due to a problem such as cache capacity. In the following description, the same parts as those already described are denoted by the same reference numerals as those already described, and redundant description is omitted.

  First, the configuration of the name resolution device 200 according to the present embodiment will be described with reference to FIG. As illustrated in FIG. 4, the name resolution device 200 includes a name resolution unit 101, an inquiry unit 102, a cache unit 103, a cache control unit 204, a verification unit 105, and a depth information storage unit 208.

  The depth information storage unit 208 holds the depth of the zone hierarchy corresponding to each DNSKEY resource record stored in the cache unit 103 as depth information. An example of the depth information is shown in FIG. As illustrated in the example of FIG. 5, the depth information includes items such as a zone and a depth. The zone item is an item in which the name of the zone corresponding to the DNSKEY resource record is stored. The depth item is an item in which a value indicating what level the zone corresponding to the DNSKEY resource record corresponds to from the root is stored.

  In the first line of the depth information shown in FIG. 5, “tokyo.kanto.example.jp.” Is set in the zone item, and “4” is set in the depth item. This indicates that a DNSKEY resource record of a zone named “tokyo.kanto.example.jp.” Is stored in the cache unit 103, and that zone corresponds to the fourth layer when viewed from the root.

  Note that the depth information may include other attribute information such as the storage location of the DNSKEY resource record in the cache unit 103. Further, the depth information may be configured in another format such as a list (see FIG. 6) in which zones of the same depth are linked.

  The cache control unit 204 searches for information stored in the cache unit 103 and stores information in the cache unit 103 in response to requests from the inquiry unit 102 and the verification unit 105. When storing a new DNSKEY resource record in the cache unit 103, the cache control unit 204 acquires the depth of the zone corresponding to the DNSKEY resource record, associates the obtained depth with the name of the zone, and the depth information storage unit Record in 208.

  The depth of the zone can be obtained from the number of labels included in the name of the zone. For example, since the name of the zone “tokyo.kanto.example.jp.” Includes four labels “tokyo”, “kanto”, “example”, and “jp”, the depth of this zone is “4”. " Note that the zone depth may be acquired from the depth of the hierarchy that is recursively inquired to verify the validity of the DNSKEY resource record.

  In addition, when storing new information in the cache unit 103, the cache control unit 204 checks the usage amount of the cache unit 103, and if the usage amount exceeds a threshold, an area for storing new information In order to secure this, the information stored in the cache unit 103 is deleted. Note that the information to be deleted is preferably as small as possible on condition that an area for storing new information is secured.

  When deleting the information stored in the cache unit 103, the cache control unit 204 preferentially leaves the stored DNSKEY resource record and deletes other types of resource records. If the usage amount of the cache unit 103 exceeds the threshold even if other types of resource records are deleted, the cache control unit 204 refers to the depth information storage unit 208 to determine the depth value. The DNSKEY resource record for the small zone is deleted from the cache unit 103, and the zone information corresponding to the deleted DNSKEY resource record is deleted from the depth information storage unit 208.

  Here, “deleting a DNSKEY resource record in a zone having a small depth value” may be, for example, deleting a DNSKEY resource record in a zone having the smallest depth value or a zone having the largest depth value. Other DNSKEY resource records may be deleted while leaving a DNSKEY resource record, a DNSKEY resource record in a zone whose depth value is smaller than a predetermined value may be deleted, and the usage amount of the cache unit 103 may be a predetermined value. The DNSKEY resource record may be deleted in ascending order of the depth value until it falls below.

  Even if the DNSKEY resource record in the zone having a small depth value is deleted from the cache unit 103, since the hierarchy from the root is small, the validity can be verified at a low cost. For example, to verify the validity of a DNSKEY resource record in a zone of depth 4 having the name “tokyo.kanto.example.jp.”, The root, “jp.”, “Example.jp.”, “Kanto. DS resource records and the like need to be acquired from the four hierarchies “example.jp.”, but in order to verify the validity of the DNSKEY resource record in the zone with the depth “1. A DS resource record or the like may be acquired from one hierarchy.

  For this reason, by preferentially leaving the DNSKEY resource record in a zone with a deep hierarchy, the number of inquiries required for verifying the validity of the DNSKEY resource record can be minimized, and the time to completion of name resolution can be shortened. it can.

  Not only the timing of storing new information in the cache unit 103 but also periodically checking the usage amount of the cache unit 103, and if the usage amount exceeds the threshold value, it is stored in the cache unit 103. The cache control unit 204 may be configured to delete information. In addition, the threshold regarding the usage amount and the amount of information stored in the cache unit 103 can be appropriately determined. When new information is stored in the cache unit 103 and periodically, the usage of the cache unit 103 is used. The value may be different when checking the amount. Further, up to which level the DNSKEY resource record is deleted from the cache unit 103 may be determined in advance, or may be dynamically determined so that the number of deleted DNSKEY resource records is minimized.

  Next, a processing procedure of name resolution processing by the name resolution device 200 will be described with reference to FIG. As shown in FIG. 7, when the name resolution unit 101 generates a query for name resolution and requests the query unit 102 to send it (step S301), the cache control unit 204 is a response corresponding to the query. A resource record is retrieved from the cache unit 103 (step S302). Here, when the corresponding resource record exists (Yes at Step S303), the inquiry unit 102 passes the retrieved resource record to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record. (Step S314).

  On the other hand, when the corresponding resource record does not exist in the cache unit 103 (No at Step S303), the inquiry unit 102 transmits an inquiry to the DNS 90 and receives a response (Step S304). If DNSSEC is not valid (No at Step S305), the cache control unit 204 stores the returned resource record in the cache unit 103 (Step S313). Then, the inquiry unit 102 delivers the responded resource record to the name resolution unit 101, and the name resolution unit 101 analyzes the content of the delivered resource record (step S314).

  When DNSSEC is valid (Yes at step S305), the cache control unit 204 searches the cache unit 103 for a DNSKEY resource record of the zone for which an inquiry has been made (step S306). If there is a corresponding DNSKEY resource record (Yes at Step S307), the verification unit 105 verifies the validity of the resource record obtained at Step S304 using the DNSKEY resource record (Step S312).

  If the validity verification is successful, the cache control unit 204 causes the cache unit 103 to store the resource record obtained in step S304 (except for RRSIG) (step S313). Then, the inquiry unit 102 delivers the resource record (except RRSIG) obtained in step S304 to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S314). .

  On the other hand, when the corresponding DNSKEY resource record does not exist in the cache unit 103 (No at Step S307), the inquiry unit 102 acquires the DNSKEY resource record of the zone inquired at Step S304 (Step S308). Further, the inquiry unit 102 recursively inquires from the highest zone to a zone higher than the zone inquired in step S304 to obtain the DS resource record and the DNSKEY resource record, and the obtained DS Using the resource record or the like, the verification unit 105 verifies the validity of the DNSKEY resource record acquired in step S308 (step S309). In this recursive inquiry, when a DNSKEY resource record to be acquired exists in the cache unit 103, the inquiry unit 102 acquires the DNSKEY resource record from the cache unit 103 instead of acquiring it from the DNS 90.

  If the validity verification is successful, the cache control unit 204 stores the DNSKEY resource record (excluding RRSIG) obtained in step S308 in the cache unit 103 (step S310) and the DNSKEY resource. The depth of the zone from which the record was acquired is recorded in the depth information storage unit 208 (step S311). Subsequently, the verification unit 105 verifies the validity of the resource record obtained in step S304 using the DNSKEY resource record whose validity is verified (step S312).

  If the validity verification is successful, the cache control unit 204 causes the cache unit 103 to store the resource record obtained in step S304 (except for RRSIG) (step S313). Then, the inquiry unit 102 delivers the resource record (except RRSIG) obtained in step S304 to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S314). .

  Next, with reference to FIG. 8, a description will be given of a processing procedure of a cache release process performed by the cache control unit 204 at a timing when new information is stored in the cache unit 103 or at a regular timing. The cache control unit 204 confirms the usage amount of the cache unit 103 (step S401). If the usage amount does not exceed the threshold (No at step S402), the cache release process is terminated without performing any particular process.

  On the other hand, if the usage amount exceeds the threshold (Yes at step S402), the cache control unit 204 deletes other types of resource records stored in the cache unit 103 while preferentially leaving the DNSKEY resource record. Then, the area is released (step S403). If the usage amount of the cache unit 103 becomes equal to or smaller than the threshold value due to the release (No at Step S204), the cache control unit 204 ends the cache release process.

  When the usage amount of the cache unit 103 exceeds the threshold even after the release (Yes in step S204), the cache control unit 204 refers to the depth information storage unit 208 and, as described above, the zone having a small depth value. The DNSKEY resource record is deleted from the cache unit 103 to release the area, and the zone information corresponding to the deleted DNSKEY resource record is deleted from the depth information storage unit 208 (step S405).

  As described above, in this embodiment, since the DNSKEY resource record of the deep zone is preferentially left in the cache unit 103, the influence of deleting the DNSKEY resource record from the cache unit 103 is suppressed to a small level. Can do.

  In this embodiment, another example of deleting a part of the DNSKEY resource record cached due to a problem such as cache capacity will be described.

  First, the configuration of the name resolution device 300 according to the present embodiment will be described with reference to FIG. As illustrated in FIG. 9, the name resolution device 300 includes a name resolution unit 101, an inquiry unit 102, a cache unit 103, a cache control unit 304, a verification unit 105, and a frequency information storage unit 309.

  The frequency information storage unit 309 holds the frequency of inquiries corresponding to each DNSKEY resource record stored in the cache unit 103 as frequency information. An example of the frequency information is shown in FIG. As shown in the example of FIG. 10, the frequency information includes items such as a zone and the number of inquiries. The zone item is an item in which the name of the zone corresponding to the DNSKEY resource record is stored. The item of the number of inquiries is an item in which the number of inquiries made to the zone corresponding to the DNSKEY resource record is stored, and is periodically reset to zero.

  In the first line of the frequency information shown in FIG. 10, “tokyo.kanto.example.jp.” Is set as the zone item, and “1” is set as the inquiry count item. This indicates that the DNSKEY resource record of the zone named “tokyo.kanto.example.jp.” Is stored in the cache unit 103, and that the inquiry has been made four times for the zone.

  Note that the frequency information may include other attribute information such as the storage location of the DNSKEY resource record in the cache unit 103. Further, the frequency information may be configured in other formats.

  The cache control unit 304 searches for information stored in the cache unit 103 and stores information in the cache unit 103 in response to requests from the inquiry unit 102 and the verification unit 105. When requested by the inquiry unit 102 to search for information stored in the cache unit 103, the cache control unit 304 adds 1 to the frequency information inquiry number to the zone corresponding to the requested information. The addition of the number of inquiries may be performed by the name resolution unit 101 or the inquiry unit 102.

  In addition, the cache control unit 304 confirms the usage amount of the cache unit 103 when storing new information in the cache unit 103, and stores the new information when the usage amount exceeds the threshold. In order to secure this, the information stored in the cache unit 103 is deleted. Note that the information to be deleted is preferably as small as possible on condition that an area for storing new information is secured.

  When deleting information stored in the cache unit 103, the cache control unit 304 preferentially leaves the stored DNSKEY resource record and deletes other types of resource records. If the usage amount of the cache unit 103 exceeds the threshold even if other types of resource records are deleted, the cache control unit 304 refers to the frequency information storage unit 309 and determines the value of the number of inquiries. The DNSKEY resource record of the zone with a small is deleted from the cache unit 103, and the zone information corresponding to the deleted DNSKEY resource record is deleted from the frequency information storage unit 309.

  Here, “deleting a DNSKEY resource record for a zone with a small inquiry count value” may be, for example, deleting a DNSKEY resource record for a zone with the smallest inquiry count value, or having the highest inquiry count value. Other DNSKEY resource records may be deleted while leaving a DNSKEY resource record in a large zone, or a DNSKEY resource record in a zone whose inquiry count value is smaller than a predetermined value may be deleted. The DNSKEY resource records may be deleted in ascending order of the number of inquiries until the amount falls below a predetermined value.

  If a DNSKEY resource record in a zone with a high inquiry frequency is frequently deleted from the cache unit 103, a recursive inquiry is performed to check the validity of the DNSKEY resource record, and a process of acquiring a DS resource record or the like is frequently performed. And it may take a long time to complete name resolution. Even if a DNSKEY resource record in a zone with a low frequency of inquiries is deleted from the cache unit 103, there are few opportunities for such a situation to occur.

  Therefore, by preferentially leaving the DNSKEY resource record in the zone where the frequency of inquiries is high, the time required to complete name resolution is minimized by minimizing the inquiries required to verify the validity of the DNSKEY resource record. be able to.

  Not only the timing of storing new information in the cache unit 103 but also periodically checking the usage amount of the cache unit 103, and if the usage amount exceeds the threshold value, it is stored in the cache unit 103. The cache control unit 304 may be configured to delete information. In addition, the threshold regarding the usage amount and the amount of information stored in the cache unit 103 can be appropriately determined. When new information is stored in the cache unit 103 and periodically, the usage of the cache unit 103 is used. The value may be different when checking the amount. In addition, how many times the DNSKEY resource record is deleted from the cache unit 103 may be determined in advance, or may be determined dynamically so that the number of deleted DNSKEY resource records is minimized. .

  Next, a processing procedure of name resolution processing by the name resolution device 300 will be described with reference to FIG. As shown in FIG. 11, when the name resolution unit 101 generates a query for name resolution and requests the query unit 102 to send it (step S501), the cache control unit 304 uses the frequency of the zone corresponding to the query. 1 is added to the value of the information inquiry count (step S502), and a resource record that is a response corresponding to the inquiry is searched from the cache unit 103 (step S503). If a zone corresponding to the inquiry does not exist in the frequency information, the cache control unit 304 adds the zone to the frequency information and sets 1 as the inquiry count.

  If the corresponding resource record exists (Yes at step S504), the inquiry unit 102 passes the retrieved resource record to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record. (Step S514).

  On the other hand, when the corresponding resource record does not exist in the cache unit 103 (No in step S504), the inquiry unit 102 transmits an inquiry to the DNS 90 and receives a response (step S505). Here, when DNSSEC is not valid (No at Step S506), the cache control unit 304 stores the returned resource record in the cache unit 103 (Step S513). Then, the inquiry unit 102 delivers the returned resource record to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S514).

  If DNSSEC is valid (Yes at step S506), the cache control unit 304 searches the cache unit 103 for a DNSKEY resource record of the zone for which an inquiry has been made (step S507). Here, when the corresponding DNSKEY resource record exists (Yes at Step S508), the verification unit 105 verifies the validity of the resource record obtained at Step S505 using the DNSKEY resource record (Step S512).

  If the validity verification is successful, the cache control unit 304 stores the resource record (except RRSIG) obtained in step S505 in the cache unit 103 (step S513). Then, the inquiry unit 102 delivers the resource record (excluding RRSIG) obtained in step S505 to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S514). .

  On the other hand, when the corresponding DNSKEY resource record does not exist in the cache unit 103 (No in step S508), the inquiry unit 102 acquires the DNSKEY resource record of the zone inquired in step S505 (step S509). Further, the inquiry unit 102 recursively inquires from the highest zone to a zone higher than the zone inquired in step S304 to obtain the DS resource record and the DNSKEY resource record, and the obtained DS Using the resource record or the like, the verification unit 105 verifies the validity of the DNSKEY resource record acquired in step S509 (step S510). In this recursive inquiry, when a DNSKEY resource record to be acquired exists in the cache unit 103, the inquiry unit 102 acquires the DNSKEY resource record from the cache unit 103 instead of acquiring it from the DNS 90.

  If the validity verification is successful, the cache control unit 304 stores the DNSKEY resource record (excluding RRSIG) obtained in step S509 in the cache unit 103 (step S511). 105 verifies the validity of the resource record obtained in step S505 by using the DNSKEY resource record whose validity is verified (step S512).

  If the validity verification is successful, the cache control unit 304 stores the resource record (except RRSIG) obtained in step S505 in the cache unit 103 (step S513). Then, the inquiry unit 102 delivers the resource record (excluding RRSIG) obtained in step S505 to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S514). .

  Next, with reference to FIG. 12, the processing procedure of the cache release process executed by the cache control unit 304 at a timing when new information is stored in the cache unit 103 or at a regular timing will be described. The cache control unit 304 confirms the usage amount of the cache unit 103 (step S601), and if the usage amount does not exceed the threshold (No in step S602), the cache release process is terminated without performing any particular processing.

  On the other hand, if the usage amount exceeds the threshold (Yes in step S602), the cache control unit 304 deletes other types of resource records stored in the cache unit 103 while preferentially leaving the DNSKEY resource record. Then, the area is released (step S603). If the usage amount of the cache unit 103 becomes equal to or smaller than the threshold value due to the release (No in step S604), the cache control unit 304 ends the cache release process.

  If the usage amount of the cache unit 103 exceeds the threshold even after the release (Yes in step S604), the cache control unit 304 refers to the frequency information storage unit 309 and, as described above, in the zone where the number of inquiries is small. The DNSKEY resource record is deleted from the cache unit 103 to release the area, and the zone information corresponding to the deleted DNSKEY resource record is deleted from the frequency information storage unit 309 (step S605).

  As described above, in this embodiment, since the DNSKEY resource record of the zone with the high inquiry frequency is left preferentially in the cache unit 103, the influence of deleting the DNSKEY resource record from the cache unit 103 is reduced. Can be suppressed.

  In this embodiment, the DNSKEY resource record of the zone with the high inquiry frequency is left in the cache unit 103 preferentially. However, among the zones in which the DNSKEY resource record is stored in the cache unit 103, the latest inquiry is made. A similar effect can be obtained by preferentially leaving the DNSKEY resource record in the zone in which the date and time of the execution is close to the current date and time in the cache unit 103.

  In the present embodiment, a description will be given of still another example in which a part of the DNSKEY resource record that is cached is deleted due to a problem such as cache capacity.

  First, the configuration of the name resolution device 400 according to the present embodiment will be described with reference to FIG. As shown in FIG. 13, the name resolution device 400 includes a name resolution unit 101, an inquiry unit 102, a cache unit 103, a cache control unit 404, a verification unit 105, a lower zone number calculation unit 410, and a lower zone. A number storage unit 411.

  The lower zone number storage unit 411 holds, as lower zone number information, the number of zones existing in a layer lower than the zone corresponding to each DNSKEY resource record stored in the cache unit 103. An example of the lower zone number information is shown in FIG. As shown in the example of FIG. 14, the lower zone number information includes items such as a zone and a lower zone number. The zone item is an item in which the name of the zone corresponding to the DNSKEY resource record is stored. The item of the number of lower zones is an item in which the number of zones existing in a layer lower than the zone corresponding to the DNSKEY resource record is stored.

  In the fourth line of the lower zone number information shown in FIG. 14, “kanto.example.jp.” Is set in the zone item, and “2” is set in the lower zone number item. This is because the zone named “tokyo.kanto.example.jp.” And the zone named “kanagawa.kanto.example.jp.” Are below the zone named “kanto.example.jp.”. This is because there exists.

  Further, in the third line of the lower zone number information shown in FIG. 14, “example.jp.” Is set as the zone item, and “5” is set as the lower zone number item. This is because a zone named “kanto.example.jp.”, A zone named “tokyo.kanto.example.jp.”, And a “kanagawa” are located below a zone named “example.jp.”. This is because there is a zone named “.kanto.example.jp.”, A zone named “kansai.example.jp.”, And a zone named “kyoto.kansai.example.jp.”.

  The lower zone number information may include other attribute information such as the storage location of the DNSKEY resource record in the cache unit 103. Further, the lower zone number information may be configured in other formats.

  The lower zone number calculation unit 410 calculates the number of zones existing in a lower layer than the designated zone, and registers it in the lower zone number storage unit 411. The lower zone number calculation unit 410 determines the hierarchical relationship of each zone based on the name of the DNSKEY resource record stored in the cache unit 103, and calculates the number of zones existing in a layer below the specified zone. To do.

  For example, a zone named “jp.”, A zone named “example.jp.”, A zone named “kanto.example.jp.”, And a name “tokyo.kanto.example.jp.” , A zone named “kanagawa.kanto.example.jp.”, A zone named “kansai.example.jp.”, And a DNSKEY of a zone named “kyoto.kansai.example.jp.” When the resource record is stored in the cache unit 103, the lower zone number calculation unit 410 calculates the lower zone number of each zone as shown in the example of FIG.

  In this method, although the number of lower zones of each zone cannot be strictly acquired, the name resolution device 400 is configured to preferentially leave the DNSKEY resource record in the cache unit 103. Among the zones existing in the lower hierarchy, DNSSEC is enabled, and the number of zones that may be inquired can be obtained almost without omission.

  The cache control unit 404 searches for information stored in the cache unit 103 and stores information in the cache unit 103 in response to requests from the inquiry unit 102 and the verification unit 105. When storing a new DNSKEY resource record in the cache unit 103, the cache control unit 404 calculates the lower zone number of the zone corresponding to the DNSKEY resource record and stores it in the lower zone number storage unit 411. The process is executed by the unit 410. When the DNSKEY resource record is deleted from the cache unit 103, the cache control unit 404 recalculates the number of lower zones in each zone corresponding to the DNSKEY resource record stored in the cache unit 103, and stores the number of lower zones. The process of updating the unit 411 is executed by the lower zone number calculating unit 410.

  In addition, the cache control unit 404 checks the usage amount of the cache unit 103 when storing new information in the cache unit 103, and stores the new information when the usage amount exceeds the threshold. In order to secure this, the information stored in the cache unit 103 is deleted. Note that the information to be deleted is preferably as small as possible on condition that an area for storing new information is secured.

  When the information stored in the cache unit 103 is deleted, the cache control unit 404 preferentially leaves the stored DNSKEY resource record and deletes other types of resource records. If the usage amount of the cache unit 103 exceeds the threshold even if other types of resource records are deleted, the cache control unit 404 refers to the lower zone number storage unit 411 and determines the number of lower zones. The DNSKEY resource record of the zone having a small value of “1” is deleted from the cache unit 103, and the zone information corresponding to the deleted DNSKEY resource record is deleted from the lower zone number storage unit 411.

  Here, “deleting a DNSKEY resource record of a zone having a lower value of the number of lower zones” may be, for example, deleting a DNSKEY resource record of a zone having the lowest value of the number of lower zones, The DNSKEY resource record of the zone with the largest value may be left and the other DNSKEY resource record may be deleted, or the DNSKEY resource record of the zone having the lower zone number value smaller than the predetermined value may be deleted, or the cache The DNSKEY resource record may be deleted in ascending order of the number of lower zones until the usage amount of the unit 103 falls below a predetermined value.

  A DNSKEY resource record of a zone having a large number of lower zones is necessary when verifying the validity of the DNSKEY resource record of any lower zone. For this reason, by preferentially leaving the DNSKEY resource record of the zone having a large number of lower zones, the frequency of querying the DNSKEY resource record can be minimized, and the time until the completion of name resolution can be shortened.

  Not only the timing of storing new information in the cache unit 103 but also periodically checking the usage amount of the cache unit 103, and if the usage amount exceeds the threshold value, it is stored in the cache unit 103. The cache control unit 404 may be configured to delete information. In addition, the threshold regarding the usage amount and the amount of information stored in the cache unit 103 can be appropriately determined. When new information is stored in the cache unit 103 and periodically, the usage of the cache unit 103 is used. The value may be different when checking the amount. Further, up to which number of lower zone DNSKEY resource records to be deleted from the cache unit 103 may be determined in advance, or may be dynamically determined so that the number of deleted DNSKEY resource records is minimized. Good.

  Next, a processing procedure of name resolution processing by the name resolution device 400 will be described with reference to FIG. As shown in FIG. 15, when the name resolution unit 101 generates a query for name resolution and requests the query unit 102 to send it (step S701), the cache control unit 404 is a response corresponding to the query. A resource record is retrieved from the cache unit 103 (step S702). If there is a corresponding resource record (Yes at step S703), the inquiry unit 102 passes the retrieved resource record to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record. (Step S714).

  On the other hand, when the corresponding resource record does not exist in the cache unit 103 (No at Step S703), the inquiry unit 102 transmits an inquiry to the DNS 90 and receives a response (Step S704). Here, when DNSSEC is not valid (No at Step S705), the cache control unit 404 stores the returned resource record in the cache unit 103 (Step S713). Then, the inquiry unit 102 delivers the responded resource record to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S714).

  If DNSSEC is valid (Yes at step S705), the cache control unit 404 searches the cache unit 103 for a DNSKEY resource record of the zone for which an inquiry has been made (step S706). If there is a corresponding DNSKEY resource record (Yes at step S707), the verification unit 105 verifies the validity of the resource record obtained at step S704 using the DNSKEY resource record (step S712).

  If the validity verification is successful, the cache control unit 404 causes the cache unit 103 to store the resource record (excluding RRSIG) obtained in step S704 (step S713). Then, the inquiry unit 102 delivers the resource record (excluding RRSIG) obtained in step S704 to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S714). .

  On the other hand, when the corresponding DNSKEY resource record does not exist in the cache unit 103 (No in step S707), the inquiry unit 102 acquires the DNSKEY resource record of the zone inquired in step S704 (step S708). Further, the inquiry unit 102 recursively inquires from the highest zone to the upper zone of the zone inquired in step S704 to obtain the DS resource record and the DNSKEY resource record, and the obtained DS Using the resource record or the like, the verification unit 105 verifies the validity of the DNSKEY resource record acquired in step S308 (step S709). In this recursive inquiry, when a DNSKEY resource record to be acquired exists in the cache unit 103, the inquiry unit 102 acquires the DNSKEY resource record from the cache unit 103 instead of acquiring it from the DNS 90.

  If the validity verification is successful, the cache control unit 404 stores the DNSKEY resource record (excluding RRSIG) obtained in step S708 in the cache unit 103 (step S710) and the DNSKEY resource. The number of lower zones of the zone from which the record is acquired is recorded in the lower zone number storage unit 101 (step S711). Subsequently, the verification unit 105 verifies the validity of the resource record obtained in step S704 using the DNSKEY resource record whose validity is verified (step S712).

  If the validity verification is successful, the cache control unit 404 causes the cache unit 103 to store the resource record (excluding RRSIG) obtained in step S704 (step S713). Then, the inquiry unit 102 delivers the resource record (excluding RRSIG) obtained in step S704 to the name resolution unit 101, and the name resolution unit 101 analyzes the contents of the delivered resource record (step S714). .

  Next, with reference to FIG. 16, a description will be given of a processing procedure of a cache release process performed by the cache control unit 404 at a timing when new information is stored in the cache unit 103 or at a regular timing. The cache control unit 404 confirms the usage amount of the cache unit 103 (step S801), and if the usage amount does not exceed the threshold (No at step S802), the cache release process is terminated without performing any particular processing.

  On the other hand, if the usage amount exceeds the threshold (Yes in step S802), the cache control unit 404 deletes other types of resource records stored in the cache unit 103 while preferentially leaving the DNSKEY resource record. Then, the area is released (step S803). If the usage amount of the cache unit 103 becomes equal to or smaller than the threshold value due to the release (No in step S804), the cache control unit 404 ends the cache release process.

  If the usage amount of the cache unit 103 exceeds the threshold even after the release (Yes in step S804), the cache control unit 404 refers to the lower zone number storage unit 411 and has a lower number of lower zones as described above. The DNSKEY resource record of the zone is deleted from the cache unit 103 to release the area, and the zone information corresponding to the deleted DNSKEY resource record is deleted from the lower zone number storage unit 411, and the lower zone number is updated (step S805). ).

  As described above, in this embodiment, since the DNSKEY resource record of the zone having a large number of lower zones is preferentially left in the cache unit 103, the influence of deleting the DNSKEY resource record from the cache unit 103 is affected. It can be kept small.

  The configuration of the name resolution device in each of the above-described embodiments can be variously changed without departing from the gist. For example, the methods shown in the embodiments 2 to 4 can be used in combination with some priorities for deleting some of the DNSKEY resource records from the cache unit 103.

  An example of combining the methods with priorities will be shown. For each zone in which the DNSKEY resource record is stored in the cache unit 103, the depth, the number of inquiries, and the number of lower zones are held. If the usage amount of the cache unit 103 exceeds the threshold value, first, the value of the number of lower zones Delete the DNSKEY resource record with the smallest. If the usage amount of the cache unit 103 still exceeds the threshold value, the DNSKEY resource record having the smallest depth value is deleted. If the usage amount of the cache unit 103 still exceeds the threshold value, the DNSKEY resource record whose inquiry count value is smaller than the predetermined value is deleted.

  Further, by implementing the function of the name resolution apparatus in each embodiment described above as software and executing this by a computer, a function equivalent to the name resolution apparatus in each embodiment described above can be realized. An example of a computer that executes a name resolution program 1071 in which the function of the name resolution device 100 is implemented as software will be described below.

  FIG. 17 is a functional block diagram showing a computer 1000 that executes the name resolution program 1071. The computer 1000 includes a CPU (Central Processing Unit) 1010 that executes various arithmetic processes, an input device 1020 that receives input of data from a user, a monitor 1030 that displays various information, and a medium that reads a program from a recording medium. A bus 1080 includes a reading device 1040, a network interface device 1050 that exchanges data with other computers via a network, a RAM (Random Access Memory) 1060 that temporarily stores various information, and a hard disk device 1070. Connected and configured.

  The hard disk device 1070 includes a name resolution program 1071 having the same function as each function unit of the name resolution device 100 shown in FIG. 1 and caches corresponding to various information stored in the cache unit 103 shown in FIG. Data 1072 is stored.

  Then, the CPU 1010 reads the name resolution program 1071 from the hard disk device 1070 and develops it in the RAM 1060, whereby the name resolution program 1071 functions as the name resolution process 1061. Then, the name resolution process 1061 expands the information read from the cache data 1072 in the area allocated to itself on the RAM 1060 as appropriate, and executes various data processing based on the expanded data.

  The name resolution program 1071 is not necessarily stored in the hard disk device 1070, and the computer 1000 may read and execute the program stored in a storage medium such as a CD-ROM. . The computer 1000 stores the program in another computer (or server) connected to the computer 1000 via a public line, the Internet, a LAN (Local Area Network), a WAN (Wide Area Network), or the like. You may make it read and run a program from these.

10 Client device 20 DNS cache server 30-50 DNS server 90 DNS
100, 200, 300, 400 Name resolution device 101 Name resolution unit 102 Query unit 103 Cache unit 104 Cache control unit 105 Verification unit 208 Depth information storage unit 304 Cache control unit 309 Frequency information storage unit 404 Cache control unit 410 Calculation of the number of lower zones Unit 411 Lower Zone Number Storage Unit 1000 Computer 1010 CPU
1020 Input device 1030 Monitor 1040 Medium reader 1050 Network interface device 1060 RAM
1061 Name resolution process 1070 Hard disk device 1071 Name resolution program 1072 Cache data 1080 Bus

Claims (11)

A name resolution device having a cache unit that caches response contents to an inquiry to a name management system that manages a hierarchically configured name space,
The validity of the response content to the inquiry for name resolution is verified using the first verification information obtained from the server of the inquiry destination hierarchy of the inquiry, and the validity of the first verification information is verified. And verifying using the second verification information obtained by inquiring the servers of each layer from the highest layer of the name management system to the upper layer of the inquiry destination layer of the inquiry, and the validity is A verification unit that stores the verified first verification information in the cache unit and reuses the first verification information;
A name resolution apparatus comprising: a cache control unit that controls to leave the first verification information in the cache unit when a free area is created in the cache unit.   The cache control unit, when it becomes necessary to delete the first verification information from the cache unit in order to create a predetermined free area in the cache unit, among the first verification information, 2. The name resolution apparatus according to claim 1, wherein in order to verify the validity of the first verification information, a name resolution apparatus that prioritizes deletion of the second verification information that needs to be acquired.   The cache control unit, when it becomes necessary to delete the first verification information from the cache unit in order to create a predetermined free area in the cache unit, among the first verification information, 3. The name resolution apparatus according to claim 2, wherein a name having a shallow depth from which the first verification information is acquired is deleted preferentially.   The cache control unit, when it becomes necessary to delete the first verification information from the cache unit in order to create a predetermined free area in the cache unit, among the first verification information, 3. The name resolution apparatus according to claim 2, wherein the name resolution apparatus preferentially deletes a query with a small number of inquiries about a hierarchy from which the first verification information is acquired.   The cache control unit, when it becomes necessary to delete the first verification information from the cache unit in order to create a predetermined free area in the cache unit, among the first verification information, 3. The name resolution apparatus according to claim 2, wherein the name resolution apparatus prioritizes and deletes the one having a lower hierarchy than the hierarchy from which the first verification information is acquired. A name resolution method executed by a name resolution apparatus having a cache unit that caches response contents to an inquiry to a name management system that manages a hierarchically configured name space, comprising:
A first verification step in which the name resolution device verifies the validity of the response content to the query for name resolution by using the first verification information obtained from the server of the inquiry destination hierarchy of the query; ,
The name resolution device obtains the validity of the first verification information by inquiring a server in each layer from the highest layer of the name management system to a higher layer of the inquiry destination layer. A second verification step for verifying using the obtained second verification information;
A storage step in which the name resolution device stores the first verification information verified in the second verification step in the cache unit for reuse;
A cache release step for controlling the first verification information to remain in the cache unit when the name resolution device creates an empty area in the cache unit;   In the cache release step, the name resolution device, when it becomes necessary to delete the first verification information from the cache unit in order to create a predetermined free area in the cache unit, 7. The verification information according to claim 6, wherein information that requires less acquisition of the second verification information in order to verify the validity of the first verification information is preferentially deleted. The name resolution method described.   In the cache release step, the name resolution device, when it becomes necessary to delete the first verification information from the cache unit in order to create a predetermined free area in the cache unit, The name resolution method according to claim 7, wherein among the pieces of verification information, information having a shallow depth from which the first verification information is acquired is preferentially deleted.   In the cache release step, the name resolution device, when it becomes necessary to delete the first verification information from the cache unit in order to create a predetermined free area in the cache unit, The name resolution method according to claim 7, wherein among the verification information, information with a small number of inquiries about a hierarchy from which the first verification information is acquired is preferentially deleted.   In the cache release step, the name resolution device, when it becomes necessary to delete the first verification information from the cache unit in order to create a predetermined free area in the cache unit, 8. The name resolution method according to claim 7, wherein among the pieces of verification information, information having a lower number of layers lower than a layer from which the first verification information is acquired is preferentially deleted.   A name resolution program for causing a computer to function as the name resolution device according to any one of claims 6 to 10.

Images