WO2016082274A1 - Dane extended query method and system supporting carrying of service address information - Google Patents

Dane extended query method and system supporting carrying of service address information Download PDF

Info

Publication number
WO2016082274A1
WO2016082274A1 PCT/CN2014/095172 CN2014095172W WO2016082274A1 WO 2016082274 A1 WO2016082274 A1 WO 2016082274A1 CN 2014095172 W CN2014095172 W CN 2014095172W WO 2016082274 A1 WO2016082274 A1 WO 2016082274A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
client
address information
address
tlsa
Prior art date
Application number
PCT/CN2014/095172
Other languages
French (fr)
Chinese (zh)
Inventor
延志伟
张海阔
胡安磊
李晓东
Original Assignee
中国科学院计算机网络信息中心
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中国科学院计算机网络信息中心 filed Critical 中国科学院计算机网络信息中心
Publication of WO2016082274A1 publication Critical patent/WO2016082274A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer

Definitions

  • the invention belongs to the technical field of network technology and DNS, and particularly relates to a DANE extended query method and system for supporting carrying service address information.
  • TLS Transport Layer Security
  • CA Digital Certification Authority
  • the CA will properly keep its private key, issue a digital certificate for the TLS server, and provide its public key to the TLS client.
  • the TLS client treats the CA's own public key as a "trust anchor" and uses this to verify the validity of the TLS server certificate. After the verification is passed, secure communication can be performed between the TLS server and the client.
  • CA mode allows any CA to issue digital certificates for the TLS server, which makes the system vulnerable.
  • CA violates security commitments, whether for subjective reasons or for objective reasons (such as a private key leak), all of which will result in the loss of security for all digital certificates issued by the CA.
  • Microsoft has issued a CA security alert and found that a CA agency called Comodo issued fraudulent digital certificates, causing damage to websites of companies such as Microsoft and Google.
  • the IETF DANE DNS-Based Authentication of Named Entities
  • TLSA TLSA is only a resource record name, no other meaning
  • DNSSEC Domain Name System Security Extensions
  • the core of the DANE protocol is: relying on DNSSEC (DNSSEC is a series of DNS security authentication mechanisms provided by the IETF (refer to RFC2535). It provides source identification and integrity assurance of DNS data) infrastructure to limit the CAs available to the TLS server. The scope so that the zone operator can declare the range of digital signatures available to the TLS client.
  • TLS clients can only accept digital certificates issued by certain specific CAs. If the digital certificates transmitted by the TLS server are not issued by these specific CAs, the TLS client can view these digital certificates as invalid.
  • the TLS client can only accept a specific digital certificate (or public key) instead of other certificates (or public keys), thus doing a CA digital certificate or public key that can be used for TLS. Further restrictions;
  • TLS client shall use the trust anchor declared by the zone to verify the digital certificate of the zone.
  • the first two categories mainly limit the scope of the existing trust anchor, and the third category provides a new trust anchor for the TLS client.
  • RFC 6698 defines the specific protocol format of the DANE resource record TLSA.
  • the TLSA resource record contains four options: Cert.Usage, Selector, Matching Type, and CertificateAssociation Data.
  • Cert.Usage used to indicate the specific type of declaration; from the above, there are three types: CA restricted type, certificate limited type, and trust anchor point declaration;
  • Matching Type used to indicate how the Certificate Association Data in the TLSA resource record matches the original data in the TLS server digital certificate. There are three ways: the original data is directly matched, and the original data is SHA-256 hashed. Match and perform SHA-512 hash matching on the original data;
  • Certificate Association Data stores related data, the data type is specified by Selector.
  • Alice maintains some Web resources on the zone example.cn.
  • Alice does not want any CA to issue a digital certificate for example.cn.
  • Alice needs to specify a CA (assumed Bob).
  • the digital certificate issued by the CA for example.cn is valid.
  • Alice wants to tell all clients that only Bob's digital certificate is valid, and any other CA's digital certificate is invalid.
  • the TLSA record this desire is easy to implement, and Alice only needs to add the following to the TLSA resource record:
  • the client When it accesses the web resource of example.cn, it can receive the above-mentioned TCPA resource record and use the above content to verify the TLS digital certificate it received from example.cn. If the certificate is issued by Bob, it is valid, otherwise it is invalid.
  • DNSSEC is a set of DNS security authentication mechanisms provided by the IETF to provide an extension of source authentication and data integrity. Although the principle is similar to the CA model, DNSSEC is based on technologies such as digital signature, but it improves the basic CA model in the following three aspects.
  • the key is bound to the domain name in the DNS, not to any identifier, so that it can be used by various Internet protocols;
  • the signed public key can be obtained through the DNS system.
  • the client can query the required public key by simply sending a normal DNS request, and the distribution of the public key is very simple;
  • the key of a zone can only be signed by the key of its parent zone.
  • the key of zone “example.com” can only be signed by zone “.com”
  • the zone of ".com” is dense.
  • the key can only be signed by the root key.
  • the client saves the public key of the trust authority and uses this to verify the legality of the identity information of other entities; the difference is that in DNSSEC, the public key is only stored in a single root domain, but in In the CA model, the public key is stored in a different CA.
  • the DANE protocol provides configuration flexibility for DNS zone operators and adds security for TLS transmissions, but the addition of the DANE protocol increases the latency of the TLS connection process.
  • the TLS client In addition to completing the TLS handshake and digital certificate verification, the TLS client has to wait for several DNS round-trip signaling interactions before it can learn the authenticated certificate and the address of the accessible server. This will cause the TLS connection to be extended for a few seconds, making some real-time services unbearable. This is mainly because the DANE query needs to generate a domain name containing special prefix information.
  • the prefix contains the port number supporting the TLS service and the corresponding protocol type, such as:
  • the address information (A record or AAAA record) of the client query server and its TLSA record become two separate steps, which leads to unnecessary increase of protocol overhead and increase of service delay.
  • the present invention is directed to the above problem, and provides a DANE extended query method and system for supporting carrying service address information.
  • the DANE protocol extension mechanism is implemented, which can significantly improve the entire domain name resolution process. s efficiency.
  • the present invention adopts the following technical solutions:
  • a DANE extended query method supporting carrying service address information includes the following steps:
  • the client sends a DNS request message for querying the TLSA resource record, where the head of the DNS request message is provided with a service address (SA) flag;
  • SA service address
  • the recursive server and the authoritative server respond to the DNS request message sent by the client, fill in the corresponding address information according to the setting of the service address flag, and return the address information and the TLSA resource record to the client through the response packet.
  • the service address flag is a two-bit flag, and the values are 00, 01, 10, and 11, and the meanings are as follows:
  • the client does not request any address information of the server
  • the client requests to carry the IPv4 address information of the server while returning the TLSA resource record, and the DNS response message includes not only the server's OTLS resource record but also at least one 32-bit IPv4 address;
  • the client requests to carry the IPv6 address information of the server while returning the TLSA resource record, and the DNS response message includes not only the server's OTLS resource record but also at least one 128-bit IPv6 address;
  • the client requests to carry the IPv4 and IPv6 address information of the server while returning the TLSA resource record.
  • the DNS response message includes not only the server's TTLS resource record, but also at least one 32-bit IPv4 address and at least one 128-bit IPv6 address.
  • step 2) is implemented by using a recursive server mode: after receiving the DNS request message of the client, the recursive server constructs a corresponding A record query request and/or AAAA record query request according to the service address flag and the service domain name to be queried, and The new request message is sent to the corresponding authoritative server. After receiving the TLSA and A/AAAA record query response from the authoritative server, the recursive server returns it to the client.
  • step 2) is implemented by using an authoritative server mode: the recursive server sends the DNS request message received from the client to the corresponding authoritative server without modification, and the authoritative server constructs a response message according to the setting of the service address flag bit, and sends the response message. The recursive server is then sent to the client.
  • a DANE extended query system supporting the service address information comprising a client, a recursive server and an authoritative server, wherein the header of the DNS request message sent by the client is provided with a service address (Service Address) , SA) flag bit; when the recursive server and the authoritative server respond to the DNS request message sent by the client, the corresponding address information is filled according to the setting of the service address flag bit, and the address information and the TLSA resource record are passed through the response packet.
  • SA Service Address
  • the invention realizes supporting bearer service address letter by adding flag bits and data fields in its OTLS resource record.
  • the DANE extension mechanism and the DNS query based on the extension mechanism reduce the delay of the TLS connection process, optimize the transmission overhead between the client and the recursive server, and the authoritative server, and significantly improve the efficiency of the entire domain name resolution process. .
  • 1 is a schematic diagram of an extended DNS request message in an embodiment.
  • FIG. 2 is a flow chart of an extended DNS query in an embodiment.
  • the invention extends the DANE protocol, adds a flag bit and a data field in its TLSA resource record, and standardizes its protocol flow.
  • the main contents include: adding a two-bit SA (Service Address) flag in the DNS message header. Bit; specifies the 32-bit data field containing the IPv4 address and the 128-bit data field containing the IPv6 address when querying the TLSA resource record; defines the rules and extended DANE protocol flow using the SA flag and its data fields.
  • SA Service Address
  • the SA flag is a two-bit flag, and its validity is only present in the type of DNS request message.
  • the header format of the extended DNS request message of the present invention is as shown in FIG. 1:
  • the SA values are 00, 01, 10, and 11.
  • the meanings are as follows:
  • ⁇ 00 The client does not request any address information of the server
  • ⁇ 01 The client requests to carry the IPv4 address information of the server while returning the TLSA resource record. If the value is set, the DNS response message should include not only the server's OTLS resource record, but also at least one 32-bit IPv4 address.
  • ⁇ 10 The client requests to carry the IPv6 address information of the server while returning the TLSA resource record. If the value is set, the DNS response message should include not only the server's OTLS resource record, but also at least one 128-bit IPv6 address.
  • ⁇ 11 The client requests to carry the IPv4 and IPv6 address information of the server while returning the TLSA resource record. If this value is set, the DNS response message should include not only the server's OTLS resource record, but also at least one 32-bit IPv4 address. At least one 128-bit IPv6 address.
  • the present invention is directed to returning one or more IP addresses in accordance with client requirements in a scalable manner in a TCPA request process. Therefore, it can be fully compatible with the response format using basic DNS messages, so two mechanisms for carrying address information are proposed:
  • the address information is placed after the TLSA RDATA, so as to flexibly support multiple address information (since the TLSA resource record has only one, the RDLENGTH in the response message can control the size of the RDATA).
  • the type of the address to be included should be indicated, which can be indicated by the TYPE in the response message.
  • the value of TYPE is not specified in the present invention, but in practical applications, the following four types need to be distinguished by TYPE:
  • Contains TLSA, A, and AAAA resource records.
  • the number of A and AAAA resource records can be indicated by RDLENGTH in the legacy DNS response message. If the relevant address cannot be returned according to the request type, the error indication should be made in the response message, but the service address should be returned as much as possible. For example, the client requests A and AAAA resource records, but the server does not support IPv6, only the A resource record is returned. .
  • Another embodiment is to carry the above address information in the Additional field of the DNS response packet.
  • the present invention proposes two query modes:
  • the client that wishes to query the TLSA record and return the service address information first sets the SA flag in the DNS request message. After receiving the DNS request message from the client, the recursive server finds that there is a SA flag set other than 00. It will be considered that the client wants to obtain the TLSA record and can obtain the address information of the service. The recursive server will further query according to the SA flag and pending query.
  • the service domain name constructs a corresponding A record query request or (and) AAAA record query request, and sends the new request message independently to the corresponding authoritative server.
  • the recursive server After receiving the TLSA and A/AAAA record query response, the recursive server returns to the client in two modes: 1) constructing a response message, in which the corresponding address information is filled according to the SA flag bit indication; 2) receiving the query of the domain name The response is immediately transmitted to the client in the return order.
  • the recursive server sends the DNS query request message received from the client to the corresponding authoritative server without modification.
  • the authoritative server constructs a response message according to the setting of the SA flag bit, and sends it back to the recursive server. And sent to the client.
  • the authoritative server does not need to support the mechanism proposed by the present invention, but its optimization degree to the basic protocol is low, that is, only the transmission overhead between the client and the recursive server is optimized; in the authoritative server mode, the authoritative server It is necessary to support the mechanism proposed by the present invention, and of course, to achieve maximum optimization, and significantly improve the efficiency of the entire domain name resolution process. For the latter, you should choose how to carry the address information (that is, whether it is placed in the Additional field) according to the specific implementation.
  • the client wants to access the HTTP server running TLS on port 443.
  • the server domain name is www.example.com
  • the corresponding domain name of the TLSA resource record is _443._tcp.www.example.com.
  • the client does not have the service address of www.example.com and wants to access the service via IPv4 or IPv6. Therefore, the query through the two modes is shown in Figure 2.
  • the client In the mode (1), that is, the recursive server mode, the client first sends a DNS request, where the query domain name is _443._tcp.www.example.com, indicating that the domain name of the TTLS resource record is queried, and the request message includes the setting.
  • the SA flag of 11 indicates that the client wants to query the A and AAAA resource records corresponding to the domain name.
  • the data packet After receiving the recursive server, the data packet is split into a DNS request for querying the TCPA type and a DNS request for querying the ANY type of www.example.com (including the DNS request type of multiple records such as A and AAAA of the domain name). Both messages are normal DNS requests, so there is no SA flag.
  • the authoritative server responds to it separately and sends it to the client by the recursive server.
  • the client In the mode (2), that is, the authoritative server mode, the client first sends a DNS request, where the query domain name is _443._tcp.www.example.com, indicating that the domain name of the TTLS resource record is queried, and the request message includes the setting.
  • the SA flag of 11 indicates that the client wants to query the A and AAAA resource records corresponding to the domain name.
  • the recursive server directly forwards the query data packet authoritative server. After receiving the query request, the authoritative server realizes that the recursive server wants to obtain the KSA of the domain name and the corresponding address information. So construct a response packet, which also contains the SA flag set to 11, which is then sent to the client by the recursive server.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a DANE extended query method and system supporting carrying of service address information. The method comprises: a client sends a DNS request message for querying a TLSA resource record, the header of the DNS request message being set with a service address flag bit; and in response to the DNS request message sent by the client, a recursive server and an authorized server fill in corresponding address information according to the setting of the service address flag bit, and return the address information and the TLSA resource record to the client through a response data packet. According to the present invention, the flag bit and a data field are added in the TLSA resource record to achieve an extended mechanism of the DANE protocol, and the efficiency of the whole domain name resolution process can be remarkably improved.

Description

支持携带服务地址信息的DANE扩展查询方法和系统DANE extended query method and system supporting carrying service address information 技术领域Technical field
本发明属于网络技术、DNS技术领域,具体涉及一种支持携带服务地址信息的DANE扩展查询方法和系统。The invention belongs to the technical field of network technology and DNS, and particularly relates to a DANE extended query method and system for supporting carrying service address information.
背景技术Background technique
通过互联网进行通信的应用程序面临信息被偷听、篡改或伪造的威胁,为此,当前互联网上有安全需求的数据传输一般采用传输层安全(Transport Layer Security,TLS)协议,对信道进行加密,来确保数据的完整性、机密性。TLS协议利用密钥算法在互联网上提供端点身份认证与通信保密,其基础是数字认证机构(Certification Authority,CA),即通过数字证书来绑定公钥与相关信息(包括所有者的名字、CA名称、公钥的有效期、CA的数字签名等)。CA机构会妥善保管其私钥,为TLS服务器签发数字证书,并将其公钥提供给TLS客户端。TLS客户端将CA机构自己的公钥视为“信任锚点”,并以此来验证TLS服务器证书的有效性。验证通过后,TLS服务器与客户端之间就可以进行安全通信了。上述公共CA模式虽应用广泛,但仍存在不尽如人意的地方,给信息的安全传输带来隐患:CA模式允许任何CA为TLS服务器签发数字证书,这会使系统变得脆弱,一旦某个CA违背安全承诺,不管是因为主观原因还是客观原因(如私钥发生泄漏),都必将造成该CA签发的所有数字证书失去安全功能。例如,微软曾发布过一条CA安全预警,发现一家名为Comodo的CA机构颁发了欺骗性的数字证书,给微软、谷歌等公司的网站带来损害。Applications that communicate over the Internet face the threat of eavesdropping, tampering, or forgery. For this reason, data transmissions with security requirements on the Internet generally use Transport Layer Security (TLS) to encrypt channels. To ensure the integrity and confidentiality of the data. The TLS protocol uses the key algorithm to provide endpoint identity authentication and communication privacy over the Internet. The basis is the Digital Certification Authority (CA), which binds the public key and related information (including the owner's name, CA) through a digital certificate. Name, validity period of the public key, digital signature of the CA, etc.). The CA will properly keep its private key, issue a digital certificate for the TLS server, and provide its public key to the TLS client. The TLS client treats the CA's own public key as a "trust anchor" and uses this to verify the validity of the TLS server certificate. After the verification is passed, secure communication can be performed between the TLS server and the client. Although the above public CA mode is widely used, there are still some unsatisfactory places, which brings hidden dangers to the secure transmission of information: CA mode allows any CA to issue digital certificates for the TLS server, which makes the system vulnerable. CA violates security commitments, whether for subjective reasons or for objective reasons (such as a private key leak), all of which will result in the loss of security for all digital certificates issued by the CA. For example, Microsoft has issued a CA security alert and found that a CA agency called Comodo issued fraudulent digital certificates, causing damage to websites of companies such as Microsoft and Google.
为此,IETF DANE(DNS-Based Authentication of Named Entities,基于DNS的命名实体认证)工作组设计了一种新的DNS资源记录TLSA(TLSA仅是一种资源记录的名称,无其它含义),以使用DNSSEC(Domain Name System Security Extensions,DNS安全扩展)基础设施来保存TLS协议中用到的数字证书或公钥。DANE协议的核心是:依托DNSSEC(DNSSEC是由IETF提供的一系列DNS安全认证的机制(可参考RFC2535)。它提供了DNS数据的来源鉴定和完整性保证)基础设施来限制TLS服务器可用的CA范围,从而使区(zone)操作员可以声明可供TLS客户端使用的数字签名的范围。To this end, the IETF DANE (DNS-Based Authentication of Named Entities) working group designed a new DNS resource record, TLSA (TLSA is only a resource record name, no other meaning), The DNSSEC (Domain Name System Security Extensions) infrastructure is used to store digital certificates or public keys used in the TLS protocol. The core of the DANE protocol is: relying on DNSSEC (DNSSEC is a series of DNS security authentication mechanisms provided by the IETF (refer to RFC2535). It provides source identification and integrity assurance of DNS data) infrastructure to limit the CAs available to the TLS server. The scope so that the zone operator can declare the range of digital signatures available to the TLS client.
具体而言,此类声明分为三大类:Specifically, such statements fall into three broad categories:
(1)CA限制声明:TLS客户端只能接受某些特定CA颁发的数字证书,若TLS服务器传输的数字证书不是由这些特定的CA所颁发,则TLS客户端可视这些数字证书为无效; (1) CA restriction statement: TLS clients can only accept digital certificates issued by certain specific CAs. If the digital certificates transmitted by the TLS server are not issued by these specific CAs, the TLS client can view these digital certificates as invalid.
(2)证书限制声明:TLS客户端只能接受某个特定的数字证书(或公钥),而不是其它证书(或公钥),这样就对TLS能用的CA数字证书或公钥做了进一步限制;(2) Certificate Restriction Statement: The TLS client can only accept a specific digital certificate (or public key) instead of other certificates (or public keys), thus doing a CA digital certificate or public key that can be used for TLS. Further restrictions;
(3)信任锚点声明:TLS客户端应使用由该区声明的信任锚点来验证该区的数字证书。(3) Trust Anchor Statement: The TLS client shall use the trust anchor declared by the zone to verify the digital certificate of the zone.
所有上述三类声明均可视为对信任锚点范围的限制,前两类主要限制当前已有信任锚点的范围,而第三类为TLS客户端提供了一个新的信任锚点。All of the above three types of declarations can be considered as restrictions on the scope of the trust anchor. The first two categories mainly limit the scope of the existing trust anchor, and the third category provides a new trust anchor for the TLS client.
RFC6698定义了DANE资源记录TLSA的具体协议格式,TLSA资源记录包含四个选项,分别为:Cert.Usage、Selector、Matching Type和CertificateAssociation Data。RFC 6698 defines the specific protocol format of the DANE resource record TLSA. The TLSA resource record contains four options: Cert.Usage, Selector, Matching Type, and CertificateAssociation Data.
其作用分别为:Their roles are:
(1)Cert.Usage:用来指示声明的具体类型;由上可知,共分三种类型:CA限制型、证书限制型、信任锚点声明;(1) Cert.Usage: used to indicate the specific type of declaration; from the above, there are three types: CA restricted type, certificate limited type, and trust anchor point declaration;
(2)Selector:用来指示Certificate Association Data中所存的数据来自TLS服务器证书中的哪一部分;Selector有两个选项:一个用于指示所存数据为数字证书,另一个用于指示所存数据为公钥;(2) Selector: used to indicate which part of the TLS server certificate the data stored in the Certificate Association Data comes from; the Selector has two options: one for indicating that the stored data is a digital certificate and the other for indicating that the stored data is a public key. ;
(3)Matching Type:用来指示TLSA资源记录中的Certificate Association Data如何与TLS服务器数字证书中的原始数据进行匹配;共有三种方式:原始数据直接匹配、对原始数据进行SHA-256哈希后匹配、对原始数据进行SHA-512哈希后匹配;(3) Matching Type: used to indicate how the Certificate Association Data in the TLSA resource record matches the original data in the TLS server digital certificate. There are three ways: the original data is directly matched, and the original data is SHA-256 hashed. Match and perform SHA-512 hash matching on the original data;
(4)Certificate Association Data:存储相关数据,数据类型由Selector指定。(4) Certificate Association Data: stores related data, the data type is specified by Selector.
现举例说明DANE原理如下:The example of DANE is as follows:
假设Alice在区example.cn上维护着一些Web资源,为确保该域名的安全运行,Alice不希望随便哪个CA都可以为example.cn颁发数字证书,则Alice需要指定某个CA(假设为Bob),且只有由该CA为example.cn颁发的数字证书才有效。此时,Alice希望告诉所有的客户端:只有Bob的数字证书才是有效的,其它任何CA的数字证书都是无效的。有了TLSA记录,这一愿望就很容易实现,Alice只需在TLSA资源记录中增加以下内容:Suppose Alice maintains some Web resources on the zone example.cn. In order to ensure the safe operation of the domain name, Alice does not want any CA to issue a digital certificate for example.cn. Alice needs to specify a CA (assumed Bob). And only the digital certificate issued by the CA for example.cn is valid. At this point, Alice wants to tell all clients that only Bob's digital certificate is valid, and any other CA's digital certificate is invalid. With the TLSA record, this desire is easy to implement, and Alice only needs to add the following to the TLSA resource record:
● Usage:限制CA● Usage: Limit CA
● Selector:数字证书● Selector: Digital certificate
● Matching Type:SHA-256哈希● Matching Type: SHA-256 hash
● Certificate Association Data:Bob数字证书的SHA-256哈希值● Certificate Association Data: SHA-256 hash of the Bob digital certificate
假设客户端为Charlie,在其访问example.cn的Web资源时,可以收到上述TLSA资源记录,并使用上述内容来验证其收到的、来自example.cn的TLS数字证书。若该证书由Bob签发,则有效,否则无效。 Suppose the client is Charlie. When it accesses the web resource of example.cn, it can receive the above-mentioned TCPA resource record and use the above content to verify the TLS digital certificate it received from example.cn. If the certificate is issued by Bob, it is valid, otherwise it is invalid.
DANE协议使用DNSSEC基础设施来保存TLS协议中用到的数字证书或公钥,这使得DANE协议继承了DNSSEC协议的各种优点。DNSSEC是由IETF提供的一系列DNS安全认证机制,用于提供一种关于来源鉴定和数据完整性的扩展。虽然原理与CA模型类似,DNSSEC也是基于数字签名等技术,但它在以下三个方面对基础的CA模型做了改进。The DANE protocol uses the DNSSEC infrastructure to hold the digital certificates or public keys used in the TLS protocol, which allows the DANE protocol to inherit the various advantages of the DNSSEC protocol. DNSSEC is a set of DNS security authentication mechanisms provided by the IETF to provide an extension of source authentication and data integrity. Although the principle is similar to the CA model, DNSSEC is based on technologies such as digital signature, but it improves the basic CA model in the following three aspects.
(1)密钥是与DNS中的域名相绑定,而不是与任意的标识符相绑定,以便各类互联网协议使用;(1) The key is bound to the domain name in the DNS, not to any identifier, so that it can be used by various Internet protocols;
(2)签名后的公钥可以通过DNS系统来获取,客户端只需发送一个普通的DNS请求就可以查询到所需的公钥,公钥的分发非常简单;(2) The signed public key can be obtained through the DNS system. The client can query the required public key by simply sending a normal DNS request, and the distribution of the public key is very simple;
(3)一个区的密钥只能由其父区的密钥来签名,例如,区“example.com”的密钥只能由区“.com”来签名,而区“.com”的密钥只能由根密钥来签名。(3) The key of a zone can only be signed by the key of its parent zone. For example, the key of zone "example.com" can only be signed by zone ".com", and the zone of ".com" is dense. The key can only be signed by the root key.
在CA模型和DNSSEC中,客户端都保存了信任机构的公钥并用此来验证其它实体身份信息的合法性;不同的是,在DNSSEC中,该公钥只保存在单个根域中,而在CA模型中,公钥却保存在不同的CA中。In the CA model and DNSSEC, the client saves the public key of the trust authority and uses this to verify the legality of the identity information of other entities; the difference is that in DNSSEC, the public key is only stored in a single root domain, but in In the CA model, the public key is stored in a different CA.
DANE协议为DNS区操作员带来了配置灵活性,为TLS传输增加了安全性,但DANE协议的加入会增大TLS连接过程的延时。除完成TLS握手以及数字证书验证之外,TLS客户端还需等待若干个DNS往返信令交互后才能获知经验证的证书以及可访问的服务器地址。这将导致TLS连接建立时延长达数秒,使一些实时性较高的业务无法忍受。这主要由于DANE的查询需要生成一个包含特殊前缀信息的域名,前缀中包含支持TLS服务的端口号和对应的协议类型,如:The DANE protocol provides configuration flexibility for DNS zone operators and adds security for TLS transmissions, but the addition of the DANE protocol increases the latency of the TLS connection process. In addition to completing the TLS handshake and digital certificate verification, the TLS client has to wait for several DNS round-trip signaling interactions before it can learn the authenticated certificate and the address of the accessible server. This will cause the TLS connection to be extended for a few seconds, making some real-time services unbearable. This is mainly because the DANE query needs to generate a domain name containing special prefix information. The prefix contains the port number supporting the TLS service and the corresponding protocol type, such as:
1)如请求一个在443端口运行TLS的HTTP服务器,服务器域名为www.example.com,那么查询的TLSA资源记录对应域名为:_443._tcp.www.example.com;1) If you request an HTTP server running TLS on port 443, the server domain name is www.example.com, then the corresponding domain name of the TLSA resource record is _443._tcp.www.example.com;
2)如请求一个在25端口运行STARTTLS的SMTP服务器,服务器域名为mail.example.com,那么查询的TLSA资源记录对应域名为:_25._tcp.mail.example.com。2) If you request an SMTP server running STARTTLS on port 25, the server domain name is mail.example.com, then the corresponding domain name of the TLSA resource record is _25._tcp.mail.example.com.
因此,客户端查询服务器的地址信息(A记录或AAAA记录)与其TLSA记录成为两个分离的步骤,带来了协议开销的不必要增大和服务时延的增加。Therefore, the address information (A record or AAAA record) of the client query server and its TLSA record become two separate steps, which leads to unnecessary increase of protocol overhead and increase of service delay.
发明内容Summary of the invention
本发明针对上述问题,提供一种支持携带服务地址信息的DANE扩展查询方法和系统,通过在其TLSA资源记录中增加标志位和数据字段实现了DANE协议的扩展机制,能够显著提高整个域名解析流程的效率。 The present invention is directed to the above problem, and provides a DANE extended query method and system for supporting carrying service address information. By adding a flag bit and a data field in the TLSA resource record, the DANE protocol extension mechanism is implemented, which can significantly improve the entire domain name resolution process. s efficiency.
为实现上述目的,本发明采用如下技术方案:To achieve the above object, the present invention adopts the following technical solutions:
一种支持携带服务地址信息的DANE扩展查询方法,包括如下步骤:A DANE extended query method supporting carrying service address information includes the following steps:
1)客户端发送查询TLSA资源记录的DNS请求消息,所述DNS请求消息的头部设有服务地址(Service Address,SA)标志位;1) The client sends a DNS request message for querying the TLSA resource record, where the head of the DNS request message is provided with a service address (SA) flag;
2)递归服务器和权威服务器响应客户端发来的DNS请求消息,根据所述服务地址标志位的设置情况填充对应的地址信息,将该地址信息和TLSA资源记录通过响应数据包返回给客户端。2) The recursive server and the authoritative server respond to the DNS request message sent by the client, fill in the corresponding address information according to the setting of the service address flag, and return the address information and the TLSA resource record to the client through the response packet.
进一步地,所述服务地址标志位为两比特标志位,其取值为00、01、10和11,其含义分别如下:Further, the service address flag is a two-bit flag, and the values are 00, 01, 10, and 11, and the meanings are as follows:
00:客户端不请求服务器的任何地址信息;00: The client does not request any address information of the server;
01:客户端请求在TLSA资源记录返回同时携带服务器的IPv4地址信息,在DNS响应消息中不仅包含服务器的TLSA资源记录,还携带至少一个32比特的IPv4地址;01: The client requests to carry the IPv4 address information of the server while returning the TLSA resource record, and the DNS response message includes not only the server's OTLS resource record but also at least one 32-bit IPv4 address;
10:客户端请求在TLSA资源记录返回同时携带服务器的IPv6地址信息,在DNS响应消息中不仅包含服务器的TLSA资源记录,还携带至少一个128比特的IPv6地址;10: The client requests to carry the IPv6 address information of the server while returning the TLSA resource record, and the DNS response message includes not only the server's OTLS resource record but also at least one 128-bit IPv6 address;
11:客户端请求在TLSA资源记录返回同时携带服务器的IPv4和IPv6地址信息,在DNS响应消息中不仅包含服务器的TLSA资源记录,还携带至少一个32比特IPv4地址以及至少一个128比特的IPv6地址。11: The client requests to carry the IPv4 and IPv6 address information of the server while returning the TLSA resource record. The DNS response message includes not only the server's TTLS resource record, but also at least one 32-bit IPv4 address and at least one 128-bit IPv6 address.
进一步地,步骤2)采用递归服务器模式实现:递归服务器接收到客户端的DNS请求消息之后,根据服务地址标志位和待查询的服务域名构造对应的A记录查询请求和/或AAAA记录查询请求,并将新的请求消息发送给对应的权威服务器,递归服务器从权威服务器接收到TLSA以及A/AAAA记录查询应答后,将其返回给客户端。Further, step 2) is implemented by using a recursive server mode: after receiving the DNS request message of the client, the recursive server constructs a corresponding A record query request and/or AAAA record query request according to the service address flag and the service domain name to be queried, and The new request message is sent to the corresponding authoritative server. After receiving the TLSA and A/AAAA record query response from the authoritative server, the recursive server returns it to the client.
进一步地,步骤2)采用权威服务器模式实现:递归服务器把从客户端接收到的DNS请求消息不修改地发送给对应的权威服务器,权威服务器根据服务地址标志位的设置情况构造响应消息,并发送回递归服务器进而发送给客户端。Further, step 2) is implemented by using an authoritative server mode: the recursive server sends the DNS request message received from the client to the corresponding authoritative server without modification, and the authoritative server constructs a response message according to the setting of the service address flag bit, and sends the response message. The recursive server is then sent to the client.
一种采用上述方法的支持携带服务地址信息的DANE扩展查询系统,包括客户端、递归服务器和权威服务器,其特征在于,所述客户端发出的DNS请求消息的头部设有服务地址(Service Address,SA)标志位;递归服务器和权威服务器响应客户端发来的DNS请求消息时,根据所述服务地址标志位的设置情况填充对应的地址信息,将该地址信息和TLSA资源记录通过响应数据包返回给客户端。A DANE extended query system supporting the service address information, comprising a client, a recursive server and an authoritative server, wherein the header of the DNS request message sent by the client is provided with a service address (Service Address) , SA) flag bit; when the recursive server and the authoritative server respond to the DNS request message sent by the client, the corresponding address information is filled according to the setting of the service address flag bit, and the address information and the TLSA resource record are passed through the response packet. Return to the client.
本发明通过在其TLSA资源记录中增加标志位和数据字段,实现了支持携带服务地址信 息的DANE扩展机制,以及基于该扩展机制的DNS查询,减小了TLS连接过程的延时,优化了客户端与递归服务器、权威服务器之间的传输开销,显著提高了整个域名解析流程的效率。The invention realizes supporting bearer service address letter by adding flag bits and data fields in its OTLS resource record. The DANE extension mechanism and the DNS query based on the extension mechanism reduce the delay of the TLS connection process, optimize the transmission overhead between the client and the recursive server, and the authoritative server, and significantly improve the efficiency of the entire domain name resolution process. .
附图说明DRAWINGS
图1是实施例中扩展的DNS请求消息示意图。1 is a schematic diagram of an extended DNS request message in an embodiment.
图2是实施例中扩展的DNS查询流程图。2 is a flow chart of an extended DNS query in an embodiment.
具体实施方式detailed description
下面通过具体实施例和附图,对本发明做进一步说明。The invention will be further illustrated by the following specific examples and the accompanying drawings.
本发明扩展了DANE协议,在其TLSA资源记录中增加了标志位和数据字段,并规范了其协议流程,主要内容包括:在DNS消息头部增加两比特的SA(Service Address,服务地址)标志位;规范了在查询TLSA资源记录时如何包含IPv4地址的32比特数据字段和包含IPv6地址的128比特数据字段;定义了使用SA标志位及其数据字段的规则和扩展的DANE协议流程。The invention extends the DANE protocol, adds a flag bit and a data field in its TLSA resource record, and standardizes its protocol flow. The main contents include: adding a two-bit SA (Service Address) flag in the DNS message header. Bit; specifies the 32-bit data field containing the IPv4 address and the 128-bit data field containing the IPv6 address when querying the TLSA resource record; defines the rules and extended DANE protocol flow using the SA flag and its data fields.
1)SA标志位1) SA flag
SA标志位为两比特标志位,其有效性仅存在于DNS请求消息的类型的TLSA,本发明扩展后的DNS请求消息头部格式如图1所示:The SA flag is a two-bit flag, and its validity is only present in the type of DNS request message. The header format of the extended DNS request message of the present invention is as shown in FIG. 1:
SA取值为00、01、10和11。其含义分别如下:The SA values are 00, 01, 10, and 11. The meanings are as follows:
● 00:客户端不请求服务器的任何地址信息;● 00: The client does not request any address information of the server;
● 01:客户端请求在TLSA资源记录返回同时携带服务器的IPv4地址信息,如果置此值,在DNS响应消息中不仅应包含服务器的TLSA资源记录,还应携带至少一个32比特的IPv4地址;● 01: The client requests to carry the IPv4 address information of the server while returning the TLSA resource record. If the value is set, the DNS response message should include not only the server's OTLS resource record, but also at least one 32-bit IPv4 address.
● 10:客户端请求在TLSA资源记录返回同时携带服务器的IPv6地址信息,如果置此值,在DNS响应消息中不仅应包含服务器的TLSA资源记录,还应携带至少一个128比特的IPv6地址;● 10: The client requests to carry the IPv6 address information of the server while returning the TLSA resource record. If the value is set, the DNS response message should include not only the server's OTLS resource record, but also at least one 128-bit IPv6 address.
● 11:客户端请求在TLSA资源记录返回同时携带服务器的IPv4和IPv6地址信息,如果置此值,在DNS响应消息中不仅应包含服务器的TLSA资源记录,还应携带至少一个32比特IPv4地址以及至少一个128比特的IPv6地址。● 11: The client requests to carry the IPv4 and IPv6 address information of the server while returning the TLSA resource record. If this value is set, the DNS response message should include not only the server's OTLS resource record, but also at least one 32-bit IPv4 address. At least one 128-bit IPv6 address.
上述SA的四个取值只是标识作用,因此也可以采用其它顺序对应上述四种含义,比如 01也可以用来表示00的含义,00也可以用来表示01的含义等,本发明不受此限制。The four values of the foregoing SA are only for the identification function, so other sequences may be used to correspond to the above four meanings, for example, 01 can also be used to indicate the meaning of 00, 00 can also be used to indicate the meaning of 01, etc., and the present invention is not limited thereto.
2)地址信息2) Address information
本发明旨在以可扩展的方式在一个TLSA请求过程中按照客户端需求返回一个或多个IP地址。因此,可以完全兼容使用基本DNS消息的响应格式,故提出两种携带地址信息的机制:The present invention is directed to returning one or more IP addresses in accordance with client requirements in a scalable manner in a TCPA request process. Therefore, it can be fully compatible with the response format using basic DNS messages, so two mechanisms for carrying address information are proposed:
(1)将地址信息放置在TLSA RDATA之后,以此来灵活支持多个地址信息(由于TLSA资源记录只有一个,其响应消息中的RDLENGTH可以控制RDATA的大小)。此外,在DNS响应消息中,应该指示所包含的地址的类型,可以通过响应消息中的TYPE进行指示。在本发明中暂不规定TYPE的取值,但在实际应用中需要通过TYPE区分如下四种类型:(1) The address information is placed after the TLSA RDATA, so as to flexibly support multiple address information (since the TLSA resource record has only one, the RDLENGTH in the response message can control the size of the RDATA). In addition, in the DNS response message, the type of the address to be included should be indicated, which can be indicated by the TYPE in the response message. In the present invention, the value of TYPE is not specified in the present invention, but in practical applications, the following four types need to be distinguished by TYPE:
●仅包含TLSA资源记录;● Only contain TLSA resource records;
●包含TLSA资源记录和A资源记录;● Contains TLSA resource records and A resource records;
●包含TLSA资源记录和AAAA资源记录;● Contains TLSA resource records and AAAA resource records;
●包含TLSA、A和AAAA资源记录。● Contains TLSA, A, and AAAA resource records.
A与AAAA资源记录的数量可以通过传统DNS响应消息中的RDLENGTH指示。如不能按照请求类型返回相关地址,则应在响应消息中进行错误指示,但尽可能返回服务地址,例如:客户端请求A和AAAA资源记录,但服务器并不支持IPv6,则只返回A资源记录。The number of A and AAAA resource records can be indicated by RDLENGTH in the legacy DNS response message. If the relevant address cannot be returned according to the request type, the error indication should be made in the response message, but the service address should be returned as much as possible. For example, the client requests A and AAAA resource records, but the server does not support IPv6, only the A resource record is returned. .
(2)另一种实施方案是在DNS响应数据包的Additional字段中携带上述地址信息。(2) Another embodiment is to carry the above address information in the Additional field of the DNS response packet.
3)查询模式3) Query mode
基于此扩展机制的实际应用场景,本发明提出两种查询模式:Based on the actual application scenario of this extension mechanism, the present invention proposes two query modes:
●递归服务器模式● Recursive server mode
在此模式下,希望查询TLSA记录同时返回服务地址信息的客户端首先在DNS请求消息中设置SA标志位。递归服务器接收到客户端的DNS请求消息之后,发现其中有非00的SA标志位设置,将认为客户端希望获得TLSA记录同时能得到该服务的地址信息,递归服务器进一步将根据SA标志位和待查询的服务域名构造对应的A记录查询请求或(和)AAAA记录查询请求,并将新的请求消息独立发送给对应的权威服务器。In this mode, the client that wishes to query the TLSA record and return the service address information first sets the SA flag in the DNS request message. After receiving the DNS request message from the client, the recursive server finds that there is a SA flag set other than 00. It will be considered that the client wants to obtain the TLSA record and can obtain the address information of the service. The recursive server will further query according to the SA flag and pending query. The service domain name constructs a corresponding A record query request or (and) AAAA record query request, and sends the new request message independently to the corresponding authoritative server.
递归服务器接收到TLSA以及A/AAAA记录查询应答后,以两种模式返回给客户端:1)构造一个响应消息,其中按照SA标志位指示填充对应的地址信息;2)接收到该域名的查询响应就立刻按返回顺序传输给客户端。After receiving the TLSA and A/AAAA record query response, the recursive server returns to the client in two modes: 1) constructing a response message, in which the corresponding address information is filled according to the SA flag bit indication; 2) receiving the query of the domain name The response is immediately transmitted to the client in the return order.
●权威服务器模式● Authoritative server mode
在此模式下,递归服务器把从客户端接收到的DNS查询请求消息不修改地发送给对应的权威服务器,权威服务器根据SA标志位的设置情况构造响应消息,并发送回递归服务器进 而发送给客户端。In this mode, the recursive server sends the DNS query request message received from the client to the corresponding authoritative server without modification. The authoritative server constructs a response message according to the setting of the SA flag bit, and sends it back to the recursive server. And sent to the client.
●比较●Compar
在递归服务器模式下,权威服务器无需支持本发明所提机制,但其对于基本协议的优化程度较低,即仅优化了客户端和递归服务器之间的传输开销;在权威服务器模式下,权威服务器需支持本发明所提机制,当然也实现了最大限度的优化,显著提高了整个域名解析流程的效率。对于后者,应根据具体实施选择如何携带地址信息(即是否放在Additional字段中)。In the recursive server mode, the authoritative server does not need to support the mechanism proposed by the present invention, but its optimization degree to the basic protocol is low, that is, only the transmission overhead between the client and the recursive server is optimized; in the authoritative server mode, the authoritative server It is necessary to support the mechanism proposed by the present invention, and of course, to achieve maximum optimization, and significantly improve the efficiency of the entire domain name resolution process. For the latter, you should choose how to carry the address information (that is, whether it is placed in the Additional field) according to the specific implementation.
4)示例4) Example
本实施例中,客户端希望访问在443端口运行TLS的HTTP服务器,服务器域名为www.example.com,那么查询的TLSA资源记录对应域名为_443._tcp.www.example.com。假设客户端没有www.example.com的服务地址,并希望能通过IPv4或IPv6访问该服务。因此通过两种模式的查询如图2所示。In this embodiment, the client wants to access the HTTP server running TLS on port 443. The server domain name is www.example.com, and the corresponding domain name of the TLSA resource record is _443._tcp.www.example.com. Suppose the client does not have the service address of www.example.com and wants to access the service via IPv4 or IPv6. Therefore, the query through the two modes is shown in Figure 2.
在模式(1)即递归服务器模式下,客户端首先发送DNS请求,其中包含的查询域名为_443._tcp.www.example.com,表示查询该域名的TLSA资源记录,此外请求消息中包含设置为11的SA标志位,表明此客户端希望查询该域名对应的A和AAAA资源记录。递归服务器接收到之后,拆分该数据包为查询TLSA类型的DNS请求以及查询www.example.com的ANY类型(包含该域名的A与AAAA等多种记录的DNS请求类型)的DNS请求。这两个消息都是通常的DNS请求,所以没有SA标志位。权威服务器则分别对其进行响应,进而由递归服务器发送给客户端。In the mode (1), that is, the recursive server mode, the client first sends a DNS request, where the query domain name is _443._tcp.www.example.com, indicating that the domain name of the TTLS resource record is queried, and the request message includes the setting. The SA flag of 11 indicates that the client wants to query the A and AAAA resource records corresponding to the domain name. After receiving the recursive server, the data packet is split into a DNS request for querying the TCPA type and a DNS request for querying the ANY type of www.example.com (including the DNS request type of multiple records such as A and AAAA of the domain name). Both messages are normal DNS requests, so there is no SA flag. The authoritative server responds to it separately and sends it to the client by the recursive server.
在模式(2)即权威服务器模式下,客户端首先发送DNS请求,其中包含的查询域名为_443._tcp.www.example.com,表示查询该域名的TLSA资源记录,此外请求消息中包含设置为11的SA标志位,表明此客户端希望查询该域名对应的A和AAAA资源记录。递归服务器直接转发该查询数据包权威服务器,权威服务器接收到查询请求后意识到该递归服务器希望获得该域名的TLSA以及对应的地址信息。所以构造一个响应数据包,其中也包含设置为11的SA标志位,进而由递归服务器发送给客户端。In the mode (2), that is, the authoritative server mode, the client first sends a DNS request, where the query domain name is _443._tcp.www.example.com, indicating that the domain name of the TTLS resource record is queried, and the request message includes the setting. The SA flag of 11 indicates that the client wants to query the A and AAAA resource records corresponding to the domain name. The recursive server directly forwards the query data packet authoritative server. After receiving the query request, the authoritative server realizes that the recursive server wants to obtain the KSA of the domain name and the corresponding address information. So construct a response packet, which also contains the SA flag set to 11, which is then sent to the client by the recursive server.
以上实施例仅用以说明本发明的技术方案而非对其进行限制,本领域的普通技术人员可以对本发明的技术方案进行修改或者等同替换,而不脱离本发明的精神和范围,本发明的保护范围应以权利要求所述为准。 The above embodiments are only used to illustrate the technical solutions of the present invention, and the present invention is not limited thereto, and those skilled in the art can modify or replace the technical solutions of the present invention without departing from the spirit and scope of the present invention. The scope of protection shall be as stated in the claims.

Claims (10)

  1. 一种支持携带服务地址信息的DANE扩展查询方法,其特征在于,包括如下步骤:A DANE extended query method for supporting carrying service address information, comprising the following steps:
    1)客户端发送查询TLSA资源记录的DNS请求消息,所述DNS请求消息的头部设有服务地址标志位;1) The client sends a DNS request message for querying the TLSA resource record, where the head of the DNS request message is provided with a service address flag bit;
    2)递归服务器和权威服务器响应客户端发来的DNS请求消息,根据所述服务地址标志位的设置情况填充对应的地址信息,将该地址信息和TLSA资源记录通过响应数据包返回给客户端。2) The recursive server and the authoritative server respond to the DNS request message sent by the client, fill in the corresponding address information according to the setting of the service address flag, and return the address information and the TLSA resource record to the client through the response packet.
  2. 如权利要求1所述的方法,其特征在于:所述服务地址标志位为两比特标志位,其取值为00、01、10和11,其含义分别如下:The method according to claim 1, wherein said service address flag is a two-bit flag, and the values are 00, 01, 10, and 11, and the meanings thereof are as follows:
    00:客户端不请求服务器的任何地址信息;00: The client does not request any address information of the server;
    01:客户端请求在TLSA资源记录返回同时携带服务器的IPv4地址信息,在DNS响应消息中不仅包含服务器的TLSA资源记录,还携带至少一个32比特的IPv4地址;01: The client requests to carry the IPv4 address information of the server while returning the TLSA resource record, and the DNS response message includes not only the server's OTLS resource record but also at least one 32-bit IPv4 address;
    10:客户端请求在TLSA资源记录返回同时携带服务器的IPv6地址信息,在DNS响应消息中不仅包含服务器的TLSA资源记录,还携带至少一个128比特的IPv6地址;10: The client requests to carry the IPv6 address information of the server while returning the TLSA resource record, and the DNS response message includes not only the server's OTLS resource record but also at least one 128-bit IPv6 address;
    11:客户端请求在TLSA资源记录返回同时携带服务器的IPv4和IPv6地址信息,在DNS响应消息中不仅包含服务器的TLSA资源记录,还携带至少一个32比特IPv4地址以及至少一个128比特的IPv6地址。11: The client requests to carry the IPv4 and IPv6 address information of the server while returning the TLSA resource record. The DNS response message includes not only the server's TTLS resource record, but also at least one 32-bit IPv4 address and at least one 128-bit IPv6 address.
  3. 如权利要求1或2所述的方法,其特征在于:所述递归服务器和权威服务器响应客户端的DNS请求消息时,将地址信息放置在TLSARDATA之后,或者在DNS响应数据包的Additional字段中携带上述地址信息。The method according to claim 1 or 2, wherein when the recursive server and the authoritative server respond to the client's DNS request message, the address information is placed after the TLSARDATA, or the above is carried in the Additional field of the DNS response packet. Address information.
  4. 如权利要求3所述的方法,其特征在于:对于所述将地址信息放置在TLSARDATA之后的方式,在DNS响应消息中通过TYPE指示所包含的地址的类型,包括四种类型:仅包含TLSA资源记录;包含TLSA资源记录和A资源记录;包含TLSA资源记录和AAAA资源记录;包含TLSA、A和AAAA资源记录。The method according to claim 3, wherein for the manner in which the address information is placed after the TLSARDATA, the type of the address included by the TYPE is indicated in the DNS response message, and includes four types: only the TLSA resource is included. Record; contains TLSA resource records and A resource records; contains TLSA resource records and AAAA resource records; contains TLSA, A, and AAAA resource records.
  5. 如权利要求4所述的方法,其特征在于:通过传统DNS响应消息中的RDLENGTH指示A与AAAA资源记录的数量;如不能按照请求类型返回相关地址,则应在响应消息中进行错误指示。The method of claim 4, wherein the number of A and AAAA resource records is indicated by RDLENGTH in the conventional DNS response message; if the relevant address cannot be returned according to the request type, an error indication should be made in the response message.
  6. 如权利要求1所述的方法,其特征在于,步骤2)采用递归服务器模式实现:递归服务器接收到客户端的DNS请求消息之后,根据服务地址标志位和待查询的服务域名构造对应的A记录查询请求和/或AAAA记录查询请求,并将新的请求消息发送给对应的权威服务器,递 归服务器从权威服务器接收到TLSA以及A/AAAA记录查询应答后,将其返回给客户端。The method according to claim 1, wherein the step 2) is implemented in a recursive server mode: after receiving the DNS request message of the client, the recursive server constructs a corresponding A record query according to the service address flag and the service domain name to be queried. Request and / or AAAA record query request, and send a new request message to the corresponding authoritative server, hand After the server receives the TLSA and A/AAAA record query response from the authoritative server, it returns it to the client.
  7. 如权利要求6所述的方法,其特征在于,递归服务器将TLSA以及A/AAAA记录查询应答以两种模式返回给客户端:a)构造一个响应消息,其中按照服务地址标志位指示填充对应的地址信息;b)接收到该域名的查询响应就立刻按返回顺序传输给客户端。The method of claim 6 wherein the recursive server returns the TLSA and the A/AAAA record query response to the client in two modes: a) constructing a response message, wherein the corresponding address is populated according to the service address flag bit indication Address information; b) The query response to the domain name is immediately transmitted to the client in the return order.
  8. 如权利要求1所述的方法,其特征在于,步骤2)采用权威服务器模式实现:递归服务器把从客户端接收到的DNS请求消息不修改地发送给对应的权威服务器,权威服务器根据服务地址标志位的设置情况构造响应消息,并发送回递归服务器进而发送给客户端。The method according to claim 1, wherein the step 2) is implemented in an authoritative server mode: the recursive server sends the DNS request message received from the client to the corresponding authoritative server without modification, and the authoritative server according to the service address flag The setting of the bit constructs a response message and sends it back to the recursive server for transmission to the client.
  9. 一种采用权利要求1所述方法的支持携带服务地址信息的DANE扩展查询系统,包括客户端、递归服务器和权威服务器,其特征在于,所述客户端发出的DNS请求消息的头部设有服务地址标志位;递归服务器和权威服务器响应客户端发来的DNS请求消息时,根据所述服务地址标志位的设置情况填充对应的地址信息,将该地址信息和TLSA资源记录通过响应数据包返回给客户端。A DANE extended query system supporting a service carrying address information, comprising a client, a recursive server and an authoritative server, wherein the client sends a DNS request message with a service at the head. Address flag bit; when the recursive server and the authoritative server respond to the DNS request message sent by the client, the corresponding address information is filled according to the setting of the service address flag, and the address information and the TLSA resource record are returned to the response packet. Client.
  10. 如权利要求9所述的系统,其特征在于:所述服务地址标志位为两比特标志位,其取值为00、01、10和11,其含义分别如下:The system according to claim 9, wherein said service address flag is a two-bit flag, and the values are 00, 01, 10, and 11, and the meanings thereof are as follows:
    00:客户端不请求服务器的任何地址信息;00: The client does not request any address information of the server;
    01:客户端请求在TLSA资源记录返回同时携带服务器的IPv4地址信息,在DNS响应消息中不仅包含服务器的TLSA资源记录,还携带至少一个32比特的IPv4地址;01: The client requests to carry the IPv4 address information of the server while returning the TLSA resource record, and the DNS response message includes not only the server's OTLS resource record but also at least one 32-bit IPv4 address;
    10:客户端请求在TLSA资源记录返回同时携带服务器的IPv6地址信息,在DNS响应消息中不仅包含服务器的TLSA资源记录,还携带至少一个128比特的IPv6地址;10: The client requests to carry the IPv6 address information of the server while returning the TLSA resource record, and the DNS response message includes not only the server's OTLS resource record but also at least one 128-bit IPv6 address;
    11:客户端请求在TLSA资源记录返回同时携带服务器的IPv4和IPv6地址信息,在DNS响应消息中不仅包含服务器的TLSA资源记录,还携带至少一个32比特IPv4地址以及至少一个128比特的IPv6地址。 11: The client requests to carry the IPv4 and IPv6 address information of the server while returning the TLSA resource record. The DNS response message includes not only the server's TTLS resource record, but also at least one 32-bit IPv4 address and at least one 128-bit IPv6 address.
PCT/CN2014/095172 2014-11-27 2014-12-26 Dane extended query method and system supporting carrying of service address information WO2016082274A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410705519.XA CN104468859B (en) 2014-11-27 2014-11-27 Support the DANE expanding query method and systems of carrying address of service information
CN201410705519.X 2014-11-27

Publications (1)

Publication Number Publication Date
WO2016082274A1 true WO2016082274A1 (en) 2016-06-02

Family

ID=52914206

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/095172 WO2016082274A1 (en) 2014-11-27 2014-12-26 Dane extended query method and system supporting carrying of service address information

Country Status (2)

Country Link
CN (1) CN104468859B (en)
WO (1) WO2016082274A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110741361A (en) * 2018-11-08 2020-01-31 Oppo广东移动通信有限公司 Resource query processing method and device, computer equipment and storage medium
CN112667309A (en) * 2020-12-22 2021-04-16 互联网域名系统北京市工程研究中心有限公司 DoT supporting method and system on DNS authoritative server

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109257450A (en) * 2017-07-13 2019-01-22 中国移动通信有限公司研究院 Domain name analytic method, the network terminal and domain name analysis system and storage medium
CN110392123B (en) * 2018-04-23 2022-06-14 阿里巴巴集团控股有限公司 Method, device and system for detecting outlet IP address
CN109547583B (en) * 2018-11-22 2022-02-25 中国移动通信集团江苏有限公司 Domain name resource query method, device, equipment and computer storage medium
CN114006724B (en) * 2021-09-18 2023-08-29 中国互联网络信息中心 Method and system for discovering and authenticating encryption DNS resolver

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103491073A (en) * 2013-09-09 2014-01-01 中国科学院计算机网络信息中心 Safety communication method based on TLSA protocol in C/S network architecture
CN103929435A (en) * 2014-05-05 2014-07-16 中国科学院计算机网络信息中心 Credibility verification method based on DNSSEC and DANE protocols
US20140244998A1 (en) * 2010-11-09 2014-08-28 Secure64 Software Corporation Secure publishing of public-key certificates

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078877B (en) * 2013-01-31 2015-09-16 中国科学院计算机网络信息中心 Based on the user authentication of DNS and domain name access control method and system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140244998A1 (en) * 2010-11-09 2014-08-28 Secure64 Software Corporation Secure publishing of public-key certificates
CN103491073A (en) * 2013-09-09 2014-01-01 中国科学院计算机网络信息中心 Safety communication method based on TLSA protocol in C/S network architecture
CN103929435A (en) * 2014-05-05 2014-07-16 中国科学院计算机网络信息中心 Credibility verification method based on DNSSEC and DANE protocols

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110741361A (en) * 2018-11-08 2020-01-31 Oppo广东移动通信有限公司 Resource query processing method and device, computer equipment and storage medium
CN110741361B (en) * 2018-11-08 2024-02-06 Oppo广东移动通信有限公司 Resource query processing method, device, computer equipment and storage medium
CN112667309A (en) * 2020-12-22 2021-04-16 互联网域名系统北京市工程研究中心有限公司 DoT supporting method and system on DNS authoritative server

Also Published As

Publication number Publication date
CN104468859A (en) 2015-03-25
CN104468859B (en) 2018-01-30

Similar Documents

Publication Publication Date Title
US20200195677A1 (en) Network addresses with encoded dns-level information
Hoffman et al. The DNS-based authentication of named entities (DANE) transport layer security (TLS) protocol: TLSA
Jones JSON web key (JWK)
WO2016082274A1 (en) Dane extended query method and system supporting carrying of service address information
US9705682B2 (en) Extending DNSSEC trust chains to objects outside the DNS
Nikander et al. Host identity protocol (HIP) domain name system (DNS) extensions
Winter et al. Transport layer security (TLS) encryption for RADIUS
Laganier Host Identity Protocol (HIP) Domain Name System (DNS) Extension
Miao et al. Transport layer security (TLS) transport mapping for Syslog
CN109802829A (en) The identity identifying method of information centre network content request user
Korver The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX
CN115580498B (en) Cross-network communication method in converged network and converged network system
KR101326360B1 (en) Method for security communication between dns server and authoritative dns server for thereof and security communication system
Kent An infrastructure supporting secure internet routing
Bakhache et al. Kerberos secured address resolution protocol (karp)
Chuat et al. PILA: Pervasive internet-wide low-latency authentication
Krähenbühl et al. Ubiquitous Secure Communication in a Future Internet Architecture
Chandramouli et al. Open issues in secure DNS deployment
Jones RFC 7517: JSON Web Key (JWK)
Yang et al. Design of mVoIP service based authentication system
Nikander et al. RFC 5205: Host identity protocol (HIP) domain name system (DNS) extensions
ROSTAMPOUR Deploying DNS Security Extensions
Matsumoto et al. Designing a global authentication infrastructure
Pauly et al. RFC 8908: Captive Portal API
Fan et al. A Mutual Authentication Method For Local MAC Address Allocation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14907184

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14907184

Country of ref document: EP

Kind code of ref document: A1