CN113132384B - Decentralized DNS root zone management system - Google Patents
Decentralized DNS root zone management system Download PDFInfo
- Publication number
- CN113132384B CN113132384B CN202110423197.XA CN202110423197A CN113132384B CN 113132384 B CN113132384 B CN 113132384B CN 202110423197 A CN202110423197 A CN 202110423197A CN 113132384 B CN113132384 B CN 113132384B
- Authority
- CN
- China
- Prior art keywords
- root
- local
- module
- zone
- resource record
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Abstract
A decentralized DNS root zone management system belongs to the technical field of Internet infrastructure security and is used for solving the problems of unclear governing bodies, name space splitting and malicious reinjection brought by the existing root zone management decentralized technology. The technical points of the invention comprise: the system comprises a local root chain subsystem and a local root server subsystem, wherein the local root chain subsystem is used for realizing root zone data management by using a block chain and comprises a root zone division module, an identity and role module, an account book module and a contract module; the process of the local root chain subsystem for realizing root zone data management is as follows: the method comprises the steps of establishing an authorization and authorization relationship between members through an identity module and a role module, describing the relationship through data recorded by an account book module, and realizing the authorization logic through a contract module. The method avoids the centralized structure risk of the root and plays an important role in the construction of a domain name system in the Internet.
Description
Technical Field
The invention relates to the technical field of Internet infrastructure security, in particular to a decentralized DNS root zone management system.
Background
The root service decentralized technology is to independently establish a new root service system in addition to 13 logical root servers and their anycast entities designated in the IANA (internet assigned numbers authority) root zone. The root service decentralized work can be divided into 4 types according to technical characteristics: (1) a recursive root, a root server is directly established on the local loopback address (127.0.01) of the recursive resolver; (2) opening a root, operating a group of root servers which operate independently and adopt IANA root areas; (3) the shadow root sends the pile resolver or the recursion server to the IANA root server to inquire, guide/hijack to specific resolving equipment and disguise the root server to give a response; (4) and another root, establishing a root system independent of the current DNS (domain name system), and adopting the IANA root zone to simultaneously create a new TLD. The root service decentralized technology reduces the dependence of users on IANA root service, and improves the diversity and localization degree of the root service. In summary, root service decentralized has related art schemes and systems on the authoritative side, the recursive side, and the link. FIG. 1 is a schematic diagram of a root service decentralized scheme.
Root zone management decentralization refers to root zones that are not modified by a single central authority. By utilizing distributed consensus of the block chain, a single central authority decision root zone can be converted into a single public account book decision root zone, and uniqueness and decentralization are guaranteed. The related work mainly comprises: (1) the Blockstack (BNS) is a naming and storage system realized by a bottom layer based on the Bitcoin system; (2) handshake, a block chain protocol aiming at replacing root zone files and root servers, realizes registration, continuation and transfer of TLDs, and the existing root zone management decentralization scheme avoids control of a single central mechanism on a root zone, but has the following limitations: (1) creating TLDs outside of the non-IANA root zone may result in namespace splitting; (2) completely separating from all the participants in the current radical treatment; (3) the domain name is caused to be in a rush-to-fill problem and a dispute processing mechanism is lacked due to the fact that no center exists completely; (4) TLD ownership relies on cryptography, with keys lost or compromised, and ownership is lost and difficult to recover; (5) the de-centering feature relies on the underlying blockchain system.
In summary, root services decentralized technology is becoming mature, but there are many problems with root management decentralized technology. At present, there is no technical obstacle to deploying root services independent of a current root server system, and the existing block chain-based scheme provides a new concept of decentralization, but has the problems of name space splitting and the like.
Disclosure of Invention
In view of the above problems, the present invention provides a decentralized DNS root zone management system to solve the problem of ambiguous governing bodies, the problem of name space splitting, and the problem of malicious emergency injection caused by the existing root zone management decentralized technology.
A decentralized DNS root zone management system comprises a local root chain subsystem and a local root server subsystem, wherein the local root chain subsystem is used for realizing root zone data management by using a block chain, and the local root server subsystem is used for providing root zone analysis service; the local root chain subsystem comprises a root zone division module, an identity and role module, an account book module and a contract module; wherein the content of the first and second substances,
the root zone dividing module is used for dividing the resource records in the root zone into different parts according to the data source and adopting different management logics for the parts;
the identity and role module is used for binding the membership and the role type based on distributed membership management to realize access authority control;
the account book module is used for recording local root members, root zone management protocols among the members and root zone data;
the contract module is used for controlling access authority according to the role type and realizing root zone management logic based on the current state of the account book module;
the process of the local root chain subsystem for realizing root zone data management is as follows: and establishing an authorization and authorization relationship between members through the identity and role module, describing the relationship through data recorded by the account book module, and realizing the authorization logic through the contract module.
Furthermore, the root zone dividing module divides the resource records in the root zone into four different parts, including a root authoritative resource record group, a root server resource record group, a TLD authorized resource record group and a signature resource record group; wherein the content of the first and second substances,
the root authority resource record group is used for recording the starting authority resources and DNSSEC public key resources from the root of the root authority;
the root server resource record group is used for recording root server name resources and IP address resources from a root server operator;
the TLD authorized resource record group is used for recording TLD authoritative server name resources, IP address resource records and DNSSEC public key abstract resources from TLD authoritativeness;
the set of signed resource records is used to record DNSSEC signed related resources from a root authority.
Further, the role types in the identity and role module include a local root manager, a local root zone maintainer, a local root server operator, a top-level domain authority and an IANA agent.
Further, the account module divides the recorded data into four groups of account data, namely, a member account group, a root authoritative account group, a root server account group and a TLD authoritative account group, according to different data types.
Further, each group of accounts in the account module comprises two types of accounts, namely a protocol account and a resource record account.
Furthermore, each type of book in the book module includes three tables, namely a state table, an update table and a process table.
Further, the contract module comprises two types of contracts according to different operations of the account book module: agreement contracts and resource record change contracts; wherein the agreement contract is a contract operating on an agreement book; the resource record change contract is a contract that operates on a resource record book.
Further, the content recorded by the root authority resource record group, the root server resource record group and the signature resource record group is different in the local root zone and in the IANA root zone; the content recorded by the TLD authorized resource record group is the same in the local root zone as in the IANA root zone.
Further, the authority corresponding to the local root administrator includes: auditing a newly added local root manager, negotiating policies on a local root chain, being responsible for member management and role management on the chain in the country, signing a local root service agreement with an operator of a local root server, generating a key signature key in DNSSEC and issuing a root authority resource record group; the authority corresponding to the local root zone maintainer comprises: the method is used for operating local root chain nodes in a local root chain, generating a zone signature key in DNSSEC, generating a local root zone from an account book on the local root chain and issuing the local root zone; the authority corresponding to the local root server operator includes: the system is responsible for operating a local root server, providing domain name resolution service by adopting a local root zone and issuing a local root server resource record group; the authority corresponding to the top-level domain authority comprises: accessing a local root chain and issuing a TLD authorization resource record group; the authority corresponding to the IANA agent comprises the following steps: and writing the TLD authorized resource record which is not on the local root chain into the account book.
Furthermore, the method for implementing root zone management logic in the contract module is to abstract the data updating process logic in the account book module into a general proposal-audit-end three-stage process.
The beneficial technical effects of the invention are as follows:
the invention provides a decentralized DNS root zone management system, which comprises a local root chain and a local root service, wherein the local root chain is realized by using a block chain technology, the local root chain abstracts related parties participating in root zone management into a plurality of roles with authority not conflicting with each other, the root zone is divided into a plurality of relatively independent management zones, then the roles participating in root zone management are constrained by using a block chain intelligent contract to respectively manage the root zone areas which are responsible for the roles, and the management result of each role to the root zone is synchronized to all the roles through a block chain consensus algorithm, so that the global uniqueness of the management result of the root zone is ensured.
The system solves the problems of centralized structure risks of the root, namely single-point failure risks, opaque root zone management, difficult audit of root zone operation and the like caused by centralized root zone management and centralized root service, and realizes the balance control of the current single root zone management mechanism through autonomous and cooperative alliance formed by local root managers; the local root chain enhances the transparency and auditability of the root zone management, and solves the problems of unclear governing bodies, name space splitting and malicious reinjection brought by the existing root zone management decentralized technology.
Drawings
The invention may be better understood by referring to the following description in conjunction with the accompanying drawings, in which like reference numerals are used throughout the figures to indicate like or similar parts. The accompanying drawings, which are incorporated in and form a part of this specification, illustrate preferred embodiments of the present invention and, together with the detailed description, serve to further explain the principles and advantages of the invention.
FIG. 1 is a schematic diagram of a root service decentralized scheme;
FIG. 2 is a schematic diagram of a native root architecture of the present invention;
FIG. 3 is a schematic diagram of the design structure of the local root chain in the present invention;
FIG. 4 is a schematic diagram of root zone partitioning according to the present invention;
fig. 5 is a diagram illustrating the relationship of the local root role, protocol and resource record book in the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described hereinafter with reference to the accompanying drawings. In the interest of clarity and conciseness, not all features of an actual implementation are described in the specification. It should be noted that, in order to avoid obscuring the present invention by unnecessary details, only the device structures and/or processing steps that are closely related to the scheme according to the present invention are shown in the drawings, and other details that are not so relevant to the present invention are omitted.
The invention describes a system for DNS (domain name system) root decentralized-local root, which is composed of a local root chain and a local root service. The local root chain is a novel domain name system root zone management system, and the local root chain relieves the worry of all parties involved in root zone management by enhancing mutual trust. Each local root manages a country code top-level domain and a local root server operator, each local root jointly constructs a root zone management system based on a zone block chain through a local root chain link point, and each local root independently provides root zone analysis service through an independently operated local root server. The local root chain solves the problem that the top level domain of the country code may be out of control because the role of the root authority is destroyed, while maintaining a uniform domain name space and a unique global root authority. The improvement of the local root chain on the management of the root zone mainly has two points: improving autonomy by establishing a local root, a local root community and a local root server; transparency is improved by blockchain recording and execution of the various protocols and root zone operations.
The local root system includes two independent subsystems: a local root chain subsystem and a local root server subsystem. The organization that sets up the Local Root is called the Local Root Administrator (Local Root Administrator). The design of the local root chain subsystem can be summarized as follows: the local root chain is a federation type blockchain formed by local root chain nodes and established by a local root community, and is responsible for managing a local root zone used by a local root server. FIG. 2 is a schematic diagram of a native root architecture in the present invention.
1) Local Root Community (Local Root Community): the local root managers and the related entities jointly establish a cooperative organization;
2) local Root Zone (LRZ): a non-IANA root region below the native root; the local root zone completely follows TLD authorization consistent with the IANA root zone to ensure unified namespaces, wherein the cccTLD authorization information directly comes from a root zone updating request submitted by a cccTLD authority through a local root chain to realize the autonomy of the cccTLD;
3) local Root Chain (LRC): local root community establishes a federated blockchain responsible for local root zone management between local roots; a subsystem in the local root for implementing the local root chain function, called a local root chain Node (LRC Node);
4) local Root Server (Local Root Server): the subsystem loaded in the local root zone to provide the root service is independent of the local root chain. The local root can adopt a root server different from the IANA root to realize open root service supply; the local root service is operated by a local root administrator, using a domain name system root zone resolution service that is cognizant of the results via a local root chain root zone.
The local root chain needs a bottom layer blockchain platform by adopting a HyperLegger Fabric-like architecture, namely executing-sequencing-verifying-updating, and providing functional support for member management, distributed consensus, intelligent contract programming, database storage and the like. As a blockchain application system, the local root chain can be summarized as: the chain members implement root zone management by executing a contract program on the root zone division data in the ledger according to the respective roles. Fig. 3 is a schematic diagram of a local root chain design structure in the present invention, and 4 key parts included in the local root chain are respectively described below.
31) Root Zone Division (Root Zone Division): dividing a root zone into four parts related to a root authority, a root server, TLD authorization and a signature according to a data source, and adopting different management logics for the parts;
32) identity & Role (Identity & Role): a 'local root manager is responsible for making' is provided, distributed user identity management is adopted, authority management is carried out based on roles, and the identities and the roles are bound through an explicit protocol to realize access control on a root zone;
33) account book (hedger): recording local root members, root zone management protocols among the members and a database of root zone data; the method comprises the steps that three accounts books including members, root authorities and TLD authorities are contained according to different types (longitudinal division) of root zone data;
34) contract (Contract): the program for realizing the root zone management logic is triggered to execute by a transaction (transaction) submitted by a member, and the execution result is the operation on the account book; each contract is uniformly abstracted into a three-stage process of proposal, audit and termination.
Further, 31) the root zone division is as follows.
In order to give consideration to the unity and autonomy of root zone management, resource records in a root zone are divided into four resource record groups according to data sources: a root authoritative resource record group, a root server resource record group, a TLD authorized resource record group, and a signed resource record group. The local root chain implements management of the first three sets of data therein. FIG. 4 is a schematic diagram of root zone partitioning in the present invention.
311) Root authority resource record group: the part of the content from the root authority, including the starting authority resource record (SOA type) and DNSSEC public key resource record (DNSKEY type) of the root, can be different in the local root zone and the IANA root zone;
312) root server resource record group: from the root server operator, including a root server name resource record (NS type) and an IP address resource record (a/AAAA type), which may be different in the local root zone than in the IANA root zone;
313) TLD authorized resource record group: the content comes from TLD authority and comprises TLD authority server name resource records (NS type), IP address resource records (A/AAAA type) and DNSSEC public key abstract resource records (DS type), and the content is consistent with that in IANA root zone in the local root zone, thereby ensuring global unification;
314) signature resource record group: from the root authority, including DNSSEC subscription-related resource records (NSEC type and RRSIG type), this part of the content may be different in the local root zone than in the IANA root zone; the reason this part is not managed on the local root chain is two points: firstly, on the premise that DNSKEY is recorded on a block chain, the consistency of the signature does not need to be protected through the block chain; and secondly, the cryptology mechanism of the block chain platform can protect the data authenticity.
The root area division is abstracted into roles described below according to data sources, and is also a basis for designing a local root chain account book and a contract, and the updating process of each root area is given later. FIG. 5 is a diagram illustrating the relationship of the local root roles, protocols, and resource record ledger in the present invention.
Further, 32) identity and role details are as follows.
The design idea of the identity and role of the members (participants) on the local root chain is 'the local root manager is responsible for the system'. Membership is authenticated and a certificate is issued by a ca (certificate authority) established by the local root manager of the country in which it is located. The local root identifier is called local root code, represents the country to which the local root identifier belongs, and adopts the ISO 3166 standard as the CCTLD. The CAs of the respective local roots in the local root community exchange root certificates of each other to form a peer-to-peer multi-CA identity management hierarchy. The access control of the 'write right' of the account book on the chain is based on the role of the member, and the binding of the identity and the role is realized in the local root chain.
321) Identity: the Identity (ID) of a member is expressed as an organization name in the real world, and is composed of two parts, namely an organization name, a local root code; the name of an organization is assigned by the relevant regulatory agency of the country/region in which it is located. For example, the identity of the chinese internet information center may be denoted cnnic. The CA of each local root guarantees the uniqueness of each membership it authenticates. The identity authentication of the member is realized outside the chain, and the authenticated member is recorded on the chain;
322) role: roles are an intermediate abstraction that enables member and rights binding; the characters on the local root chain are shown in the following character part description; the local root manager is responsible for role management and records the binding of the identity and the role on a chain;
323) permission: performing mandatory access control on the linked transaction according to the role of the member and further on the root zone resource, namely determining the authority by the role, and binding the identity and the authority through identity management and role management; access control is implemented by contracts.
The local root chain is parallel to the current IANA root management, the former refers to the mode of the latter and comprises the separation of management function and maintenance function, and the separation of root area management and root service; these roles in the local root are performed by different role types, as follows:
3221) local Root Administrator (Local Root Administrator): the domain name management organization of the country is responsible for establishing a local root community together with local root managers of other countries, auditing the newly added local root managers and negotiating the policy on the local root chain; the system is responsible for on-chain member management and role management in the country, including assignment of the ccTLD authority; responsible for signing a local root service agreement with a local root server operator; responsible for generating Key Signing Keys (KSKs) in DNSSEC; the system is responsible for issuing a root authority resource record group;
3222) local root zone Maintainer (LRZ Maintainer): the maintenance mechanism of the local root, which is entrusted by the local root manager, is responsible for operating the local root chain link points in the local root chain; responsible for generating Zone Signing Keys (ZSK) in DNSSEC; the system is responsible for generating and releasing a local root zone from an account book on a local root chain;
3223) local Root Server Operator (Local Root Server Operator): the system is responsible for operating a local root server and providing domain name resolution service by adopting a local root zone; the local root server resource record group is responsible for publishing;
3224) top level domain Authority (TLD Authority): accessing a local root chain and issuing a TLD authorization resource record group; the method mainly comprises the steps that the CCTLD of the country where the local root is located is authoritative; the TLD authority which is not accessed into the local root chain, and the corresponding TLD authorized resource record group can be submitted by an IANA agent role;
3225) IANA agent: at present, the IANA function is executed by the cooperation of ICANN, PTI and VeriSign, the three are not involved in a local root chain, and the IANA function is abstracted into a role; the IANA agent is used for writing TLD authorized resource records which are not on the local root chain into an account book so as to ensure the completeness of the local root zone.
Further, 33) the book is specified as follows.
The data objects in the local root chain are stored as a plurality of accounts. The account book design idea is based on dividing root zones into bases, separating state data from updating process data and supporting root zone management processes. Dividing recorded data into four groups of account book data including a member account book group, a root authoritative account book group, a root server account book group and a TLD authoritative account book group according to different data division types; each group of accounts book comprises two types of account books, namely a protocol account book and a resource record account book.
Each book contains a type of data with strong relevance, and the latest data is called world state (world state). The account book comprises a plurality of tables (tables), and each table comprises a plurality of records (records). Each record has a unique primary key (key) identification, the suffix of each record primary key in the same account book is the same type field, and the primary keys of the records in the same table have the same prefix and different suffixes. From a state storage function perspective, the tables are divided into three categories: a state table (state table), an update table (update table), and a procedure table (procedure table). Each state table is provided with an updating table, and the format of the updating table is the same as that of the state table. The state table records the latest world state, and the corresponding update table records the state waiting for updating. When updating the state table, an update request is first written into the update table, and after the request is processed in the update table, whether or not to write into the state table is determined based on the processing result. The process table is responsible for storing relevant states, such as voting information and the like, in the process of processing the update request.
Further, 34) contract details are as follows.
The local root chain contract is a program for realizing root zone management logic, and abstracts the account book updating logic into a general proposal-audit-ending three-stage process. Contracts are triggered to execute by a member's submitted transaction, with parameters in the transaction as inputs and with operations on the ledger as outputs. Contracts implement access control according to the role of the transaction submitter, executing programs based on the current state in the book. Each role triggers the automatic execution of the intelligent contract by submitting transactions to the local root chain, and the execution results of the intelligent contract (i.e., the modification to the account book) are synchronized to all local roots through the blockchain consensus algorithm. The contract proposal-audit-end three-phase process comes from managing logical abstractions with the root zone. From the perspective of reconciliation book operations, root zone management logic can be divided into two categories: a contract that operates on a protocol table, referred to as a "certain protocol contract"; the contract for operating the resource record table is referred to as "some resource record change contract".
In summary, table 1 shows the relationship between the parts in the local root chain.
TABLE 1
From the perspective of authority of root zone management, the above-mentioned roles are established by the relationship of authorization and authorization between members, the relationship is described by recording the agreement book on the blockchain, and the authorization logic is realized by the contract on the blockchain. As representative of the local root community, the local root administrator "collectively" authorizes one local root administrator and IANA agent. A local root administrator authorises a local root maintainer of the local root, a local root server operator and a ccTLD authority.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.
Claims (9)
1. A decentralized DNS root zone management system is characterized by comprising a local root chain subsystem and a local root server subsystem, wherein the local root chain subsystem is used for realizing root zone data management by using a block chain, and the local root server subsystem is used for providing root zone analysis service; the local root chain subsystem comprises a root zone division module, an identity and role module, an account book module and a contract module; wherein the content of the first and second substances,
the root zone dividing module is used for dividing the resource record in the root zone into four different parts according to the data source and adopting different management logics for the parts; the four different parts comprise a root authoritative resource record group, a root server resource record group, a TLD authorized resource record group and a signature resource record group; the root authority resource record group is used for recording the starting authority resources and DNSSEC public key resources from the root of the root authority; the root server resource record group is used for recording root server name resources and IP address resources from a root server operator; the TLD authorized resource record group is used for recording TLD authoritative server name resources, IP address resource records and DNSSEC public key abstract resources from TLD authoritativeness; the signature resource record group is used for recording DNSSEC signature related resources from a root authority;
the identity and role module is used for binding the membership and the role type based on distributed membership management to realize access authority control;
the account book module is used for recording local root members, root zone management protocols among the members and root zone data;
the contract module is used for controlling access authority according to the role type and realizing root zone management logic based on the current state of the account book module;
the process of the local root chain subsystem for realizing root zone data management is as follows: and establishing an authorization and authorization relationship between members through the identity and role module, describing the relationship through data recorded by the account book module, and realizing the authorization logic through the contract module.
2. The decentralized DNS root zone management system according to claim 1, wherein said role types in said identity and role module include a local root manager, a local root zone maintainer, a local root server operator, a top-level domain authority and an IANA agent.
3. The system of claim 2, wherein the book module divides the recorded data into four sets of book data, namely, a member book set, a root authority book set, a root server book set and a TLD authority book set according to different data types.
4. The decentralized DNS root zone management system according to claim 3, wherein each set of accounts in said accounts book module includes both protocol accounts books and resource record accounts books.
5. The decentralized DNS root zone management system according to claim 4, wherein each type of book in the book module includes three tables, a status table, an update table and a procedure table.
6. The decentralized DNS root management system according to claim 5, wherein the contract module includes two types of contracts according to different operations of the reconciliation book module: agreement contracts and resource record change contracts; wherein the agreement contract is a contract operating on an agreement book; the resource record change contract is a contract that operates on a resource record book.
7. The decentralized DNS root zone management system according to claim 6, wherein the root authoritative resource record group, root server resource record group and signed resource record group record different content in the local root zone than in the IANA root zone; the content recorded by the TLD authorized resource record group is the same in the local root zone as in the IANA root zone.
8. The decentralized DNS root management system according to claim 7, wherein the right corresponding to the local root administrator includes: auditing a newly added local root manager, negotiating policies on a local root chain, being responsible for member management and role management on the chain in the country, signing a local root service agreement with an operator of a local root server, generating a key signature key in DNSSEC and issuing a root authority resource record group; the authority corresponding to the local root zone maintainer comprises: the method is used for operating local root chain nodes in a local root chain, generating a zone signature key in DNSSEC, generating a local root zone from an account book on the local root chain and issuing the local root zone; the authority corresponding to the local root server operator includes: the system is responsible for operating a local root server, providing domain name resolution service by adopting a local root zone and issuing a local root server resource record group; the authority corresponding to the top-level domain authority comprises: accessing a local root chain and issuing a TLD authorization resource record group; the authority corresponding to the IANA agent comprises the following steps: and writing the TLD authorized resource record which is not on the local root chain into the account book.
9. The decentralized DNS root management system according to claim 8, wherein the method for implementing the root management logic in the contract module is to abstract the data update process logic in the account book module into a general proposal-audit-end three-stage process.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110423197.XA CN113132384B (en) | 2021-04-20 | 2021-04-20 | Decentralized DNS root zone management system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110423197.XA CN113132384B (en) | 2021-04-20 | 2021-04-20 | Decentralized DNS root zone management system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113132384A CN113132384A (en) | 2021-07-16 |
| CN113132384B true CN113132384B (en) | 2022-04-19 |
Family
ID=76778055
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110423197.XA Active CN113132384B (en) | 2021-04-20 | 2021-04-20 | Decentralized DNS root zone management system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113132384B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114629823B (en) * | 2022-05-16 | 2022-09-06 | 鹏城实验室 | Server testing and monitoring method and device, terminal equipment and storage medium |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107613041A (en) * | 2017-09-22 | 2018-01-19 | 中国互联网络信息中心 | DNS management system, domain name management method and domain name analytic method based on block chain |
| CN108389045A (en) * | 2018-02-01 | 2018-08-10 | 北京泰尔英福网络科技有限责任公司 | Network identity root zone data managing method based on block chain technology and system |
| CN108768988A (en) * | 2018-05-17 | 2018-11-06 | 深圳前海微众银行股份有限公司 | Block chain access control method, equipment and computer readable storage medium |
| CN110012126A (en) * | 2019-04-02 | 2019-07-12 | 哈尔滨工业大学(深圳) | A kind of DNS system based on block chain technology |
| CN110071810A (en) * | 2019-04-25 | 2019-07-30 | 哈尔滨工业大学 | One card root implementation method certainly based on open source DNS software |
| CN110880966A (en) * | 2019-11-22 | 2020-03-13 | 哈尔滨工业大学 | Domain name resolution system building and domain name query method |
| CN112134967A (en) * | 2020-09-30 | 2020-12-25 | 中国互联网络信息中心 | Domain name resolution method and device based on common control chain |
| CN112153040A (en) * | 2020-09-21 | 2020-12-29 | 中国电子科技网络信息安全有限公司 | Intelligent contract installation, deployment and management method for block chain system application |
| CN112468602A (en) * | 2019-09-06 | 2021-03-09 | 傲为信息技术(江苏)有限公司 | Decentralized domain name registration system and method based on block chain |
| CN112468525A (en) * | 2019-09-06 | 2021-03-09 | 傲为信息技术(江苏)有限公司 | Domain name management system based on block chain |
| CN112468309A (en) * | 2019-09-06 | 2021-03-09 | 傲为信息技术(江苏)有限公司 | Domain name management system based on intelligent contract |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9141717B2 (en) * | 1999-03-22 | 2015-09-22 | Esdr Network Solutions Llc | Methods, systems, products, and devices for processing DNS friendly identifiers |
| CN108064444B (en) * | 2017-04-19 | 2020-05-19 | 北京大学深圳研究生院 | Domain name resolution system based on block chain |
-
2021
- 2021-04-20 CN CN202110423197.XA patent/CN113132384B/en active Active
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107613041A (en) * | 2017-09-22 | 2018-01-19 | 中国互联网络信息中心 | DNS management system, domain name management method and domain name analytic method based on block chain |
| CN108389045A (en) * | 2018-02-01 | 2018-08-10 | 北京泰尔英福网络科技有限责任公司 | Network identity root zone data managing method based on block chain technology and system |
| CN108768988A (en) * | 2018-05-17 | 2018-11-06 | 深圳前海微众银行股份有限公司 | Block chain access control method, equipment and computer readable storage medium |
| CN110012126A (en) * | 2019-04-02 | 2019-07-12 | 哈尔滨工业大学(深圳) | A kind of DNS system based on block chain technology |
| CN110071810A (en) * | 2019-04-25 | 2019-07-30 | 哈尔滨工业大学 | One card root implementation method certainly based on open source DNS software |
| CN112468602A (en) * | 2019-09-06 | 2021-03-09 | 傲为信息技术(江苏)有限公司 | Decentralized domain name registration system and method based on block chain |
| CN112468525A (en) * | 2019-09-06 | 2021-03-09 | 傲为信息技术(江苏)有限公司 | Domain name management system based on block chain |
| CN112468309A (en) * | 2019-09-06 | 2021-03-09 | 傲为信息技术(江苏)有限公司 | Domain name management system based on intelligent contract |
| CN110880966A (en) * | 2019-11-22 | 2020-03-13 | 哈尔滨工业大学 | Domain name resolution system building and domain name query method |
| CN112153040A (en) * | 2020-09-21 | 2020-12-29 | 中国电子科技网络信息安全有限公司 | Intelligent contract installation, deployment and management method for block chain system application |
| CN112134967A (en) * | 2020-09-30 | 2020-12-25 | 中国互联网络信息中心 | Domain name resolution method and device based on common control chain |
Non-Patent Citations (2)
| Title |
|---|
| "Blockchain-Based DNS Root Zone Management Decentralization for Internet of Things";Yu Zhang等;《Wireless Communications and Mobile Computing》;20210208;第1节、第4.2节、第5.5节、第7节 * |
| "基于区块链技术的DNS根域名系统研究与实现";彭林;《万方学位论文》;20201214;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113132384A (en) | 2021-07-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108064444B (en) | Domain name resolution system based on block chain | |
| CN111373704B (en) | Method, system and storage medium for supporting multimode identification network addressing progressive-entry IP | |
| CN108124502B (en) | Top-level domain name management method and system based on alliance chain | |
| CN110572398B (en) | Block chain network control method, device, equipment and storage medium | |
| Carter | LDAP System Administration: Putting Directories to Work | |
| US7617522B2 (en) | Authentication and authorization across autonomous network systems | |
| CN108777699B (en) | Application cross-domain access method based on Internet of things multi-domain collaborative architecture | |
| Chen et al. | BIdM: A blockchain-enabled cross-domain identity management system | |
| Kaminsky et al. | Decentralized user authentication in a global file system | |
| WO2021042785A1 (en) | Smart contract-based domain name management system | |
| CN113824563B (en) | Cross-domain identity authentication method based on block chain certificate | |
| Angieri et al. | A distributed autonomous organization for internet address management | |
| CN113132384B (en) | Decentralized DNS root zone management system | |
| Hepp et al. | Exploring potentials and challenges of blockchain-based public key infrastructures | |
| Liu et al. | A comparative study of blockchain-based dns design | |
| Zhang et al. | Blockchain-based DNS root zone management decentralization for Internet of Things | |
| Laccetti et al. | A framework model for grid security | |
| CN111343292B (en) | Authoritative DNS server information updating method and system | |
| Song et al. | Smart contract-based trusted content retrieval mechanism for NDN | |
| CN113067836B (en) | Intelligent contract system based on decentralized DNS root zone management | |
| CN114116609A (en) | Space authority management method, device and medium based on IPFS | |
| Bertino et al. | Protecting information on the Web | |
| Li et al. | Design and implementation of a scalable distributed DNS system | |
| CN112765203B (en) | Internet code number resource management method and device | |
| Lampson | Practical principles for computer security |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |