DNSSEC Graduation Project, Hà Hồng Ngọc, v5, 2016


POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY (Học viện Công nghệ Bưu chính Viễn thông)

FACULTY OF TELECOMMUNICATIONS I

-------***-------

UNDERGRADUATE GRADUATION PROJECT

TOPIC

STUDY OF SECURITY EXTENSIONS FOR THE DOMAIN NAME SYSTEM (DNSSEC)

Supervisor: MSc. Nguyễn Trần Tuấn
Student: Hà Hồng Ngọc
Class: L14VT
Cohort: 2014 - 2016
Program: full-time bridging program (liên thông chính quy)

HÀ NỘI - 2016
ACKNOWLEDGEMENTS

To complete this project I would like to express my sincere thanks to MSc. Nguyễn Trần Tuấn, who always guided and advised me attentively throughout the time I worked on this project.
I would also like to sincerely thank the lecturers of the Posts and Telecommunications Institute of Technology, especially those of the Faculty of Electronics and Telecommunications I, who enthusiastically helped me and passed on their knowledge throughout my studies at the Institute. The knowledge acquired during my studies is not only the foundation for this graduation project but also valuable preparation for my future career.
I also thank my family, friends and relatives for their enthusiastic support and encouragement throughout my studies and the preparation of this graduation project.
Although I have done my best, this project certainly cannot avoid shortcomings. I very much hope for the understanding and careful guidance of the lecturers and my fellow students so that I can improve this graduation project.
Finally, I wish the lecturers, my family and my friends good health and success in their careers.

Hà Nội, 15 December 2016

Hà Hồng Ngọc
TABLE OF CONTENTS

ABBREVIATIONS (p. i)
LIST OF TABLES (p. ii)
LIST OF FIGURES (p. iii)
INTRODUCTION (p. 1)
CHAPTER 1: GENERAL INTRODUCTION TO DNSSEC (p. 2)
1.1. The Domain Name System (DNS) (p. 2)
1.1.1. Definition of domain names (p. 2)
1.1.2. Main components of DNS (p. 2)
1.2. Overview of DNSSEC (p. 5)
1.2.1. What is DNSSEC? (p. 5)
1.2.2. Introduction to DNSSEC (p. 6)
1.3. Deployment and standardization status worldwide and in Vietnam (p. 7)
1.3.1. DNSSEC deployment status worldwide (p. 7)
1.3.2. DNSSEC standardization status worldwide (p. 10)
1.3.2.1. The IETF standards organization (p. 10)
1.3.2.2. The European Commission (EC) decision on implementing and applying ICT standards (p. 11)
1.4. DNSSEC deployment and standardization status in Vietnam (p. 12)
1.4.1. DNSSEC deployment status in Vietnam (p. 12)
1.4.2. DNSSEC deployment roadmap in Vietnam (p. 14)
1.4.3. DNSSEC standardization status in Vietnam (p. 15)
1.5. Conclusion (p. 16)
CHAPTER 2: STUDY OF DNSSEC (p. 17)
2.1. DNSSEC deployment model (p. 17)
2.2. DNSSEC resource records (p. 18)
2.2.1. DNSKEY records in a zone (p. 18)
2.2.2. RRSIG records in a zone (p. 19)
2.2.3. The Delegation Signer (DS) record in a zone (p. 20)
2.2.4. NSEC records in a zone (p. 20)
2.2.5. The NSEC3 record (p. 21)
2.3. The extensions in DNSSEC (p. 23)
2.3.1. Authoritative name servers (p. 24)
2.3.2. Recursive name servers (p. 32)
2.3.3. Resolvers (p. 33)
2.3.4. DNS authentication support (p. 38)
2.3.4.1. The validation process in DNSSEC (p. 39)
2.3.4.2. Authenticated denial of existence in DNSSEC (p. 41)
2.4. Conclusion (p. 47)
CHAPTER 3: APPLYING DNSSEC TO SECURE THE DOMAIN NAME SYSTEM (DNS) (p. 49)
3.1. Common network attack methods (p. 49)
3.1.1. DNS spoofing (DNS cache poisoning) (p. 49)
3.1.2. DNS amplification attack (p. 50)
3.1.3. DNS server impersonation (man in the middle) (p. 50)
3.2. DNS attack scenario (p. 51)
3.3. The DNSSEC solution for the DNS attack scenario (p. 69)
3.4. Conclusion (p. 75)
CONCLUSION (p. 76)
REFERENCES (p. 77)
ABBREVIATIONS

AD       Authentic Data: authenticated data
AXFR     Full Zone Transfer / Authoritative Transfer: full zone synchronization
CD       Checking Disabled: validation checking turned off
CNAME    Canonical Name
DNAME    Delegation Name
DNS      Domain Name System
DNSKEY   DNS Public KEY
DNSSEC   DNS Security Extensions
DO       DNSSEC OK
DS       Delegation Signer
EDNS     Extension Mechanisms for DNS
IANA     Internet Assigned Numbers Authority
IXFR     Incremental Zone Transfer: partial zone synchronization
NS       Name Server
NSEC     Next Secure
OPT      Option
RR       Resource Record
RRSIG    Resource Record Signature
SOA      Start of (a zone of) Authority: the authoritative starting record of a zone
TC       Truncated
TTL      Time to Live


LIST OF TABLES

Table 1.1 Some TCVN standards already developed or under development (p. 15)


LIST OF FIGURES

Figure 1.1 Example DNS structure (p. 2)
Figure 1.2 Domain Name System (p. 4)
Figure 1.3 DNSSEC deployment model (p. 7)
Figure 1.4 How DNSSEC works (p. 8)
Figure 1.5 DNSSEC deployment progress worldwide (p. 9)
Figure 1.6 Map of countries deploying and testing DNSSEC (p. 10)
Figure 2.1 DNSSEC deployment model (p. 17)
Figure 2.2 Digital signatures for resource records (p. 38)
Figure 3.1 DNS cache poisoning attack diagram (p. 49)
Figure 3.2 DNS amplification attack diagram (p. 50)
Figure 3.3 DNS server impersonation attack diagram (p. 51)


INTRODUCTION
The DNS (Domain Name System) server system plays the role of guide on the Internet and is considered a critical core infrastructure of the global Internet. Because of the importance of the DNS, there have been many large-scale and sophisticated attacks exploiting vulnerabilities of this system, with the aim of paralysing it or redirecting a domain name to a different IP address.
Given today's strong growth of the Internet, e-commerce and e-government, the complex and volatile state of network security with its many latent safety and security risks, and the worldwide roadmap and trend of DNSSEC deployment, deploying DNSSEC for the .VN domain name server system (DNS) in Vietnam is essential. VNNIC therefore drafted, and the Minister of Information and Communications issued, the Scheme for Deploying the DNSSEC Standard for the .VN Domain Name Server System (DNS). Under it, the DNSSEC standard is applied uniformly across the national .VN DNS system, the DNS systems of Internet service providers (ISPs), the .VN domain name registrars, the DNS hosting providers and the DNS systems of Party and State agencies.
DNSSEC is the security extension to DNS, applied to help DNS defend against forgery that falsifies the origin of data; DNSSEC provides an authentication mechanism between DNS servers to establish data-integrity authentication. Recognizing this need, and out of personal interest, I chose to research the topic "Study of security extensions for the domain name system (DNSSEC)", which comprises three main parts:
- Chapter 1: General introduction to DNSSEC.
- Chapter 2: Study of DNSSEC.
- Chapter 3: Applying DNSSEC to secure the Domain Name System (DNS).
However, because of limited time and the limits of my own understanding, mistakes could not be avoided. I very much hope to receive guidance from the lecturers and my fellow students so that I can improve my topic further.

Hà Nội, 15 December 2016

Hà Hồng Ngọc


CHAPTER 1: GENERAL INTRODUCTION TO DNSSEC

1.1. The Domain Name System (DNS)
1.1.1. Definition of domain names
The domain name system consists of a set of databases holding IP addresses and their corresponding domain names. Each domain name corresponds to a specific numeric address. The domain name system on the Internet is responsible for converting domain names into IP addresses and, in the reverse direction, IP addresses into domain names.
DNS (Domain Name System) is a distributed database system used to map between domain names and IP addresses. DNS provides a specific method for maintaining and linking these mappings as one coherent whole.
In a wider scope, computers connected to the Internet use DNS to build link addresses in the form of URLs (Uniform Resource Locators). In this way a computer does not need to use an IP address for a connection; it only needs the domain name to look up that connection.
1.1.2. Main components of DNS
When a DNS server receives an address resolution request from a resolver, it looks up its cache and returns the IP address corresponding to the domain name the resolver asked for. If the name is not found in the cache, the DNS server forwards the resolution request to another DNS server.

Figure 1.1 Example DNS structure


The structure of DNS is a tree-shaped database, made up of Top Level Domains (TLDs), Second Level Domains (SLDs) and Sub Domains (hosts) (Figure 1.1). DNS has three main zone types: Primary zone, Secondary zone and Stub zone. The data of a zone is stored in a file called the zone file. The zone file holds the DNS data, expressed as records such as SOA, A, CNAME, MX, NS and SRV.
In the figure above, the iTLD and usTLD names actually belong to the gTLD group (the separation has only historical meaning). Generic top-level domains are currently managed by the international organization ICANN (Internet Corporation for Assigned Names and Numbers).
The list of top-level domains (TLDs), including generic top-level domains (gTLDs) and country-code top-level domains (ccTLDs), is available at:
http://www.iana.org/domains/root/db
Structure of the national domain name system .VN:
In Vietnam, the country-code top-level domain allocated by ICANN is ".VN", which belongs to the ccTLD group. The structure of the Vietnamese national domain ".VN" is defined in Circular No. 09/2008/TT-BTTTT dated 24/12/2008 of the Ministry of Information and Communications:
1. .VN is the highest-level national domain name reserved for Vietnam. All domain names under .VN have equal value for identifying Internet addresses of servers registered in Vietnam.
2. Second-level domains are the domains under .VN, comprising second-level domains not divided by field of activity and shared second-level domains (gTLD style) divided by field as follows:
- COM.VN: for organizations and individuals engaged in commerce.
- BIZ.VN: for organizations and individuals engaged in business, equivalent to COM.VN.
- EDU.VN: for organizations and individuals working in education and training.
- GOV.VN: for central and local state agencies and organizations.
- NET.VN: for organizations and individuals that set up and provide network services.
- ORG.VN: for organizations active in the political, cultural and social fields.
- INT.VN: for international organizations in Vietnam.
- AC.VN: for organizations and individuals engaged in research.
- PRO.VN: for organizations and individuals working in highly specialized fields.


- INFO.VN: for organizations and individuals engaged in producing, distributing and providing information.
- HEALTH.VN: for organizations and individuals in the pharmaceutical and health-care fields.
- NAME.VN: for the personal names of individuals taking part in Internet activities.
- Other domain names as specified by the Ministry of Information and Communications.
3. Second-level domains by administrative boundary are Internet domain names named after the provinces and centrally governed cities. They are written in Vietnamese or in Vietnamese without diacritics.
4. Vietnamese-language domain names
- Vietnamese-language domain names belong to the Vietnamese national domain name system .VN; the characters forming the name are those defined in the Vietnamese character set under standard TCVN 6909:2001 and the characters in the extended Vietnamese character set under the same standard.
- Vietnamese-language domain names comprise second-level domains and third-level domains under the second-level administrative-boundary domains, written in Vietnamese. The name must be meaningful in Vietnamese, and the whole name must not be an abbreviation.
The domain name system is arranged hierarchically. The topmost level is called ROOT and is denoted by ".". The organization that manages the domain name system worldwide is The Internet Corporation for Assigned Names and Numbers (ICANN). This organization manages the highest level of the domain name system (the ROOT level) and therefore has the authority to allocate the domain names directly below it.
To better understand how DNS operates, consider the following example and refer to the figure below:

Figure 1.2 Domain Name System

Suppose PC A wants to reach the website http://www.yahoo.com and the .vnn server has not yet stored information about this site. The query steps proceed as follows:


- First, PC A sends a request to the server managing the vnn domain, asking for information about http://www.yahoo.com.
- The .vnn domain server sends a query to the top-level domain server. The top-level domain server stores information about every domain on the network, so it returns to the vnn domain server the IP address of the server managing the com domain (the .com server for short).
- Once it has the IP address of the .com domain server, the .vnn server immediately asks the .com server for information about yahoo.com. The com servers manage every website under the .com domain; they send the IP address of the yahoo.com server to the vnn server.
- At this point the .vnn server has the IP address of yahoo.com. But PC A requested the www service, not ftp or any other service, so the .vnn server continues by querying the yahoo.com server for the server that provides yahoo.com's www service.
- On receiving the query, the yahoo.com server returns to the .vnn server the IP address of the server hosting http://www.yahoo.com/.
- Finally, the .vnn server returns the IP address of the server hosting http://www.yahoo.com to PC A, and PC A connects to it directly. The vnn server now holds the information about http://www.yahoo.com for later queries from other clients.
However, recursive DNS has a weakness that can be attacked to overload the system, according to a report by the CERT Coordination Center at Carnegie Mellon University (CERT/CC). DNS resolution handles a query with the help of authoritative servers: if a server cannot answer the request, it hands off to another server that can. The problem is that a malicious server can make name resolution follow an unbounded chain of servers, overloading the service (denial of service, DoS). Resolution that never terminates consumes ever more memory and CPU, and once overloaded the whole process stops. The effects range from longer server response times for clients to complete interruption of the service.
1.2. Overview of DNSSEC
1.2.1. What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is a security extension technology for the DNS (Domain Name System). DNSSEC provides an authentication mechanism between DNS servers and authentication for each zone of data, in order to guarantee data integrity.


1.2.2. Introduction to DNSSEC

DNS data is at risk of being forged or falsified in the interactions between DNS servers and resolvers or forwarders. Because the ordinary DNS protocol has no means of authenticating the origin of data, the new security technology DNSSEC (DNS Security Extensions) was researched and deployed to help DNS defend against forgery that falsifies the origin of data. The goal is for DNSSEC to provide an authentication mechanism between DNS servers in order to establish data-integrity authentication and to counter attacks on denial of existence. DNSSEC is specified in RFCs 4033, 4034 and 4035.
DNSSEC has three main functions:
- Sender authentication: authenticates the data as sent.
- Data integrity: protects the integrity of data in transit, assuring the receiver that the data has not been altered.
- Authenticated denial of existence: prevents an attacker from sabotaging resolution by allowing a resolver to verify validly that a specific domain name queried by a client does not exist.
To carry out these tasks, in addition to the four main elements of the DNS system (Delegation, Zone file management, Zone file distribution, Resolving), DNSSEC adds elements such as Zone File Signing, Verifying, Trust Anchor, Key rollover, DNS Aware and Key Master. Accordingly, DNSSEC introduces five new record types:
- DNS Key record (DNSKEY - DNS Key): used to authenticate a data zone.
- Resource Record Signature (RRSIG - Resource Record Signature): used to authenticate the resource records in a data zone.
- Delegation Signer record (DS - Delegation Signer): establishes authentication between data zones; used for signing during DNS delegation.
- Next Secure record (NSEC): used in authentication for records that share the same owner name in a resource record set or a CNAME record. Combined with the RRSIG record, it authenticates the data zone.
- Next Secure record version 3 (NSEC3): basically, NSEC3 has the same function as NSEC in authenticating the non-existence of data in a zone. However, in practice, with NSEC the DNS data can still be exploited by the zone walking technique, which lets an attacker enumerate and probe for all of the DNS information. NSEC3 was therefore introduced, using hashing to improve DNS confidentiality compared with NSEC.
The stated goal is that DNSSEC does not change the DNS data transfer process or the delegation process from higher-level DNS to lower-level DNS; on the other hand, resolvers must be able to support these extension mechanisms. A signed data zone contains one or more of the record types RRSIG, DNSKEY, NSEC and DS.
Thus, by adding new records and modified protocols to authenticate the origin and integrity of data for the system, DNSSEC extends the DNS with security features and strengthens its safety and reliability, overcoming the weaknesses of the original primitive design. It meets both the requirements for domain routing information and the working protocol between DNS servers, and the security requirements, while strengthening the system's redundancy.
DNSSEC provides an authentication mechanism between DNS servers (a chain of trust) that follows the tree structure of the DNS, starting from the ROOT DNS servers.

Figure 1.3 DNSSEC deployment model

Building the chain of trust in DNSSEC is mandatory; it is the basis for guaranteeing origin authentication and data integrity in DNSSEC. The chain of trust is established step by step, starting from the root name server system (DNS ROOT), then the TLD servers, down to the lower-level DNS systems. Once fully deployed, attacks on the DNS system that redirect domain names will be detected and blocked.
Access to services on a domain name is thereby made safe and authenticated, and the risks presented above are resolved.
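To make the chain of trust concrete: each parent zone publishes a DS record holding a hash of the child's key-signing DNSKEY, and a validator recomputes that hash from the DNSKEY it receives and compares it to the parent's DS before trusting the child's keys. The following Python is an added example, not code from the thesis or from any DNS software; the public-key bytes are a constructed placeholder rather than a real key, and the record formats follow RFC 4034 and RFC 4509 as cited in the text.

```python
"""DS record construction and delegation check for the DNSSEC chain of trust.

Added example, not code from the thesis. The DNSKEY public-key bytes below are a
constructed placeholder, not a real key. Formats follow RFC 4034 (DNSKEY, DS and
key tag) and RFC 4509 (SHA-256 DS digests).
"""
import hashlib
import hmac
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGORITHMS = {1: "sha1", 2: "sha256"}


def name_to_wire(name: str) -> bytes:
    """Canonical DNS wire form of an owner name: lowercase labels, each prefixed
    by its length, terminated by a zero-length root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def is_ksk(rdata: bytes) -> bool:
    """A key-signing key has both the ZONE flag (256) and the SEP flag (1) set."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return flags & 0x0101 == 0x0101


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record a parent zone publishes for a child DNSKEY:
    digest = H(canonical owner name | DNSKEY RDATA)."""
    algo = DIGEST_ALGORITHMS[digest_type]
    digest = hashlib.new(algo, name_to_wire(owner) + rdata).hexdigest()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],  # byte 3 of the RDATA is the DNSKEY algorithm
        "digest_type": digest_type,
        "digest": digest,
    }


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Validator-side check: does this DNSKEY from the child match the parent's DS?"""
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    if ds["digest_type"] not in DIGEST_ALGORITHMS:
        return False  # unknown digest type is unusable, never treated as a match
    expected = make_ds(owner, rdata, ds["digest_type"])["digest"]
    return hmac.compare_digest(expected, ds["digest"])


def chain_link_ok(parent_ds: dict, owner: str, dnskey_rrset: list) -> bool:
    """Accept the delegation if some SEP key in the child's DNSKEY RRset matches the DS."""
    return any(is_ksk(k) and ds_matches_dnskey(parent_ds, owner, k) for k in dnskey_rrset)


# Constructed sample: a child zone's KSK and the DS its parent would publish.
CHILD_OWNER = "example.com."
CHILD_KSK = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))  # 257 = ZONE|SEP, alg 8 = RSA/SHA-256
PARENT_DS = make_ds(CHILD_OWNER, CHILD_KSK)
# A substituted key (for instance from a spoofed response) does not hash to the parent's DS.
FORGED_KSK = dnskey_rdata(257, 3, 8, bytes([9, 9, 9, 9]))


if __name__ == "__main__":
    print("DS published by parent:", PARENT_DS)
    print("genuine KSK accepted:", chain_link_ok(PARENT_DS, CHILD_OWNER, [CHILD_KSK]))
    print("forged KSK accepted:", chain_link_ok(PARENT_DS, CHILD_OWNER, [FORGED_KSK]))
```

The same comparison is what a validating resolver repeats at every delegation from the root down, which is why an unsigned link (no DS in the parent) leaves everything below it unverifiable.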
1.3. Deployment and standardization status worldwide and in Vietnam
1.3.1. DNSSEC deployment status worldwide
The DNS (Domain Name System) server system plays the role of guide on the Internet and is considered a critical core infrastructure of the global Internet. Because of the importance of the DNS, there have been many large-scale and sophisticated attacks exploiting vulnerabilities of this system, with the aim of paralysing it or redirecting a domain name to a different IP address.
Around the world, for many years, numerous attacks that altered domain name data and redirected websites have been carried out with serious consequences, typically the attacks on the .pr domain (2009), the DNS system of Tunisia (2010), the system of the Dutch certificate authority Diginotar (2011), and the DNS system in Malaysia (July 2013). These attacks caused serious consequences such as companies going bankrupt, website content being altered and service users being affected.

Figure 1.4 How DNSSEC works

To address these risks, remedies were studied from as early as 1990. In 1995 the security standard extending DNS server security (DNSSEC) was published; in 2001 it was developed into draft RFC standards and it was finally published officially by the IETF as RFC standards in 2005.
DNSSEC is based on public key cryptography (PKI): it digitally signs DNS records to guarantee the authenticity and integrity of the domain name to IP address mapping, so that any change to a signed DNS record is detected. Since its standardization in 2005, DNSSEC has been rapidly and widely deployed on the Internet.


Figure 1.5 DNSSEC deployment progress worldwide

Deploying DNSSEC on the root name server system (DNS ROOT) is an important prerequisite for deploying DNSSEC on the generic top-level domains (gTLDs) and country-code top-level domains (ccTLDs). Only on that basis can national DNS systems deploy DNSSEC fully and comprehensively on their own systems. On 15/10/2010, ICANN officially deployed DNSSEC on the DNS ROOT system.
After ICANN officially deployed DNSSEC on the DNS ROOT system, the TLDs (both gTLDs and ccTLDs) step by step officially deployed DNSSEC on their DNS systems. As of 26/9/2016 there were 1496 TLDs in the DNS ROOT system, of which 1348 TLDs had been signed and 1336 TLDs had uploaded their public key (DS record) to the DNS ROOT server system.
According to ICANN statistics, as of 20/6/2016, 76 countries had deployed and applied DNSSEC to their national domain name server systems, comprising:
- 30 countries in Europe.
- 23 countries in the Asia-Pacific region (including Vietnam).
- 11 countries in Latin America.
- 9 countries in Africa.
- 3 countries in North America.


Figure 1.6 Map of countries deploying and testing DNSSEC

In addition to the countries operating DNSSEC in their national domain name server systems, 4 countries are in the testing phase, 7 are in public development, 6 have deployed signed zones but not yet put them into operation, and 40 have published a DS in the root.
1.3.2. DNSSEC standardization status worldwide
1.3.2.1. The IETF standards organization
The standards currently issued worldwide on DNS security (DNSSEC) are developed and issued mainly by the Internet Engineering Task Force (IETF).
Since publishing the first version of DNSSEC (RFC 2065) in 1997, the IETF has published and supplemented many standards on DNSSEC security.
As recommended by ICANN, the international body that allocates Internet numbers and names, countries deploying the DNSSEC protocol and developing standards should adopt and comply with the following IETF standards:
The core DNSSEC standards (published in 2005, mandatory):
- RFC 4033: DNS Security Introduction and Requirements, published in 2005.
- RFC 4034: Resource Records for the DNS Security Extensions, published in 2005.


- RFC 4035: Protocol Modifications for the DNS Security Extensions, published in 2005.
The group of related DNSSEC standards:
- RFC 4470: Minimally Covering NSEC Records and DNSSEC On-line Signing, published in 2006.
- RFC 4641: DNSSEC Operational Practices.
- RFC 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence.
- RFC 6014: Cryptographic Algorithm Identifier Allocation for DNSSEC, published in 2010.
- RFC 6840: Clarifications and Implementation Notes for DNS Security (DNSSEC), published in 2013.
In addition, the data centre and machine room hosting the key management and DNSSEC zone signing systems must also be physically protected to a high standard.
1.3.2.2. Decision of the European Commission on deploying and applying ICT standards
On 3/8/2014 the European Commission issued its decision on the deployment and application of ICT technical standards in Europe, the Commission Implementing Decision of 3 April 2014 on the identification of ICT Technical specifications eligible for referencing in public procurement (2014/188/EU), OJ L 102/18, 5.4.2014. The proposed and recommended standards are divided into six main groups:
- Internet Protocol version 6 (IPv6).
- Lightweight Directory Access Protocol version 3 (LDAPv3).
- Domain Name System Security Extensions (DNSSEC).
- Domain Keys Identified Mail Signatures (DKIM).
- ECMAScript-402 Internationalisation Specification (ECMA-402).
- Extensible Markup Language version 1.0 (W3C XML).
Of these, the IPv6, LDAPv3, DNSSEC and DKIM groups follow standards developed and published by the IETF. For the DNSSEC technical standards group, an evaluation report selecting the appropriate standards accompanies the decision, "Identification of ICT Technical Specifications - Domain Name System Security Extensions (DNSSEC) from Internet Engineering Task Force (IETF) - Evaluation report", with evaluation participants including: EC, IETF, DIGITALEUROPE, ECIS, IEEE and representatives of the national standards bodies of several countries such as Germany, the Netherlands, Switzerland and the United Kingdom.
After evaluation, the group selected a set of DNSSEC protocol standards suitable for recommending and applying in European countries, consisting of:
- RFC 4033: DNS Security Introduction and Requirements
- RFC 4034: Resource Records for DNS Security Extensions
- RFC 4035: Protocol Modifications for the DNS Security Extensions
- RFC 4470: Minimally Covering NSEC Records and DNSSEC On-line Signing
- RFC 4509: Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
- RFC 5155: DNSSEC Hashed Authenticated Denial of Existence
- RFC 5702: Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC.
- RFC 6605: Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC.
1.4. DNSSEC deployment and standardisation in Vietnam
1.4.1. DNSSEC deployment in Vietnam
At the state management level: the Ministry of Information and Communications
Given the strong growth of the Internet, e-commerce and e-government today, a cyber-security situation with many complex developments and latent risks to safety and security, and the roadmap and trend of DNSSEC deployment worldwide, applying the DNSSEC security standard to the national .VN domain name server system is essential.
In fact, Vietnam began looking into DNSSEC around 2001 and has researched and tested this security standard since 2008. The Ministry of Information and Communications issued Circular No. 22/2013/TT-BTTTT on the List of technical standards for information technology application in state agencies on 23/12/2013, specifying the list of standards that are mandatory or recommended for the information systems of state agencies, so as to ensure seamless, synchronous connectivity and the ability to share and exchange information safely and conveniently among state agencies and between state agencies and organisations and individuals. Specifically, item 4.6 stipulates that the DNSSEC standards are "Recommended for application".
The project to deploy the DNSSEC standard for the .VN domain name server system was approved by the Minister of Information and Communications under Decision No. 1524/QĐ-BTTTT on 23/10/2014. Uniform application of the DNSSEC standard to the .VN DNS systems in Vietnam helps ensure accuracy and reliability in using and querying .VN domain names on the Internet. This is an essential foundation for developing a sustainable and secure Internet infrastructure in Vietnam, aiming to build a synchronous infrastructure and make the country an industrialised nation along modern lines in the coming period.
Deployment plan on the national DNS system
Providing a test system: to support ISPs and registrars in connecting for testing, VNNIC built a test system simulating the national DNS system and the domain name registration system, ready for ISPs and registrars to connect for testing in early Q2 2015.
Official deployment on the national DNS system: during 2015, VNNIC carried out the work needed to officially deploy DNSSEC on the national DNS system in 2016, in line with the implementation roadmap.
Communication and training to develop the resources needed to deploy DNSSEC
Communication: VNNIC set up a website providing information on DNSSEC deployment at http://dnssec.vn. In addition, in March 2015 VNNIC held a round-table workshop for the CIOs/CTOs/CSOs and technical staff of ISPs and .VN registrars to discuss coordination and deployment of DNSSEC.
Training: to give ISPs and .VN registrars the knowledge needed to deploy DNSSEC, VNNIC organised DNSSEC courses:
- First basic training course: providing basic knowledge of DNSSEC and of deploying DNSSEC on the DNS systems of ISPs and registrars. The course was held on 24/6-25/6/2015 in Ho Chi Minh City and taught by VNNIC technical staff. It was intended for technical managers and technical staff of ISPs and national .vn registrars in the southern region, to build and prepare the human resources for planning and deploying DNSSEC at their organisations.
- Second basic training course: on the security extension standard for DNS servers, DNSSEC basics, as part of the series of deployment activities aimed at promoting and supporting organisations in preparing for and deploying DNSSEC in Vietnam. It was held on 1-2/7/2015 in Hanoi; the participants were technical managers and technical staff of ISPs and national .VN registrars in the northern region, such as Viettel, VDC, FPT Telecom, CMC Telecom, NetNam, FTI and Hi-tek Multimedia, who were given basic knowledge of DNSSEC and of how to deploy and install DNSSEC on the DNS systems of ISPs and .VN registrars.
- Advanced training course: providing advanced knowledge, taught by foreign experts from the Internet Corporation for Assigned Names and Numbers (ICANN) and the Asia Pacific Network Information Centre (APNIC). The course took place from 19/07 to 21/07/2016 with nearly 40 participants from state management agencies, ISPs and registrars.
1.4.2. DNSSEC deployment roadmap in Vietnam
Under Decision 1524/QĐ-BTTTT of 23/10/2014, by which the Minister of Information and Communications approved the project to deploy the DNSSEC standard for the ".vn" domain name server (DNS) system, the objectives, scope, content, roadmap and organisation of implementation were defined with three deployment phases:
- Preparation phase (2015): planning and preparing the necessary conditions in communication, human resources, technology and finance to deploy the DNSSEC standard on the DNS systems of agencies, organisations and enterprises.
- Launch phase (2016): officially deploying the DNSSEC standard on the national DNS system, while building and upgrading the DNS systems of Internet service providers, ".vn" registrars and Party and State agencies to connect for testing with the national DNS system under the DNSSEC standard.
- Deployment phase (2017): completing and upgrading the national DNS system and the national domain name management system so that they operate safely and reliably under the DNSSEC standard, meeting the development needs of the Vietnamese Internet in subsequent periods. Internet service providers, ".vn" registrars and Party and State agencies officially deploy their DNS systems under the DNSSEC standard and provide ".vn" domain name usage and query services under the DNSSEC standard to Internet users in Vietnam.
DNSSEC deployment in Vietnam is carried out step by step. DNSSEC must first be deployed on the national ".vn" DNS server system; on that basis it is then deployed on the lower-level name servers, such as the shared second-level domains (.gov.vn, .net.vn, ...), the DNS systems of ISPs, registrars, DNS hosting providers, Party and State agencies, and ".vn" domain name customers/holders.
Applying the DNSSEC standard to the ".vn" domain name server (DNS) system helps ensure accuracy and reliability in the use and querying of ".vn" domain names on the Internet through uniform application of the DNSSEC standard to the ".vn" DNS systems in Vietnam. It ensures DNSSEC-compliant interconnection between the national ".vn" DNS system, the root name server system (DNS ROOT) and international DNS systems. It marks an important step in the development of Internet infrastructure in Vietnam, ready to promote the development of e-commerce and e-government services in Vietnam in the most secure way.
1.4.3. DNSSEC standardisation in Vietnam
In the spirit of the DNSSEC deployment project under Decision 1524/QĐ-BTTTT, the Ministry of Information and Communications has taken the first steps in developing and issuing DNSSEC standards. The standards are built on the international standards issued by the IETF and comprise:

No. | Standard name | Source standard | Year | Note
1 | DNSSEC security requirements and guidelines | RFC 4033: DNS Security Introduction and Requirements | 2015 | developed
2 | Protocol modifications for the DNS security extensions | RFC 4035: Protocol Modifications for the DNS Security Extensions | 2015 | developed
3 | Resource records for the DNS security extensions | RFC 4034: Resource Records for the DNS Security Extensions | 2016 | under development
4 | Hashed authenticated denial of existence in DNSSEC | RFC 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence | 2016 | under development
Table 1.1 Some TCVNs developed or under development

- TCVN xxx - 2015, "DNSSEC security requirements and guidelines", is a technical standard developed on the basis of the IETF core DNSSEC standard RFC 4033. It is the first of the three important core standards that are mandatory when deploying DNSSEC. The standard gives the definitions, introduction, guidance and requirements needed when deploying DNSSEC in the national domain name system.
- TCVN xxx - 2015, "Protocol modifications for the DNS security extensions", developed on the basis of the IETF core standard RFC 4035. The standard specifies the protocol changes when security is deployed in DNS, compared with DNS without the security extensions.
- TCVN xxx - 2016, "Resource records in the DNS security extensions", under development, based on the IETF core standard RFC 4034. This is an important standard that introduces and specifies the resource records needed for deploying DNSSEC.
- TCVN xxx - 2016, "Hashed authenticated denial of existence in DNSSEC", under development, based on the IETF supplementary standard RFC 5155. The standard describes how the NSEC3 next-secure record operates in the mechanism for authenticated denial of existence using hashing in DNSSEC. An NSEC3 record has the security advantage over NSEC of being able to resist dictionary attacks and attacks that enumerate DNS data.
1.5. Conclusion
This chapter gave an overview of the Domain Name System (DNS): the definition and main components of DNS, the security vulnerabilities of DNS and the need to address them. DNSSEC, the domain name security extension, was introduced to solve the DNS security problem. For DNSSEC specifically, the chapter introduced its concept, purpose and functions, the deployment status and standardisation of DNSSEC worldwide and in Vietnam, some of the standards organisations in the world, and the deployment roadmap in Vietnam.
Given its role in ensuring network security, its advantages and its high practical applicability, adopting DNSSEC in Vietnam is essential.
Undergraduate thesis Chapter 2: A study of DNSSEC

CHAPTER II: A STUDY OF DNSSEC

2.1. DNSSEC deployment model

Figure 2.1. DNSSEC deployment model

The DNSSEC deployment process consists of signing the delegation of the .VN domain from the DNS Root to the national DNS server that manages it, and signing the delegation of domains from the national DNS server to the other organisations that manage them. Deploying DNSSEC on the national DNS system involves the following steps:
On the DNS server:
- STEP 1: Generate the private/public key pair
- STEP 2: Store the private key securely
- STEP 3: Distribute the public key
- STEP 4: Sign the zone
- STEP 5: Roll the key
- STEP 6: Re-sign the zone
On the resolver:
- STEP 7: Configure trust anchors
- STEP 8: Establish the chain of trust and validate signatures
2.2. DNSSEC resource records
DNSSEC introduces the concept of a Signed Zone. A Signed Zone contains DNS public key (DNSKEY) records, resource record signature (RRSIG) records, next secure (NSEC) records and, optionally, delegation signer (DS) records, according to the rules specified below.
2.2.1. DNSKEY records in a Zone
To sign a zone, the zone administrator generates one or more public/private key pairs and uses the private key(s) to sign the authoritative RRsets in the zone. For each private key used to create RRSIG records in a zone, the zone should have a DNSKEY record at the zone apex containing the corresponding public key. A DNSKEY record that holds a zone public key must have the Zone Key bit of its Flags RDATA field set. Public keys associated with other DNS operations may be stored in DNSKEY records that are not marked as zone keys, but they must not be used to verify RRSIGs.
If the zone administrator intends a Signed Zone to be usable other than as an island of security, the zone apex must contain at least one DNSKEY record that acts as a secure entry point into the zone. That secure entry point can then be used as the target of a secure delegation through a corresponding DS record in the parent zone.
The DNSKEY record that authenticates the zone must have the Zone Key bit of its flags field set to 1. If the zone administrator intends to sign an authenticated zone, the zone apex must contain at least one DNSKEY record acting as a secure entry point into the zone. The secure entry point is used together with the corresponding DS record in the parent zone in the DNS delegation operation.
2.2.2. RRSIG records in a Zone
For each authoritative RRset in a Signed Zone, there must be at least one RRSIG record that meets the following requirements:
- The RRSIG owner name is equal to the RRset owner name.
- The RRSIG class is equal to the RRset class.
- The RRSIG Type Covered field is equal to the RRset type.
- The RRSIG Original TTL field is equal to the RRset TTL.
- The TTL of the RRSIG record is equal to the RRset TTL.
- The RRSIG Labels field is equal to the number of labels in the RRset owner name, not counting the null root label and not counting the leftmost label if it is a wildcard.
- The RRSIG Signer's Name field is equal to the name of the zone containing the RRset.
- The RRSIG Algorithm, Signer's Name and Key Tag fields identify a DNSKEY record containing a zone public key at the zone apex.
An RRset may have multiple RRSIG records associated with it. Because RRSIG records are closely tied to the RRsets whose signatures they contain, they differ from all other DNS record types in that they do not form RRsets. In particular, the TTL values among RRSIG records with a common owner name do not follow the RRset rules.
An RRSIG record must not be signed itself: signing an RRSIG record would add no value and would create an infinite loop in the signing process.
The NS RRset that appears at the zone apex name must be signed, but the NS RRsets that appear at delegation points (that is, the NS RRsets in the parent zone that delegate the name to the child zone's name servers) must not be signed. Glue address RRsets associated with delegations must not be signed.
There must be an RRSIG for each RRset using at least one DNSKEY of each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset itself must be signed by each algorithm appearing in the DS RRset located at the delegating parent (if any).
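The requirements listed above are mechanical enough to check before a zone is published. The following Python checker is an added example, not part of the thesis or of any DNSSEC implementation; it applies the rules of this section to one RRset and one RRSIG (the signature bytes themselves are not verified), with a constructed sample RRset, a constructed zone-key list and a deliberately inconsistent RRSIG.

```python
from dataclasses import dataclass


@dataclass
class RR:
    owner: str
    rclass: str
    rtype: str
    ttl: int
    rdata: str


@dataclass
class RRSIG:
    owner: str
    rclass: str
    ttl: int
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    key_tag: int
    signer: str


def norm(name: str) -> str:
    """Owner names compare case-insensitively, with or without the trailing dot."""
    return name.rstrip(".").lower()


def rrsig_labels(owner: str) -> int:
    """RRSIG Labels value: labels in the owner name, not counting the root label
    and not counting a leftmost '*' label (wildcard)."""
    labels = [lbl for lbl in norm(owner).split(".") if lbl]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def check_rrsig(rrset, sig, zone, apex_zone_keys):
    """Apply the consistency rules of section 2.2.2 to one RRset and one RRSIG.
    apex_zone_keys: set of (algorithm, key_tag) pairs of apex DNSKEYs with the Zone Key bit set.
    Returns a list of violated rules; an empty list means the pair is consistent."""
    owners = {norm(rr.owner) for rr in rrset}
    classes = {rr.rclass for rr in rrset}
    types = {rr.rtype for rr in rrset}
    ttls = {rr.ttl for rr in rrset}
    if len(owners) != 1 or len(classes) != 1 or len(types) != 1 or len(ttls) != 1:
        return ["records do not form one RRset (owner, class, type and TTL must all agree)"]
    owner, rclass, rtype, ttl = owners.pop(), classes.pop(), types.pop(), ttls.pop()
    problems = []
    if rtype == "RRSIG":
        problems.append("RRSIG records are never signed themselves")
    if rtype == "NS" and owner != norm(zone):
        problems.append("NS RRset at a delegation point must not be signed")
    if norm(sig.owner) != owner:
        problems.append("RRSIG owner name differs from RRset owner name")
    if sig.rclass != rclass:
        problems.append("RRSIG class differs from RRset class")
    if sig.type_covered != rtype:
        problems.append("RRSIG Type Covered differs from RRset type")
    if sig.original_ttl != ttl:
        problems.append("RRSIG Original TTL differs from RRset TTL")
    if sig.ttl != ttl:
        problems.append("RRSIG record TTL differs from RRset TTL")
    if sig.labels != rrsig_labels(owner):
        problems.append(f"RRSIG Labels is {sig.labels}, owner name has {rrsig_labels(owner)}")
    if norm(sig.signer) != norm(zone):
        problems.append("RRSIG Signer's Name is not the zone containing the RRset")
    if (sig.algorithm, sig.key_tag) not in apex_zone_keys:
        problems.append("no apex DNSKEY with the Zone Key bit matches the RRSIG algorithm and key tag")
    return problems


# Constructed sample data (not from a real zone): algorithm 8 with key tag 12345 at the apex.
ZONE = "example.org."
APEX_ZONE_KEYS = {(8, 12345)}
WWW_A = [RR("www.example.org.", "IN", "A", 3600, "192.0.2.10"),
         RR("www.example.org.", "IN", "A", 3600, "192.0.2.11")]
GOOD_SIG = RRSIG("www.example.org.", "IN", 3600, "A", 8, 3, 3600, 12345, "example.org.")
# Wrong record TTL, wrong label count and an unknown key tag.
BAD_SIG = RRSIG("www.example.org.", "IN", 300, "A", 8, 2, 3600, 99999, "example.org.")

if __name__ == "__main__":
    print("good:", check_rrsig(WWW_A, GOOD_SIG, ZONE, APEX_ZONE_KEYS))
    print("bad: ", check_rrsig(WWW_A, BAD_SIG, ZONE, APEX_ZONE_KEYS))
```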
2.2.3. Delegation Signer (DS) records in a Zone
The DS (Delegation Signer) record establishes authentication between DNS zones. A DS record is present for a delegation when the child zone is signed. The DS record, combined with an RRSIG record, authenticates the delegated zone at the parent name server. The DS record is declared first and the RRSIG record after it, just as for the authentication of an ordinary resource record.
The TTL of a DS RRset must match the TTL of the delegating NS RRset (that is, the NS RRset in the same zone that contains the DS RRset). Constructing a DS record requires knowledge of the corresponding DNSKEY record in the child zone, which implies communication between the child and parent zones.
2.2.4. NSEC records in a Zone
Each owner name in the zone that has authoritative data or a delegation point NS RRset must have an NSEC resource record. The TTL value of any NSEC record should be the same as the minimum TTL value field in the zone's SOA record.
An NSEC record (and its associated RRSIG RRset) must not be the only RRset at any particular owner name. That is, the signing process must not create NSEC or RRSIG records for owner names that were not the owner names of any RRset before the zone was signed. The main reasons for this are the need for namespace consistency between the signed and unsigned versions of the same zone, and to reduce the risk of response inconsistency in security-oblivious recursive name servers.
The type bit map of every NSEC record in a Signed Zone must indicate the presence of both the NSEC record itself and its corresponding RRSIG record.
The difference between the set of owner names that require RRSIG records and the set of owner names that require NSEC records is subtle and worth highlighting. RRSIG records are present at the owner names of all authoritative RRsets. NSEC records are present at the owner names of all names for which the Signed Zone is authoritative and at the owner names of delegations from the Signed Zone to its children. Neither NSEC nor RRSIG records are present (in the parent zone) at the owner names of glue address RRsets. Note, however, that this distinction is visible mostly during the zone signing process, because NSEC RRsets are authoritative data and are therefore signed. Thus, any owner name that has an NSEC RRset will also have RRSIG records in the Signed Zone.
The bit map of a delegation point NSEC record requires special attention. The bits corresponding to the delegation NS RRset and to any RRsets for which the parent zone has authoritative data must be set; the bits corresponding to any non-NS RRset for which the parent is not authoritative must be clear.
2.2.5. NSEC3 records
There are two problems with using NSEC records in DNSSEC:
- First problem: the data can be subjected to a zone walking attack. As the example above shows, NSEC records point from one domain name to the next: the name example.org points to a.example.org, a.example.org in turn points to d.example.org, and finally the chain points back to example.org, forming a chain of NSEC records. An attacker can therefore reconstruct the structure of the example.org zone to probe its data and interfere with data exchange in the zone.
- Second problem: when DNSSEC is deployed on a large, centrally delegated zone, every domain name in the zone is given an NSEC record together with a signature (RRSIG) record. This increases the size of the (signed) zone, which means that operators deploying DNSSEC face higher investment costs.
To address these problems NSEC3 was introduced and proposed; it solves the problems NSEC suffers from, but is also more complex to use. NSEC3 was not created to replace NSEC; both coexist in DNSSEC. However, NSEC and NSEC3 cannot be used at the same time in the same zone. That is, there are two different ways to perform authenticated denial of existence: NSEC and NSEC3.
NSEC3 hashes all domain names. The chain of NSEC3 records is therefore sorted in hash order rather than in canonical order. In the example above, in canonical order the name following example.org is a.example.org. However, because all names are hashed when converting to NSEC3, the name following example.org is no longer a.example.org but d.example.org. Zone walking attacks that enumerate and probe data are therefore hard to carry out.
As for the structure of an NSEC3 record, the RDATA format of the NSEC3 resource record is divided into independent fields, with fields corresponding to the fields of the domain name.

Hash Algorithm field: identifies the hash algorithm used to create the hash value; a single octet.
Flags field: consists of 8 one-bit flags that can be used to indicate different processing. All undefined flags must be 0; the field is a single octet. The Opt-Out flag is the least significant bit and is formatted as shown below:

Iterations field: defines the number of additional iterations of the hash function that are performed. A higher iteration count makes the hash value more resistant to dictionary attacks but costs more computation time on both the server and the resolver. The Iterations field is a 16-bit unsigned integer, most significant bit first.
Salt Length field: an unsigned octet that defines the length of the Salt field in octets, with values from 0 to 255. If the value is 0, the Salt field that follows is omitted.
Salt field (if present): encoded as a binary octet string and appended to the original owner name before hashing, to prevent pre-computed dictionary attacks.
Hash Length field: an unsigned octet that defines the length of the Next Hashed Owner Name field, with values from 1 to 255 octets.
Next Hashed Owner Name field: not base32-encoded, unlike the owner name of the NSEC3 resource record. It is the unmodified binary hash value. It does not include the name of the containing zone. The length of this field is determined by the preceding Hash Length field.
Type Bit Maps field: identifies the resource record types present at the original owner name of the NSEC3 resource record.
Comparing the structures of NSEC and NSEC3, another example:
A message using the NSEC resource record has the following structure:

while the corresponding message using NSEC3 resource records, with the domain name hashed (base32 encoding with the extended hex alphabet):

It can be seen that both the owner name and the next name are hashed when NSEC3 records are used. In addition, the message containing NSEC3 resource records also carries an NSEC3PARAM resource record with the HashAlg, Flags, Iterations and Salt fields.
Note that in DNSSEC, using NSEC3 is not always effective. For highly structured zones such as the ip6.arpa or in-addr.arpa zones, zone walking attacks to probe data can still be carried out easily even with NSEC3 records, because of the way the zone is structured. In addition, short domain names and less important zones can easily be guessed. In such cases, NSEC3 records cannot prevent zone walking and only make computation take more time at both the authoritative servers and the validators.
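The hashing and chain ordering described above can be reproduced directly from the field definitions. The following Python is an added example, not part of the thesis or of any DNS software: it implements the RFC 5155 iterated SHA-1 hash over the canonical wire-format owner name with the base32 extended-hex encoding, builds the hash-ordered NSEC3 chain for the page's three names (example.org, a.example.org, d.example.org), and locates the NSEC3 span that covers a name absent from the zone. The salt aabbccdd and 12 iterations are the parameters used in RFC 5155 Appendix A; the zone contents are constructed.

```python
import base64
import hashlib

# Base32 with the RFC 4648 "extended hex" alphabet, as NSEC3 owner names use it. It preserves
# the byte order of the digests, so sorting the encoded strings sorts the hashes.
B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
TO_HEX = str.maketrans(B32_STD, B32_HEX)


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root = 0x00."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    return base64.b32encode(data).decode("ascii").translate(TO_HEX).lower().rstrip("=")


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); H = SHA-1 (algorithm 1).
    The Iterations field counts the *additional* rounds beyond the first."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(names, salt: bytes, iterations: int):
    """Sort the zone's owner names by hash and link each to the next; the last wraps to the first.
    Returns [(original name, hashed owner, next hashed owner), ...] in chain order."""
    ordered = sorted((nsec3_hash(n, salt, iterations), n) for n in set(names))
    return [(n, h, ordered[(i + 1) % len(ordered)][0]) for i, (h, n) in enumerate(ordered)]


def nsec3_span_covers(owner_hash: str, next_hash: str, candidate: str) -> bool:
    """True if candidate lies strictly inside the circular span (owner_hash, next_hash)."""
    if owner_hash < next_hash:
        return owner_hash < candidate < next_hash
    return candidate > owner_hash or candidate < next_hash  # the last record wraps past the apex


def nsec3_denial(chain, qname: str, salt: bytes, iterations: int):
    """Return the chain entry whose span covers H(qname), i.e. the NSEC3 that proves qname has no
    exact match, or None if qname hashes to an existing owner. Only the exact-match step is modelled."""
    h = nsec3_hash(qname, salt, iterations)
    if any(entry[1] == h for entry in chain):
        return None
    for entry in chain:
        if nsec3_span_covers(entry[1], entry[2], h):
            return entry
    raise AssertionError("a closed chain covers every non-member hash")


# Constructed demonstration zone; Flags 0 and no type bit map in the printed form.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
ZONE_NAMES = ["example.org", "a.example.org", "d.example.org"]

if __name__ == "__main__":
    chain = nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    for name, h, nxt in chain:
        print(f"{h}.example.org. NSEC3 1 0 {ITERATIONS} {SALT.hex()} {nxt}   ; {name}")
    print("covers c.example.org:", nsec3_denial(chain, "c.example.org", SALT, ITERATIONS))
```

RFC 5155 Appendix A lists the hashed owner names of its example zone for the same salt and iteration count, which makes a convenient self-check for the hash function.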
2.3. DNSSEC extensions
A security-aware name server must support the EDNS0 message size extension, must support a message size of at least 1220 octets, and should support a message size of 4000 octets. Because IPv6 packets can only be fragmented by the source host, a security-aware name server should take steps to ensure that the UDP datagrams it transmits over IPv6 are fragmented at the minimum IPv6 MTU if necessary, unless the path MTU is known.
A security-aware name server that receives a DNS query that does not include the EDNS OPT pseudo-RR, or that has the DO bit clear, must treat the RRSIG, DNSKEY and NSEC RRs as it would any other RRset and must not perform any of the additional processing described below. Because the DS RR type has the unusual property of appearing only in the parent zone at delegation points, DS RRs always require some special processing.
Security-aware name servers that receive explicit queries for security RR types that match the contents of more than one zone they serve (for example, NSEC and RRSIG RRs above and below a delegation point where the server is authoritative for both zones) should behave consistently. The name server may return one of the following as long as its response is always consistent for every query it receives:
- The RRsets above the delegation point.
- The RRsets below the delegation point.
- Both the RRsets above and below the delegation point.
- An empty answer (no RRs).
- Some other response.
- An error.
DNSSEC allocates two new bits in the DNS message header: the CD (Checking Disabled) bit and the AD (Authentic Data) bit. The CD bit is controlled by resolvers; a security-aware name server must copy the CD bit from a query into the corresponding response. The AD bit is controlled by name servers; a security-aware name server must ignore the setting of the AD bit in queries. A security-aware name server that synthesises CNAME RRs from DNAME RRs should not generate signatures for these synthesised CNAME RRs.
2.3.1. Authoritative name servers
Upon receiving a relevant query with the DO bit of the EDNS OPT pseudo-RR set, a security-aware authoritative name server for a Signed Zone must include additional RRSIG, NSEC and DS RRs according to the following rules:
- RRSIG RRs that can be used to authenticate a response must be included in the response.
- NSEC RRs that can be used to provide authenticated denial of existence must be included in the response.
- Either the DS RRset or an NSEC RR proving that no DS RRs exist must be included in referrals automatically.
These rules apply only to responses whose semantics convey information about the presence or absence of RRs. Thus, these rules do not apply to responses such as "Not Implemented" (RCODE) or "Refused" (RCODE 5).
DNSSEC does not change the DNS zone transfer protocol.
RRSIG RRs in a response
When responding to a query with the DO bit set, a security-aware authoritative name server should attempt to send the RRSIG RRs that a security-aware resolver can use to authenticate the RRsets in the response. A name server should make every attempt to send an RRset and its associated RRSIG(s) in a response. Including RRSIG RRs in a response follows these rules:
When placing a signed RRset in the Answer section, the name server must also place its RRSIG RRs in the Answer section. The RRSIG RRs have a higher priority for inclusion than any other RRsets that may have to be included. If space does not allow the RRSIG RRs to be included, the name server must set the TC bit.
When placing a signed RRset in the Authority section, the name server must also place its RRSIG RRs in the Authority section. The RRSIG RRs have a higher priority for inclusion than any other RRsets that may have to be included. If space does not allow the RRSIG RRs to be included, the name server must set the TC bit.
When placing a signed RRset in the Additional section, the name server must also place its RRSIG RRs in the Additional section. If space does not allow both the RRset and its associated RRSIG RRs to be included, the name server may retain the RRset and drop the RRSIG RRs. If this happens, the name server must not set the TC bit solely because these RRSIG RRs did not fit.
DNSKEY RRs in a response
When responding to a query with the DO bit set that requests the SOA or NS RRs at the apex of a signed zone, a security-aware authoritative name server for that zone may return the zone apex DNSKEY RRset in the Additional section. In this case, the DNSKEY RRset and its associated RRSIG RRs have a lower priority than any other information that would be placed in the Additional section. The name server should not include the DNSKEY RRset unless there is enough space in the response message for both the DNSKEY RRset and its associated RRSIG RR(s). If there is not enough space to include these DNSKEY and RRSIG RRs, the name server must omit them and must not set the TC bit solely because these RRs did not fit.
NSEC RRs in a response
When responding to a query with the DO bit set, a security-aware authoritative name server for a zone must include NSEC RRs in each of the following cases:
- No Data: the zone contains RRsets that exactly match <SNAME, SCLASS> but does not contain any RRset that exactly matches <SNAME, SCLASS, STYPE>.
- Name Error: the zone does not contain any RRset that matches <SNAME, SCLASS> either exactly or via wildcard name expansion.
- Wildcard Answer: the zone does not contain any RRset that exactly matches <SNAME, SCLASS> but does contain an RRset that matches <SNAME, SCLASS, STYPE> via wildcard name expansion.
- Wildcard No Data: the zone does not contain any RRset that exactly matches <SNAME, SCLASS> and does contain one or more RRsets that match <SNAME, SCLASS> via wildcard name expansion, but does not contain any RRset that matches <SNAME, SCLASS, STYPE> via wildcard name expansion.
In each of these cases, the name server includes NSEC RRs in the response to prove that an exact match for <SNAME, SCLASS, STYPE> was not present in the zone and that the response the name server returned is correct given the zone's data.
NSEC RRs: No Data response
When the zone contains RRsets matching <SNAME, SCLASS> but no RRset matching <SNAME, SCLASS, STYPE>, the name server must include the NSEC RR for <SNAME, SCLASS> together with its associated RRSIG RR(s) in the Authority section of the response. If space does not allow the NSEC RR or its associated RRSIG RR(s) to be included, the name server must set the TC bit.
Since the search name exists, wildcard name expansion does not apply to this query, and a single signed NSEC RR suffices to prove that the requested RR type does not exist.
NSEC RRs: Name Error response
When the zone does not contain any RRset matching <SNAME, SCLASS> either exactly or via wildcard name expansion, the name server must include the following NSEC RRs in the Authority section, together with their associated RRSIG RRs:
- An NSEC RR proving that there is no exact match for <SNAME, SCLASS>.
- An NSEC RR proving that the zone contains no RRsets that would match <SNAME, SCLASS> via wildcard name expansion.
In some cases a single NSEC RR may prove both of these points. In that case, the name server should include only that NSEC RR and its RRSIG RR(s) in the Authority section.
If space does not allow these NSEC and RRSIG RRs to be included, the name server must set the TC bit.
The owner names of these NSEC and RRSIG RRs are not subject to wildcard name expansion when these RRs are included in the Authority section of the response.
This form of response includes the cases in which SNAME corresponds to an empty non-terminal name within the zone (a name that is not the owner name of any RRset but is the parent name of one or more RRsets).
NSEC RRs: Wildcard Answer response
When the zone does not contain any RRset that exactly matches <SNAME, SCLASS> but does contain an RRset that matches <SNAME, SCLASS, STYPE> via wildcard name expansion, the name server must include the wildcard-expanded answer and the corresponding wildcard-expanded RRSIG RRs in the Answer section, and must include in the Authority section an NSEC RR and its associated RRSIG RR(s) proving that the zone does not contain a closer match for <SNAME, SCLASS>. If space does not allow the answer, NSEC and RRSIG RRs to be included, the name server must set the TC bit.
NSEC RRs: Wildcard No Data response
This case is a combination of the previous cases. The zone does not contain an exact match for <SNAME, SCLASS>, and although the zone does contain RRsets that match <SNAME, SCLASS> via wildcard expansion, none of those RRsets matches STYPE. The name server must include the following NSEC RRs in the Authority section, together with their associated RRSIG RRs:
- An NSEC RR proving that there are no RRsets matching STYPE at the wildcard owner name that matched <SNAME, SCLASS> via wildcard expansion.
- An NSEC RR proving that there are no RRsets in the zone that would have been a closer match for <SNAME, SCLASS>.
In some cases a single NSEC RR may prove both of these points. In that case, the name server should include only that NSEC RR and its RRSIG RR(s) in the Authority section.
The owner names of these NSEC and RRSIG RRs are not subject to wildcard name expansion when these RRs are included in the Authority section of the response.
If space does not allow these NSEC and RRSIG RRs to be included, the name server must set the TC bit.
Finding the right NSEC RRs
As explained above, there are several situations in which a security-aware authoritative name server must locate an NSEC RR that proves that no RRsets matching a particular SNAME exist. Locating such an NSEC RR in an authoritative zone is relatively simple, at least in concept. The following discussion assumes that the name server is authoritative for the zone that would have held the non-existent RRsets matching SNAME. The algorithm below is written for clarity, not for efficiency.
To find the NSEC that proves that no RRsets with owner name N exist in the zone Z that would have contained them, construct a sequence S consisting of the owner names of every RRset in Z, sorted into canonical order (RFC 4034), with no duplicate names. Find the name M that would immediately precede N in S if any RRsets with owner name N existed. M is the owner name of the NSEC RR that proves that no RRsets exist with owner name N.
The algorithm for finding the NSEC RR that proves that a given name is not covered by any applicable wildcard is similar but requires an extra step. More precisely, the algorithm for finding the NSEC proving that no RRsets exist with the applicable wildcard name is the same as the algorithm for finding the NSEC RR that proves that RRsets with any other owner name do not exist. The part that is missing is a method of determining the name of the non-existent applicable wildcard. In practice this is easy, because the authoritative name server has already checked for the presence of precisely this wildcard name as part of step (1).
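The sequence S, the predecessor M and the wildcard step above, together with the Name Error and Wildcard response cases from the earlier subsections, can be worked through on a small zone. The following Python is an added example and not code from the thesis or from any name server: it sorts owner names into RFC 4034 canonical order, finds the NSEC that covers a name that is absent from the zone (wrapping the last NSEC back to the apex), derives the applicable wildcard from the closest encloser (counting empty non-terminals), and reports which NSEC records the Authority section needs. The zone (example.org with a.example.org, d.example.org, ns1.example.org and a wildcard *.w.example.org) is constructed; the No Data cases depend on STYPE and are not modelled.

```python
import bisect


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are compared right to left,
    case-insensitively, as unsigned octets; a name whose labels are a prefix of another sorts first."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(lbl.lower().encode("ascii") for lbl in reversed(labels))


def key_to_name(key: tuple) -> str:
    return ".".join(lbl.decode("ascii") for lbl in reversed(key))


def nsec_chain_order(owner_names):
    """The sequence S of the page's algorithm: every owner name once, in canonical order."""
    return sorted(set(owner_names), key=canonical_key)


def nsec_covering(names_sorted, qname):
    """Return (M, next) where M immediately precedes qname in S, i.e. the owner of the NSEC that
    proves qname has no RRsets; None if qname is itself in S. The last NSEC wraps to the apex."""
    keys = [canonical_key(n) for n in names_sorted]
    k = canonical_key(qname)
    if k in keys:
        return None
    i = bisect.bisect_left(keys, k) - 1
    if i < 0:
        raise ValueError(f"{qname} is not below the apex {names_sorted[0]}")
    return names_sorted[i], names_sorted[(i + 1) % len(names_sorted)]


def closest_encloser(names_sorted, qname):
    """Longest existing ancestor of qname; ancestors of NSEC owners exist as empty non-terminals."""
    apex_len = len(canonical_key(names_sorted[0]))
    existing = set()
    for n in names_sorted:
        k = canonical_key(n)
        existing.update(k[:j] for j in range(apex_len, len(k) + 1))
    k = canonical_key(qname)
    for j in range(len(k), apex_len - 1, -1):
        if k[:j] in existing:
            return key_to_name(k[:j])
    raise ValueError(f"{qname} is not below the apex {names_sorted[0]}")


def denial_proof(names_sorted, qname):
    """Which NSEC records the Authority section needs for qname (Name Error and wildcard cases)."""
    cover = nsec_covering(names_sorted, qname)
    if cover is None:
        return {"kind": "exists", "nsecs": []}  # positive or No Data answer: NSEC of qname itself
    wildcard = "*." + closest_encloser(names_sorted, qname)
    wcover = nsec_covering(names_sorted, wildcard)
    if wcover is None:  # the wildcard exists: answer is synthesised, prove only that no exact match exists
        return {"kind": "wildcard match", "nsecs": [cover]}
    # Name Error: one NSEC for qname and one for the wildcard; a single NSEC may prove both.
    return {"kind": "name error", "nsecs": [cover] if cover == wcover else [cover, wcover]}


# Constructed zone contents (owner names that carry RRsets); not a real zone.
ZONE_OWNERS = ["example.org", "a.example.org", "d.example.org", "ns1.example.org", "*.w.example.org"]

if __name__ == "__main__":
    s = nsec_chain_order(ZONE_OWNERS)
    print("S =", s)
    for q in ("c.example.org", "foo.w.example.org", "a.example.org"):
        print(q, "->", denial_proof(s, q))
```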
DS RRs in a response
When responding to a query with the DO bit set, a security-aware authoritative name server returning a referral includes DNSSEC data along with the NS RRset.
If a DS RRset is present at the delegation point, the name server must return both the DS RRset and its associated RRSIG RR(s) in the Authority section along with the NS RRset.
If no DS RRset is present at the delegation point, the name server must return both the NSEC RR that proves that the DS RRset is not present and that NSEC RR's associated RRSIG RR(s), along with the NS RRset. The name server must place the NS RRset before the NSEC RRset and its associated RRSIG RR(s).
Including these DS, NSEC and RRSIG RRs increases the size of referral messages and may cause some or all of the glue RRs to be omitted. If space does not allow the DS or NSEC RRset and its associated RRSIG RRs to be included, the name server must set the TC bit.
Responding to queries for DS RRs
The DS RR type is unusual in that it appears only on the parent zone's side of a zone cut. For example, the DS RRset for the delegation of foo.example is stored in the example zone rather than in the foo.example zone. This requires special processing rules for both name servers and resolvers, since the name server for the child zone is authoritative for the name at the zone cut by the normal DNS rules, but the child zone does not contain the DS RRset.
A security-aware resolver sends queries to the parent zone when looking for a DS RR at a delegation point. However, special rules are needed to avoid confusing security-oblivious resolvers that might be involved in processing such a query (for example, in a network configuration that forces a security-aware resolver to channel its queries through a security-oblivious recursive name server). The rest of this section describes how a security-aware name server processes queries in order to avoid this problem.
The need for special processing by a security-aware name server arises only when all of the following conditions are met:
- The name server has received a query for the DS RRset at a zone cut.
- The name server is authoritative for the child zone.
- The name server is not authoritative for the parent zone.
- The name server does not offer recursion.
In all other cases, the name server either has some way of obtaining the DS RRset or could not have been expected to have it even under the non-DNSSEC processing rules, so the name server can return either the DS RRset or an error response according to the normal processing rules.
If all of the above conditions are met, however, the name server is authoritative for SNAME but cannot supply the requested RRset. In this case, the name server must return an authoritative "no data" response showing that the DS RRset does not exist at the child zone's apex.
Responding to queries of type AXFR or IXFR
DNSSEC does not change the DNS zone transfer process. A signed zone will contain RRSIG, DNSKEY and DS RRs, but these records have no special meaning with respect to a zone transfer operation.
An authoritative name server is not required to verify that a zone is properly signed before sending or accepting a zone transfer.
However, an authoritative name server may choose to reject a zone transfer if the zone fails to meet any of the signing requirements. The primary objective of a zone transfer is to ensure that all authoritative name servers have identical copies of the zone. An authoritative name server that chooses to perform its own zone validation must not selectively reject some RRs and accept others.
DS RRsets appear only on the parental side of a zone cut and are authoritative data in the parent zone. As with any other authoritative RRset, the DS RRset must be included in zone transfers of the zone in which the RRset is authoritative data. In the case of the DS RRset, this is the parent zone.
NSEC RRs appear in both the parent and child zones at a zone cut and are authoritative data in both the parent and child zones. The parental and child NSEC RRs at a zone cut are never identical to each other, because the NSEC RR in the child zone's apex will always indicate the presence of the child zone's SOA RR, whereas the parental NSEC RR at the zone cut will never indicate the presence of an SOA RR. As with any other authoritative RRs, NSEC RRs must be included in zone transfers of the zone in which they are authoritative data. The parental NSEC RR at a zone cut must be included in zone transfers of the parent zone, and the NSEC at the zone apex of the child zone must be included in zone transfers of the child zone.
RRSIG RRs appear in both the parent and child zones at a zone cut and are authoritative in whichever zone contains the authoritative RRset for which the RRSIG RR provides the signature. That is, the RRSIG RR for a DS RRset or for a parental NSEC RR at a zone cut will be authoritative in the parent zone, and the RRSIG for any RRset in the child zone's apex will be authoritative in the child zone. Parental and child RRSIG RRs at a zone cut will never be identical to each other, because the Signer's Name field of an RRSIG RR in the child zone's apex will indicate a DNSKEY RR in the child zone's apex, whereas the same field of a parental RRSIG RR at the zone cut will indicate a DNSKEY RR in the parent zone's apex. As with any other authoritative RRs, RRSIG RRs must be included in zone transfers of the zone in which they are authoritative data.
The AD and CD bits in an authoritative response
The CD and AD bits are designed for use in communication between security-aware resolvers and security-aware recursive name servers. These bits are for the most part not relevant to query processing by security-aware authoritative name servers.
A security-aware name server does not perform signature validation for authoritative data during query processing, even when the CD bit is clear. A security-aware name server should clear the CD bit when composing an authoritative response.
A security-aware name server must not set the AD bit in a response unless the name server considers all RRsets in the Answer and Authority sections of the response to be authentic. A security-aware name server's local policy may consider data from an authoritative zone to be authentic without further validation. However, the name server must not do so unless the name server obtained the authoritative zone via secure means (such as a secure zone transfer mechanism), and must not do so unless this behavior has been configured explicitly.
A security-aware name server that supports recursion must follow the rules for the CD and AD bits when generating a response that involves data obtained via recursion.
2.3.2. Recursive name server
A security-aware recursive name server is an entity that acts in both the security-aware name server and security-aware resolver roles. The resolver side follows the usual rules for caching and negative caching that apply to any security-aware resolver.
The DO bit
The resolver side of a security-aware recursive name server must set the DO bit when sending requests, regardless of the state of the DO bit in the initiating request received by the name server side. If the DO bit in an initiating query is not set, the name server side must strip any authoritative DNSSEC RRs from the response, but must not strip any DNSSEC RR types that the initiating query explicitly requested.
The CD bit
The CD bit exists in order to allow a security-aware resolver to disable signature validation in a security-aware name server's processing of a particular query. The name server side must copy the setting of the CD bit from a query to the corresponding response.
The name server side of a security-aware recursive name server must pass the state of the CD bit to the resolver side along with the rest of an initiating query, so that the resolver side knows whether it is required to verify the response data it returns to the name server side. If the CD bit is set, it indicates that the originating resolver is willing to perform whatever authentication its local policy requires. Thus, the resolver side of the recursive name server need not perform authentication on the RRsets in the response. When the CD bit is set, the recursive name server should, if possible, return the requested data to the originating resolver, even if the recursive name server's local authentication policy would reject the records in question. That is, by setting the CD bit, the originating resolver has indicated that it takes responsibility for performing its own authentication, and the recursive name server should not interfere.
If the resolver side implements a BAD cache and the name server side receives a query that matches an entry in the resolver side's BAD cache, the name server side's response depends on the state of the CD bit in the original query. If the CD bit is set, the name server side should return the data from the BAD cache; if the CD bit is not set, the name server side must return RCODE 2 (server failure).
The intent of the above rule is to provide raw data to clients that are capable of performing their own signature verification checks, while protecting clients that depend on the resolver side of a security-aware recursive name server to perform such checks. Several of the possible reasons why signature validation might fail involve conditions that may not apply equally to the recursive name server and the client that invoked it. For example, the recursive name server's clock may be set incorrectly, or the client may have knowledge of a relevant island of security that the recursive name server does not share. In such cases, "protecting" a client that is capable of performing its own signature validation from ever seeing the "bad" data does not help the client.
The AD bit
The name server side of a security-aware recursive name server must not set the AD bit in a response unless the name server considers all RRsets in the Answer and Authority sections of the response to be authentic. The name server side should set the AD bit if and only if the resolver side considers all RRsets in the Answer section and any relevant negative response RRs in the Authority section to be authentic. The resolver side must follow the proper procedure to determine whether the RRs in question are authentic. However, for backward compatibility, a recursive name server may set the AD bit when a response includes unsigned CNAME RRs if those CNAME RRs are demonstrably generated from an authenticated DNAME RR that is also included in the response according to the synthesis rules (for example, in DNSSEC responses).
2.3.3. Resolvers
This section covers the behavior of entities that include security-aware resolver functions. In many cases these functions will be part of a security-aware recursive name server, but a stand-alone security-aware resolver has many of the same requirements.
EDNS support
A security-aware resolver must include an EDNS OPT pseudo-RR with the DO bit set when sending queries.
A security-aware resolver must support a message size of at least 1220 octets, should support a message size of 4000 octets, and must use the sender's UDP payload size field in the EDNS OPT pseudo-RR to advertise the message size that it is willing to accept. A security-aware resolver's IP layer must handle fragmented UDP packets correctly, regardless of whether these fragmented packets are received via IPv4 or IPv6.
Signature verification support
A security-aware resolver must support the signature verification mechanisms and should apply them to every received response, except when:
- The security-aware resolver is part of a security-aware recursive name server, and the response is the result of recursion on behalf of a query received with the CD bit set.
- The response is the result of a query generated directly via some form of application interface that instructs the security-aware resolver not to perform validation for this query.
- Validation for this query has been disabled by local policy.
A security-aware resolver's support for signature verification must include support for verification of wildcard owner names.
Security-aware resolvers may query for missing security RRs in an attempt to perform validation; implementations that choose to do so must be aware that the answers received may not be sufficient to validate the original response. For example, a zone update may have changed (or deleted) the desired information between the original and the follow-up queries.
When attempting to retrieve missing NSEC RRs that reside on the parental side at a zone cut, a security-aware iterative-mode resolver must query the name servers for the parent zone, not the child zone.
When attempting to retrieve a missing DS, a security-aware iterative-mode resolver must query the name servers for the parent zone, not the child zone. Security-aware name servers need to apply special processing rules to handle the DS RR, and in some situations the resolver may also need to apply special rules to locate the name servers for the parent zone if the resolver does not already have the parent's NS RRset. To locate the parent NS RRset, the resolver can start with the delegation name, strip off the leftmost label, and query for an NS RRset by that name. If no NS RRset is present at that name, the resolver then strips off the next leftmost label and retries the query for that name, repeating this process of walking up the tree until it finds an NS RRset or runs out of labels.
Determining the security status of data
A security-aware resolver must be able to determine whether it should expect a particular RRset to be signed. More precisely, a security-aware resolver must be able to distinguish between the following four cases:
- Secure: an RRset for which the resolver is able to build a chain of signed DNSKEY and DS RRs from a trusted security anchor to the RRset. In this case, the RRset should be signed and is subject to signature validation.
- Insecure: an RRset for which the resolver knows that it has no chain of signed DNSKEY and DS RRs from any trusted starting point to the RRset. This can occur when the target RRset lies in an unsigned zone or in a descendant of an unsigned zone. In this case, the RRset may or may not be signed, but the resolver will not be able to verify the signature.
- Bogus: an RRset for which the resolver believes that it ought to be able to establish a chain of trust but for which it is unable to do so, either because the signatures fail to validate for some reason or because data that the relevant DNSSEC RRs indicate should be present is missing. This case may indicate an attack, but it may also indicate a configuration error or some form of data corruption.
- Indeterminate: an RRset for which the resolver is not able to determine whether the RRset should be signed, because the resolver is not able to obtain the necessary DNSSEC RRs. This can occur when the security-aware resolver is not able to contact security-aware name servers for the relevant zones.
Configured trust anchors
A security-aware resolver must be capable of being configured with at least one trusted public key or DS RR, and should be capable of being configured with multiple trusted public keys or DS RRs. Since a security-aware resolver will not be able to validate signatures without such a configured trust anchor, the resolver should have some reasonably robust mechanism for obtaining such keys when it boots; examples of such a mechanism would be some form of non-volatile storage (such as a disk drive) or some form of trusted local network configuration mechanism.
Note that trust anchors also cover key material that is updated in a secure manner. This secure manner could be through physical media, a key exchange protocol, or some other out-of-band means.
Response caching
A security-aware resolver should cache each response as a single atomic entry containing the entire answer, including the named RRset and any associated DNSSEC RRs. The resolver should discard the entire atomic entry if any of the RRs contained in it expire. In most cases the appropriate cache index for the atomic entry will be the triple <QNAME, QTYPE, QCLASS>, but in cases such as the recursive form the appropriate cache index will be the pair <QNAME, QCLASS>.
The reason for these recommendations is that, between the initial query and the expiration of the data from the cache, the authoritative data might have been changed (for example, via dynamic update).
There are two situations for which this is relevant:
- By using the RRSIG RR, it is possible to deduce that an answer was synthesized from a wildcard. A security-aware recursive name server could store this wildcard data and use it to generate positive responses to queries other than the name for which the original answer was first received.
- NSEC RRs received to prove the non-existence of a name could be reused by a security-aware resolver to prove the non-existence of any name in the name range they span.
In theory, a resolver could use wildcards or NSEC RRs to generate positive and negative responses (respectively) until the TTL or the signatures on the records in question expire. However, resolvers should be cautious and avoid blocking new authoritative data or synthesizing new data on their own. Resolvers that follow this recommendation will have a more consistent view of the namespace.
Handling of the CD and AD bits
A security-aware resolver may set a query's CD bit in order to indicate that the resolver takes responsibility for performing whatever authentication its local policy requires on the RRsets in the response. A security-aware resolver must clear the AD bit when composing query messages, to protect against buggy name servers that blindly copy header bits that they do not understand from the query message to the response message.
A resolver must disregard the meaning of the CD and AD bits in a response unless the response was obtained by using a secure channel or the resolver was specifically configured to regard the message header bits without using a secure channel.
Caching BAD data
While many validation errors will be transient, some are likely to be more persistent, such as those caused by administrative error (failure to re-sign a zone, clock skew, and so forth). Since requerying will not help in these cases, validating resolvers might generate a significant amount of unnecessary DNS traffic as a result of repeated queries for RRsets with persistent validation failures.
To prevent such unnecessary DNS traffic, security-aware resolvers may cache data with invalid signatures, with some restrictions.
Conceptually, caching such data is similar to negative caching, except that instead of caching a valid negative response, the resolver is caching the fact that a particular answer failed to validate. This standard refers to a cache of data with invalid signatures as a BAD cache.
Resolvers that implement a BAD cache must take steps to avoid the cache becoming a useful amplifier for denial-of-service attacks, specifically:
Since RRsets that fail to validate do not have trustworthy TTLs, the implementation must assign a TTL. This TTL should be small, in order to mitigate the effect of caching the results of an attack.
In order to prevent caching of a transient validation failure (which might be the result of an attack), resolvers should track queries that result in validation failures, and should only answer from the BAD cache after the number of times that responses to queries for that particular <QNAME, QTYPE, QCLASS> have failed to validate exceeds a threshold value.
Resolvers must not return RRsets from the BAD cache unless the resolver is not required to validate the signatures of the RRsets in question.
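The three safeguards above (an assigned small TTL, a failure threshold before answering from the BAD cache, and answering from it only when the client set the CD bit) can be captured in one small data structure. The following is an added example, not code from the thesis or from any resolver implementation; the threshold of 3 failures, the 60-second TTL cap and the query names are assumed values, and the injectable clock exists only so the expiry behaviour can be exercised without waiting.

```python
"""BAD cache with a capped TTL and a failure threshold.

Added example for the rules above, not code from the thesis or any resolver.
The threshold, the TTL cap and the names are assumed values.
"""
import time


class BadCache:
    """Remembers that an answer failed validation, with safeguards against
    becoming a denial-of-service amplifier."""

    def __init__(self, threshold=3, max_ttl=60, clock=time.monotonic):
        self.threshold = threshold  # failures before we answer from the BAD cache
        self.max_ttl = max_ttl      # cap: RRsets that failed validation have no trustworthy TTL
        self.clock = clock          # injectable for testing
        self.failures = {}          # key -> (consecutive failures, time of last failure)
        self.entries = {}           # key -> (expires_at, assigned ttl, unvalidated rrset)

    @staticmethod
    def key(qname, qtype, qclass="IN"):
        """<QNAME, QTYPE, QCLASS>, with the name compared case-insensitively."""
        return (qname.rstrip(".").lower(), qtype.upper(), qclass.upper())

    def _expire(self, k):
        """Drop an entry whose assigned TTL has run out, and forget its counter."""
        entry = self.entries.get(k)
        if entry is not None and entry[0] <= self.clock():
            del self.entries[k]
            self.failures.pop(k, None)

    def record_failure(self, qname, qtype, bad_rrset, received_ttl, qclass="IN"):
        """Call each time validation of <qname, qtype, qclass> fails.
        Returns the number of consecutive failures seen so far."""
        k = self.key(qname, qtype, qclass)
        self._expire(k)
        now = self.clock()
        count, last = self.failures.get(k, (0, now))
        if now - last > self.max_ttl:
            count = 0  # stale counter: treat the earlier failures as transient
        count += 1
        self.failures[k] = (count, now)
        if count >= self.threshold and k not in self.entries:
            # Never trust the received TTL; assign our own, small one.
            ttl = min(max(int(received_ttl), 0), self.max_ttl)
            self.entries[k] = (now + ttl, ttl, bad_rrset)
        return count

    def record_success(self, qname, qtype, qclass="IN"):
        """A validated answer clears any failure history for the name."""
        k = self.key(qname, qtype, qclass)
        self.failures.pop(k, None)
        self.entries.pop(k, None)

    def lookup(self, qname, qtype, cd_bit, qclass="IN"):
        """Decision for an incoming query on the name-server side.
        'MISS': resolve normally.  'SERVFAIL': RCODE 2, the client did not set CD.
        'BAD-DATA': hand the unvalidated RRset to a client that set CD."""
        k = self.key(qname, qtype, qclass)
        self._expire(k)
        entry = self.entries.get(k)
        if entry is None:
            return ("MISS", None)
        return ("BAD-DATA", entry[2]) if cd_bit else ("SERVFAIL", None)

    def ttl_for(self, qname, qtype, qclass="IN"):
        """TTL actually assigned to a BAD entry (None if not cached)."""
        entry = self.entries.get(self.key(qname, qtype, qclass))
        return None if entry is None else entry[1]


if __name__ == "__main__":
    cache = BadCache()
    for _ in range(3):  # constructed: the same answer fails validation three times
        cache.record_failure("www.example.com", "A", ["192.0.2.1"], received_ttl=86400)
    print(cache.lookup("www.example.com", "A", cd_bit=False))  # ('SERVFAIL', None)
    print(cache.lookup("www.example.com", "A", cd_bit=True))   # ('BAD-DATA', ['192.0.2.1'])
```

Note that the received TTL of 86400 seconds is ignored in favour of the 60-second cap, that two failures alone never populate the cache, and that a client which sets CD still gets the raw RRset while one that relies on the resolver gets RCODE 2.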
Synthesized CNAMEs
A validating security-aware resolver must treat the signature of a valid signed DNAME RR as also covering the unsigned CNAME RRs that could have been synthesized from the DNAME RR, at least to the extent of not rejecting a response message solely because it contains such CNAME RRs. The resolver may retain such CNAME RRs in its cache or in the responses it hands back, but it is not required to do so.
Stub resolvers
A security-aware stub resolver must support the DNSSEC RR types, at least to the extent of not mishandling responses just because they contain DNSSEC RRs.
Handling of the DO bit
A non-validating security-aware stub resolver may include the DNSSEC RRs returned by a security-aware recursive name server as part of the data that the stub resolver hands back to the application that invoked it, but it is not required to do so. A non-validating stub resolver that seeks to do this will need to set the DO bit in order to receive DNSSEC RRs from the recursive name server.
A validating security-aware stub resolver must set the DO bit, because otherwise it will not receive the DNSSEC RRs it needs to perform signature validation.
Handling of the CD bit
A non-validating security-aware stub resolver should not set the CD bit when sending queries unless it is requested to do so by the application layer, as by definition a non-validating stub resolver depends on the security-aware recursive name server to perform validation on its behalf.
A validating security-aware stub resolver should set the CD bit, because otherwise the security-aware recursive name server will answer the query using the name server's local policy, which may prevent the stub resolver from receiving data that would be acceptable to the stub resolver's local policy.
Handling of the AD bit
A non-validating security-aware stub resolver may choose to examine the setting of the AD bit in the response messages it receives, in order to determine whether the security-aware recursive name server that sent the response claims to have cryptographically verified the data in the Answer and Authority sections of the response message. Note, however, that the responses received by a security-aware stub resolver depend heavily on the local policy of the security-aware recursive name server. Therefore, there may be little practical value in checking the status of the AD bit in a response message, except perhaps as a debugging aid. In any case, a security-aware stub resolver must not place any reliance on signature validation allegedly performed on its behalf unless the security-aware stub resolver obtained the data in question from a security-aware recursive name server via a secure channel.
A validating security-aware stub resolver should not examine the setting of the AD bit in response messages, as, by definition, the stub resolver performs its own signature validation regardless of the setting of the AD bit.
2.3.4. DNS authentication support
In order to use DNSSEC RRs for authentication, a security-aware resolver requires configured knowledge of at least one authenticated DNSKEY or DS RR. The process of obtaining and authenticating this initial trust anchor is accomplished via some external mechanism. For example, a resolver could use some off-line authenticated exchange to obtain a zone's DNSKEY RR, or to obtain a DS RR that identifies and authenticates a zone's DNSKEY RR.
An initial DNSKEY RR can be used to authenticate a zone's apex DNSKEY RRset. To authenticate an apex DNSKEY RRset by using an initial key, the resolver must:
- Verify that the initial DNSKEY RR appears in the apex DNSKEY RRset, and that the DNSKEY RR has the Zone Key Flag (DNSKEY RDATA bit 7) set.
- Verify that there is some RRSIG RR that covers the apex DNSKEY RRset, and that the combination of the RRSIG RR and the initial DNSKEY RR authenticates the DNSKEY RRset.
2.3.4.1. The validation process in DNSSEC
In DNSSEC, the validity of DNS responses is checked by means of digital signatures. These digital signatures are carried in DNSSEC resource records, which are generated and added to the zone when the zone is signed.

Figure 2.2 Digital signatures for resource records

A process for validating DNS responses using digital signatures is as follows:
1) The client sends a query for the address www.example.com to the resolver.
2) The resolver queries the root servers about the domain example.com, and the root servers refer the resolver to the name servers that manage the domain example.com being looked up.
3) The resolver then queries the .com name server (the parent zone) about example.com, and the .com name server refers the resolver directly to the name server responsible for the domain example.com.
4) The resolver continues by querying the example.com name server for the address www.example.com.
5) The example.com name server now checks its zone and finds the www record; it replies to the resolver with a DNS response message containing the IP address together with the DNSKEY and the RRSIG digital signature.
6) After receiving the DNS response, the resolver must check whether the response data really came from the example.com name server, by querying the parent zone (that is, the .com name server).
7) The .com name server looks in the .com zone file and sends the DS (delegation signer) record back to the resolver.
8) After receiving the DS, the resolver checks authenticity and integrity through its validator: it takes the public key (from the DNSKEY in the DNS response) and hashes it for comparison with the DS, obtaining a hash value X. Next, the resolver uses the public key from the DNSKEY to decrypt the RRSIG digital signature, obtaining a hash value Y.
9) Hash X is compared with hash Y; if they are equal, the data is correct. If they are not equal, the resolver returns a SERVFAIL message.
10) Once the hash values are found to be equal, the resolver checks the information in the RRSIG (including the RRSIG validity period and the Time To Live) once more with the root server.
11) After this verification the data is fully authenticated, and the root server allows the resolver to return the data to the querying client.
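The Zone Key flag check of 2.3.4 and the "hash X" comparison of step 8 (hashing the child's DNSKEY and comparing the result with the DS held by the parent) can be shown concretely. The code below is an added example, not code from the thesis or from any DNS software; the DNSKEY RDATA is a constructed placeholder with a four-byte dummy public key rather than a real key, and the owner name example.com is only a label. Key tag and DS digest follow RFC 4034; the RRSIG verification itself (obtaining hash Y) needs the signing algorithm's verify routine and is not shown.

```python
"""Key tag, Zone Key flag and DS digest for a DNSKEY (RFC 4034).

Added example, not code from the thesis. CONSTRUCTED_KEY is a placeholder
DNSKEY with a four-byte dummy public key, not a real key.
"""
import hashlib
import hmac
import struct

ZONE_KEY_FLAG = 0x0100  # DNSKEY flags field, bit 7 (RFC 4034 section 2.1.1)
SEP_FLAG = 0x0001       # bit 15, Secure Entry Point; usually set on the KSK


def canonical_wire(name):
    """Owner name in canonical wire form: lowercase, uncompressed, fully qualified."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (2 octets), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def is_zone_key(dnskey_rdata):
    """The trust-anchor check of 2.3.4: the Zone Key flag must be set."""
    (flags,) = struct.unpack("!H", dnskey_rdata[:2])
    return bool(flags & ZONE_KEY_FLAG)


def key_tag(dnskey_rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, octet in enumerate(dnskey_rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, dnskey_rdata, digest_type=2):
    """DS RDATA the parent zone publishes for this DNSKEY:
    (key tag, algorithm, digest type, hex digest), where
    digest = H(canonical owner name || DNSKEY RDATA); type 2 is SHA-256."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256}
    if digest_type not in hashers:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    digest = hashers[digest_type](canonical_wire(owner) + dnskey_rdata).hexdigest()
    return (key_tag(dnskey_rdata), dnskey_rdata[3], digest_type, digest)


def ds_matches(owner, dnskey_rdata, ds):
    """Resolver-side check of step 8: recompute the digest of the child's DNSKEY
    and compare it with the DS obtained from the parent (the 'hash X' comparison)."""
    tag, algorithm, digest_type, digest = ds
    if not is_zone_key(dnskey_rdata):
        return False
    if key_tag(dnskey_rdata) != tag or dnskey_rdata[3] != algorithm:
        return False
    try:
        recomputed = make_ds(owner, dnskey_rdata, digest_type)[3]
    except ValueError:
        return False  # unknown digest type: this DS cannot be used
    return hmac.compare_digest(recomputed, digest.lower())


# Constructed placeholder: KSK flags (257 = Zone Key + SEP), algorithm 8, dummy key bytes
CONSTRUCTED_KEY = build_dnskey_rdata(257, 8, b"\x00\x01\x02\x03")

if __name__ == "__main__":
    ds = make_ds("example.com", CONSTRUCTED_KEY)
    print("key tag:", ds[0], "DS digest:", ds[3])
    print("DS matches DNSKEY:", ds_matches("example.com", CONSTRUCTED_KEY, ds))
```

The owner name is part of the digest input, which is why a DS published for example.com does not validate the same key under any other name; the key tag is only a fast pre-filter, never a proof on its own.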
2.3.4.2. Authenticated denial of existence in DNSSEC
The authenticated denial of existence mechanism allows a resolver to validate that a particular domain name does not exist. The mechanism is also used to indicate that a domain name exists but does not have the particular RR type being looked for. When a negative DNSSEC response (an NXDOMAIN or a NODATA response) is returned, a name server usually includes two NSEC records. When NSEC3 (which uses a hash function) is used, three records are used in the response. Authenticated denial of existence uses cryptographic signing of these negative responses.
Denial of existence
To understand the denial of existence mechanism at a basic level, the following example in plain DNS is given:
- A small DNS zone with three domain names: example.org, a.example.org and d.example.org.
- Four record types: SOA, NS, A and TXT, with the SOA record written in abbreviated form.

This is an unsigned zone. If a resolver queries the server managing this zone for the name a.example.org with type TXT, it sends a query of the form: a.example.org TXT.
The server then searches its zone data and generates a response. In this case it is a positive answer that says: yes, the name exists, and here is the data.

The status: NOERROR field shows that no error occurred while looking up the data and answering, and the id value shows that the response matches the query. The ANSWER section contains the information for the query. The AUTHORITY section holds the names of the name servers that have information about the zone example.org.
If the resolver queries for b.example.org TXT instead, it receives a response saying that the name being looked for does not exist:

Because in this case the response has no ANSWER section and the status is set to NXDOMAIN, the resolver concludes that b.example.org does not exist. The AUTHORITY section holds the SOA record of example.org, which the resolver can use for caching the negative response. This is denial of existence.
Another case is that the name may exist while the record type being looked for does not. This form of non-existence is called a NODATA response. When a resolver asks the name server for a.example.org AAAA, it receives the response:

The status: NOERROR field shows that the name a.example.org exists, but the response contains no ANSWER section. This is a NODATA response, slightly different from an NXDOMAIN response. The resolver concludes that the name a.example.org exists but has no AAAA record type.
Authenticated denial of existence
As can be seen, in DNS the name server is free to answer and to perform signing, naturally while still satisfying the requirement of signing first and sending afterwards. However, when moving to DNSSEC, authenticated denial of existence is needed in order to attest to the integrity of the exchanged data. A next-secure record, NSEC, is introduced in DNSSEC.
Compared with DNS, the type names in DNSSEC were changed to new names: SIG was renamed RRSIG, and KEY was renamed DNSKEY. The NSEC record is used to tell the resolver that records whose names fall in the gaps between the names present do not exist in the zone, and at the same time to tell it which RR types are present at a given existing name.
To better understand how NSEC works, a zone example.org is created and sorted in canonical order as follows:

Three NSEC records are added, one for each name, and each NSEC covers the gap between two names:
- The first NSEC (1) covers the gap between example.org and a.example.org.
- The second NSEC (2) covers the gap between a.example.org and d.example.org.
- The third NSEC (3) covers the gap between d.example.org and example.org.
The zone created in the example is a signed zone on the name server, with the following contents:

In this zone, the RRSIG signature records and the NSEC records have been added. The contents of the SOA, DNSKEY and RRSIG records are abbreviated.
If a DNSSEC-aware resolver queries for the name b.example.org, it receives a message with status: NXDOMAIN, that is, the name does not exist. At the same time, for the resolver to learn of the name's non-existence securely, there must be a signed NSEC record covering the name space of b.example.org. Then, once the signature on the NSEC record has been validated, the name b.example.org is authenticated as non-existent. This is authenticated denial of existence.
In a DNS spoofing attack, an attacker could replay this NXDOMAIN response when we query for the name c.example.org. However, that causes no harm, since it has been authenticated that the response correctly matches the query.
NSEC records are also used in NODATA responses. Here the type bitmap matters, since the type bitmap in the NSEC record lists the types present at the name. Looking at the NSEC record of the name a.example.org, the types A, TXT, NSEC and RRSIG can be seen. This shows that for the name a there must be A, TXT, NSEC and RRSIG records in the zone.
A resolver may know that a name exists while the type may not. For example, when a resolver queries a.example.org AAAA, it receives the response:

Examining the AUTHORITY section, one can conclude:
- The name a.example.org exists (because an NSEC record accompanies the name).
- The type AAAA does not exist, because it is not listed in the NSEC's type bitmap.
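The NXDOMAIN and NODATA conclusions above rest on two checks a validator performs: that the query name falls inside an NSEC's gap under the zone's canonical ordering, and that the requested type is absent from the NSEC type bitmap. The following is an added example, not code from the thesis; the NSEC chain is constructed for the three-name example.org zone of this section and its type bitmaps are assumed. Signature checking of the NSEC records and the wildcard-denial proof are deliberately left out.

```python
"""NSEC denial of existence: NXDOMAIN versus NODATA.

Added example, not code from the thesis. The NSEC chain mirrors the
three-name example.org zone of this section; its type bitmaps are assumed.
RRSIG checking and the wildcard-denial proof are outside its scope.
"""


def _labels(name):
    """Labels of a name, root-most first, lowercased (RFC 4034 section 6.1)."""
    name = name.rstrip(".").lower()
    return [l.encode("ascii") for l in reversed(name.split("."))] if name else []


def canonical_cmp(a, b):
    """-1, 0 or 1 according to DNS canonical ordering: compare label by label
    starting at the root; a name that is a prefix of another sorts first."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1  # bytes compare as unsigned octets
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(name, apex):
    """True if name is at or below apex."""
    la, ln = _labels(apex), _labels(name)
    return ln[:len(la)] == la


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly inside the gap (owner, next_name).
    The last NSEC of a zone points back at the apex, so its gap wraps around."""
    after_owner = canonical_cmp(owner, qname) < 0
    before_next = canonical_cmp(qname, next_name) < 0
    if canonical_cmp(owner, next_name) < 0:
        return after_owner and before_next
    return after_owner or before_next  # wrap-around NSEC


def denial_status(nsec_chain, apex, qname, qtype):
    """Classify a query against the zone's NSEC chain.
    nsec_chain: list of (owner, next_name, set of type mnemonics)."""
    if not is_subdomain(qname, apex):
        return "OUT-OF-ZONE"
    for owner, nxt, types in nsec_chain:
        if canonical_cmp(owner, qname) == 0:
            # The name exists; the type bitmap decides EXISTS versus NODATA.
            return "EXISTS" if qtype.upper() in types else "NODATA"
        if nsec_covers(owner, nxt, qname):
            return "NXDOMAIN"
    return "NO-PROOF"  # chain incomplete: a validator must treat this as bogus


# Constructed NSEC chain for the example.org zone of this section
EXAMPLE_ORG_NSEC = [
    ("example.org",   "a.example.org", {"SOA", "NS", "TXT", "NSEC", "RRSIG"}),
    ("a.example.org", "d.example.org", {"A", "TXT", "NSEC", "RRSIG"}),
    ("d.example.org", "example.org",   {"A", "TXT", "NSEC", "RRSIG"}),
]

if __name__ == "__main__":
    for q, t in [("a.example.org", "TXT"), ("a.example.org", "AAAA"),
                 ("b.example.org", "TXT"), ("z.example.org", "A")]:
        print(q, t, "->", denial_status(EXAMPLE_ORG_NSEC, "example.org", q, t))
```

The ordering helper is what makes the gap check meaningful: names are compared from the rightmost label, case-insensitively, so z.example.org is covered by the last NSEC even though it sorts after every owner name in the zone.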
Using a hash function solves the zone walking problem of NSEC. However, one more problem remains to be solved: the high cost of securing a delegation to an insecure zone. The solution is to use Opt-Out.
When Opt-Out is used, names that are insecure delegations do not require an NSEC3 record. Instead, for each insecure delegation, the zone size can be reduced by at least two records: one NSEC3 record and its corresponding RRSIG record (compared with a fully signed zone that does not use Opt-Out).
Hash algorithm
NSEC3 applies a cryptographic hash to all domain names, including the root name. The algorithm used for hashing is SHA1, which increases security and makes attacks harder.
This standard adds two new identifiers (not two new algorithms) for two algorithms already in use: algorithm 6, DSA-NSEC3-SHA1, corresponds to algorithm 3, DSA; algorithm 7, RSASHA1-NSEC3-SHA1, corresponds to algorithm 5, RSASHA1. These new algorithm identifiers are used together with the NSEC3 hash algorithm SHA1.
The hash computation uses three NSEC3 RDATA fields: Hash Algorithm, Salt and Iterations.
Let H(x) be the hash of x using the hash algorithm selected by the NSEC3 RR's Hash Algorithm field, let k be the number of iterations, and let || denote concatenation. Then:
IH(salt, x, 0) = H(x || salt),
IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0
The hash of an owner name is computed as follows:
IH(salt, owner name, iterations)
where the owner name is in canonical form, defined as follows:
The name is fully expanded (no DNS name compression) and fully qualified.
All uppercase US-ASCII letters are replaced by the corresponding lowercase US-ASCII letters.
If the name is a wildcard name, then in the uncompressed original form the name includes the * label (no wildcard substitution).
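The iterated hash IH(salt, x, k) and the canonical name form above can be implemented directly. This is an added example, not code from the thesis; the salt aabbccdd and the 12 iterations used at the end are the parameters of the example zone in RFC 5155 Appendix A, which also lists the hashed owner names an implementation should reproduce.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5).

Added example, not code from the thesis. The sample salt and iteration count
at the bottom are those of the example zone in RFC 5155 Appendix A.
"""
import base64
import hashlib

_B32_STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_B32_STANDARD, _B32_HEX)


def canonical_wire(name):
    """Name in canonical wire format: fully qualified, uncompressed, lowercase.
    A wildcard name keeps its literal '*' label; the root is a single zero octet."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def base32hex(data):
    """Base32 with the extended-hex alphabet (RFC 4648 section 7), lowercase,
    no padding: the presentation form of hashed owner names in NSEC3 RRs."""
    return base64.b32encode(data).decode("ascii").translate(_TO_B32HEX).rstrip("=").lower()


def nsec3_hash(name, salt, iterations, hash_algorithm=1):
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Returns the base32hex-encoded hash of the canonical owner name."""
    if hash_algorithm != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()  # k = 0
    for _ in range(iterations):                                   # k = 1 .. iterations
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_owner(name, zone, salt, iterations):
    """Owner name of the NSEC3 RR that stands for `name` in `zone`."""
    return "%s.%s." % (nsec3_hash(name, salt, iterations), zone.rstrip("."))


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # parameters of the RFC 5155 Appendix A example zone
    for n in ["example", "a.example", "*.w.example"]:
        print(n, "->", nsec3_owner(n, "example", salt, 12))
```

Because the salt and iteration count are public in the NSEC3PARAM record, they do not make the hash secret; a resolver recomputes it to find the NSEC3 that covers a name, which is exactly why every name in the zone, including the apex, must be hashed the same canonical way.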
Wildcards
A wildcard record is a record in a zone that is used when answering requests for names that do not exist. A wildcard record uses the * character as the leftmost label of a domain name.
For example, *.example.org. is a wildcard record.
Denial of existence usually appears in negative responses. However, denial of existence also appears in positive responses, in which the ANSWER section of the response is non-empty. This is possible thanks to wildcards.
We have a zone containing a wildcard record as above. When a resolver queries for the name z.example.org TXT, the name server answers with a wildcard expansion instead of NXDOMAIN:

Considering the same case in DNSSEC, the response from the name server is as follows:

The RRSIG in the z.example.org record only indicates that a wildcard has been configured. In reality, a signature for the name z.example.org does not exist and was never generated. Instead, it only indicates that the wildcard name *.example.org has been configured and that it stands in for the name z.example.org.
2.4. Conclusion
Chapter 2 presents the study of DNSSEC, covering the deployment model, the resource records and the protocol extensions in DNSSEC. Specifically:
On the DNSSEC resource records:
The DNSKEY record in a zone.
The RRSIG record in a zone.
The DS delegation record in a zone.
The NSEC record in a zone.
The NSEC3 record in a zone.
Remarks:
For the CNAME resource record there are the following changes: when a CNAME RRset is present at a name in a signed zone, there must be RRSIG and NSEC RRsets corresponding to that name, in order to resolve the conflict in the original definition of the CNAME record. At the same time, a KEY RRset is allowed at the name for secure dynamic update. No other types may be present at that name.
For DNSSEC resource records appearing at zone cuts: DNSSEC introduces two new resource record types that typically appear on the parental side of a cut. At the parental side of a zone cut (that is, the delegation point), NSEC resource records are required at the owner name. A DS resource record may also be present if the delegated zone is signed and seeks to have a chain of authentication to the parent zone. This is an exception to the original DNS standard, which states that only NS RRsets may appear on the parental side of a zone cut.
The extensions in DNSSEC consist of:
Authoritative name server.
Recursive name server.
Resolver.
DNS authentication support.

CHAPTER 3: APPLYING DNSSEC TO ENSURE THE SECURITY OF THE DOMAIN NAME SYSTEM (DNS)
3.1. Common network attack methods
The DNS system is in essence a collection of hardware systems and software tools serving the task of domain name resolution.
Besides the hardware systems and the software tools that run as services, there are also the DNS protocols (including the packet format, the transport protocol, and so on) so that information can be exchanged between client machines and DNS servers, and among DNS servers themselves.
Precisely because DNS brings together all of these elements (hardware, software and protocols, as presented above), the DNS system always harbors latent vulnerabilities that a hacker can exploit to take control of the system, and thereby affect users.
3.1.1. DNS spoofing (DNS cache poisoning)
This is a method of attacking computers in which data is inserted into the cache of DNS servers. As a result, wrong IP addresses (usually IP addresses chosen by the attacker) are returned for domain name queries, redirecting users from one website to another.
To exploit in this way, the attacker takes advantage of a vulnerability in the DNS software: because DNS responses are not validated to ensure that they were sent by authoritative servers, incorrect records are cached and served to other users.

Figure 3.1 Diagram of a DNS cache poisoning attack


Example: the attacker replaces the IP address of a DNS record on the DNS server with the IP address of a server under the attacker's control. On that server, the attacker has deployed malware, so that users redirected to it are easily infected.
3.1.2. DNS amplification attack

Figure 3.2 Diagram of a DNS amplification attack


y l mt trong nhng phng php tn cng c s dng lm nghn lu
lng s dng dch v, thuc vo lp tn cng nh x.
C hai yu t c bn cho cch thc tn cng ny:
- a ch tn cng c che giu nh nh x sang mt bn th ba.
- Lu lng m ngi b hi nhn c s ln hn lu lng gi t k tn cng.
3.1.3. Rogue DNS server (man in the middle)
This is the method that some adware and trojans commonly use. First they set up DNS servers that work like ordinary DNS servers. These DNS servers, however, can add, remove or modify DNS records in order to redirect users to incorrect IP addresses, with aims such as increasing advertising traffic, installing malware or altering search results.

Figure 3.3: Rogue DNS server attack diagram

To carry this out, once the malware has been installed on the user's computer it changes the user's DNS configuration to the DNS address the malware was built with. The user's DNS queries then go through the attacker's DNS servers instead of the ISP's servers or the servers the user configured.
A variant of this form is malware modifying the hosts file (on Windows) to assign IP addresses to certain websites of the attacker's choosing.
When attacking the DNS system, the attacker wants to achieve one or more of the following:
- Lure users to counterfeit websites set up by the attacker in order to defraud them, steal passwords and login details, or plant malware. This information can be extremely valuable: bank accounts, administrator accounts, and so on.
- Increase traffic to a website: the attacker redirects users who visit popular websites to the website whose traffic the attacker wants to inflate. Each time a user visits one of those popular websites, the IP address of the attacker's chosen website is returned, increasing its traffic.
- Disrupt service: the aim here is to prevent users from using a given provider's service.
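A host-side check for the rogue-resolver and hosts-file variants just described, as an added example rather than code from the thesis: it audits a hosts file and the configured DNS servers against what the organisation expects and reports any entry that redirects a name elsewhere or suppresses its resolution. The hosts-file text, the watched domain, the configured resolver addresses and the allow-list are all constructed.

```python
import ipaddress

# Added example for the rogue-DNS / hosts-file discussion; not code from the thesis.
# On Windows the hosts file lives at C:\Windows\System32\drivers\etc\hosts.

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, name) for every mapping in hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def audit_hosts(text, watched_domains):
    """Return (kind, name, ip) findings for entries that hijack or block name resolution."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback and name in LOOPBACK_NAMES:
            continue                      # the standard localhost lines
        watched = any(name == d or name.endswith("." + d) for d in watched_domains)
        if addr.is_unspecified or addr.is_loopback:
            kind = "blocked"              # pinned to 0.0.0.0 / 127.0.0.1: resolution suppressed
        else:
            kind = "redirected"           # pinned to some other address
        if watched or kind == "redirected":
            findings.append((kind, name, ip))
    return findings

def audit_resolvers(configured, allowed):
    """Return configured DNS server addresses that are not inside an allowed network."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    return [ip for ip in configured
            if not any(ipaddress.ip_address(ip) in n for n in allowed_nets)]

# Constructed sample: a hosts file after tampering by malware of the kind described above.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
203.0.113.10    login.contoso.com      # redirected to an attacker-controlled host
0.0.0.0         update.contoso.com     # update traffic blocked
"""
WATCHED = ["contoso.com"]
ALLOWED_RESOLVERS = ["10.0.0.0/24"]       # constructed: the organisation's own resolver network

def run_audit(hosts_text=SAMPLE_HOSTS, configured=("10.0.0.2", "203.0.113.53")):
    return {
        "hosts": audit_hosts(hosts_text, WATCHED),
        "rogue_resolvers": audit_resolvers(configured, ALLOWED_RESOLVERS),
    }

if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

On a real host you would feed `audit_hosts` the contents of the hosts file and `audit_resolvers` the addresses the interface is actually using; the two findings kinds map directly onto the two behaviours the text describes, redirection to an attacker address and suppression of a name.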
3.2. DNS attack scenario
Security in DNS is essential. Microsoft is one of the service providers that recognised the problem and deployed the DNSSEC protocol to improve DNS security.
Specifically, Microsoft built the following scenario and procedure for simulating and testing DNSSEC:
For the DNSSEC demonstration in the test lab, DNS1 can be used instead of client1 to issue DNS client queries if the client1 computer is not available. If the DC2 computer is not available, some of the procedures below have to be skipped.
A functional test of DNSSEC on Windows Server 2012 consists of the following procedures:
(1) Query an unsigned zone without DNSSEC validation required.
(2) Sign the zone on DC1 and distribute trust anchors.
(3) Query a signed zone without DNSSEC validation required.
(4) Query a signed zone with DNSSEC validation required.
(5) Unsign the zone and then re-sign it with custom parameters.
(6) Demonstrate validation failure.
(7) Demonstrate Active Directory replication of DNSSEC-signed resource records.
(8) Transfer the Key Master role for sec.contoso.com to DC2.
In detail:
(1) Query an unsigned zone without DNSSEC validation required.
First, use resolve-dnsname to query an unsigned zone while validation is not required.
- To query an unsigned zone without DNSSEC validation required:
On Client1, click Windows PowerShell on the taskbar, type cd\ and press ENTER.
Start a Network Monitor capture if desired. Stop the capture after issuing the following command, and then save it under the name Capture1.
Type the following command, and then press ENTER:

Leave the Windows PowerShell window open for the following procedures.

- To verify remote connectivity to dc1.sec.contoso.com:
Type the following command and press ENTER:

Enter the password for the user1 account and click OK.
When you are warned that there is a problem with the security of the remote computer, click Yes.
Verify that you can connect successfully to dc1.sec.contoso.com, and then close the remote session.
(2) Sign the zone on DC1 and distribute trust anchors.
Next, sign the sec.contoso.com zone and distribute trust anchors for it. Trust anchor distribution is manual for a DNS server that is not running on a domain controller, such as DNS1. Automatic trust anchor distribution can be enabled for Active Directory-integrated DNS servers such as DC2.
- To sign a zone on DC1:
In the DNS Manager console tree on DC1, navigate to Forward Lookup Zones > sec.contoso.com.
Right-click sec.contoso.com, point to DNSSEC, and then click Sign the Zone.
In the Zone Signing Wizard click Next, and then choose Use recommended settings to sign the zone.
Click Next twice, confirm that the message that the zone was signed successfully is displayed, and then click Finish.
Refresh the DNS Manager console and verify that a new icon is displayed for the sec.contoso.com zone, indicating that it is now signed with DNSSEC.
Click the sec.contoso.com zone and review the new resource records that are present, including the DNSKEY, RRSIG and NSEC3 records.

Leave the DNS Manager console open.

- To distribute a trust anchor to DNS1:
On DC1, click Windows Explorer on the taskbar.
Navigate to C:\Windows\System32, right-click the dns folder, point to Share with, and then click Advanced sharing.
In the dns Properties dialog box click Advanced Sharing, select the Share this folder check box, verify that the Share name is dns, and then click OK.
Click Close and then close Windows Explorer.
On DNS1, in the DNS Manager console tree, navigate to the Trust Points folder.
Right-click Trust Points, point to Import, and then click DNSKEY.
In the Import DNSKEY dialog box, type \\dc1\dns\keyset-sec.contoso.com and then click OK.
- To verify the trust anchors:
In the console tree, navigate to Trust Points > com > contoso > sec and verify that the import succeeded.
On any computer, click Windows PowerShell, type the following commands and then press ENTER:

Verify that two trust anchors are displayed.
On DNS1, right-click Windows PowerShell and then click Run as Administrator.
Type the following command and press ENTER:

Verify that two trust anchors are displayed.

- To remove and redistribute trust anchors using Windows PowerShell:
On DNS1, in the Administrator: Windows PowerShell window, type the following command and press ENTER twice.

Type the following command and press ENTER:

(Verify that "Unable to list the trust anchors" is displayed.)
Type the following command and press ENTER twice.

Type the following command and press ENTER.

Type the following command and press ENTER:

get-dnsserverresourcerecord -zonename sec.contoso.com -rrtype dnskey -computername dc1 | %{ $_.recorddata

Type the following command and press ENTER.
Verify that the two trust anchors are displayed once again.

- To distribute a trust anchor to DC2:
On DC1, in the DNS Manager console tree, navigate to Forward Lookup Zones > sec.contoso.com.
Right-click sec.contoso.com, point to DNSSEC, and then click Properties.
Click the Trust Anchor tab.
Select Enable the distribution of trust anchors for this zone and then click OK.
When you are prompted to confirm the zone change, click Yes.
When you are prompted that the configuration import succeeded, click OK.
On DC2, refresh the view in DNS Manager and confirm that the trust anchor for sec.contoso.com is present.
(3) Query a signed zone without DNSSEC validation required:
Additional DNSSEC-related information is displayed for signed resource records. Compare the query results for dc1.contoso.com with the query results for dc1.sec.contoso.com if desired.
- To query a signed zone without DNSSEC validation required:
Start a Network Monitor capture if desired. Stop the capture after issuing the command, and then save it under the name Capture2.
On Client1, in the Windows PowerShell window, type the following command and then press ENTER.

The screen displays:

To verify that DNSSEC validation is currently not required, type the following command and press ENTER:

Confirm that no NRPT policy for the sec.contoso.com namespace is currently applied to the client computer.
Leave the Windows PowerShell window open.
(4) Query a signed zone with DNSSEC validation required:
The Name Resolution Policy Table (NRPT) is used to require DNSSEC validation. The NRPT can be configured in Group Policy for a single computer, or in domain Group Policy for some or all computers in the domain. The following procedure uses domain Group Policy.
- To require that DNSSEC validation is performed:
On DC1, in the Server Manager toolbar, click Tools, and then click Group Policy Management.
In the Group Policy Management console tree, under Domains > contoso.com > Group Policy Objects, right-click Default Domain Policy, and then click Edit.
In the Group Policy Management Editor console tree, navigate to Computer Configuration > Policies > Windows Settings > Name Resolution Policy.
In the details pane, under Create Rules, for the part of the namespace this rule applies to, choose Suffix from the drop-down list and type sec.contoso.com next to Suffix.
On the DNSSEC tab, select the Enable DNSSEC in this rule check box and then, under Validation, select the Require DNS clients to check that name and address data has been validated by the DNS server check box.
In the bottom right corner, click Create and then confirm that a rule for sec.contoso.com was added under Name Resolution Policy.
Click Apply, and then close the Group Policy Management Editor.
On DC1, type the following commands at the Windows PowerShell prompt, and then press ENTER.

Verify that the computer and user policy updates completed successfully, and that the value of DnsSecValidationRequired is True for the sec.contoso.com namespace.
Repeat the Group Policy update (gpupdate /force) and the NRPT policy verification on client1.

- To query a signed zone with DNSSEC validation required:
Start a Network Monitor capture if desired. Stop the capture after issuing the following commands, and then save it under the name Capture3.
On client1, at the Windows PowerShell prompt, type the following commands and then press ENTER.

Confirm that the same results are returned as before validation was required. Because a valid trust anchor is present on DNS1, the query succeeds even when validation is required.
Query DNSSEC records in the sec.contoso.com zone
Before unsigning and re-signing the zone, issue some queries for DNSSEC records. These kinds of queries can be useful when troubleshooting DNSSEC.
- To query DNSSEC records in the sec.contoso.com zone:
On client1, at the Windows PowerShell prompt, type the following commands and then press ENTER.

On client1, at the Windows PowerShell prompt, type the following commands and then press ENTER.


(5) Unsign the zone and then re-sign it with custom parameters
DNSSEC signing will be removed from the sec.contoso.com zone, and the zone will then be re-signed using custom DNSSEC parameters.
- To unsign the zone:
On DC1, in the DNS Manager console tree, navigate to Forward Lookup Zones > sec.contoso.com.
Right-click sec.contoso.com, point to DNSSEC, and then click Unsign the Zone.
In the Unsign Zone wizard, click Next.
Verify that the message that the zone was unsigned successfully is displayed, and then click Finish.
Refresh the view in DNS Manager and verify that the sec.contoso.com zone no longer contains DNSSEC-signed records and that the icon next to the zone indicates it is unsigned.
- To re-sign the zone with custom parameters:
On DC1, right-click sec.contoso.com, point to DNSSEC, and then click Sign the Zone.
In the Zone Signing Wizard, click Next.
Customize zone signing parameters is selected by default. Click Next.
On the Key Master page, the DNS server DC1 is selected as the Key Master by default, because zone signing is being performed on DC1.
If you configured DC2 in this test lab, review the option available under Select another primary server as the Key Master. Do not select this option, but verify that dc2.contoso.com is also available as a Key Master for this zone. When you are warned that all authoritative servers capable of online DNSSEC signing will be loaded, click Yes.

Make sure DC1 is selected as the Key Master and then click Next twice.
On the Key Signing Key (KSK) page, click the existing KSK (with key length 2048), and then click Remove.
To add a KSK, click Add.
In the New Key Signing Key (KSK) dialog box, under Key Properties, click the drop-down next to Cryptographic algorithm and select RSA/SHA-512.
Under Key Properties, click the drop-down next to Key length (Bits), select 4096, and then click OK.
Click Next until You have successfully configured the following parameters to sign the zone is displayed.
Review the parameters you selected and then click Next to start the zone signing process.
Confirm that The zone has been successfully signed is displayed, click Finish, and then refresh the view in DNS Manager to verify that the zone is signed again.
Refresh the view of the Trust Points folder and verify that the new DNSKEY trust point uses the RSA/SHA-512 algorithm.
At the Administrator: Windows PowerShell prompt, type the following commands and press ENTER.

(6) Demonstrate validation failure
Because the trust anchor that was distributed to DNS1 is no longer valid, DNSSEC validation will fail when resource records in the sec.contoso.com zone are queried.
- To demonstrate validation failure:
On DNS1, view the Trust Points settings that were installed earlier for sec.contoso.com and verify that the old trust anchor using the RSA/SHA-1 algorithm is displayed.
To clear the DNS server cache, right-click DNS1 and then click Clear Cache.
Start a Network Monitor capture if desired. Stop the capture after issuing the following commands, and then save it under the name Capture4.
On client1, type the following command at the Windows PowerShell prompt and then press ENTER.

Note:
Automatic trust anchor updates on a non-authoritative, validating DNS server (per RFC 5011) only occur during key rollover. If you unsign and re-sign the zone manually with a new key, you must also distribute a new trust anchor manually. If a validating DNS server has an incorrect trust anchor, DNS queries that require validation will report a server failure. When no trust anchor is present, queries also fail validation. Since there is no trust anchor, the server does not attempt to validate the response. In that case an unsecure error is displayed.
- To demonstrate an unsecure response:
On DNS1, at the Administrator: Windows PowerShell prompt, type the following commands and then press ENTER twice:

Start a Network Monitor capture if desired. Stop the capture after issuing the following commands, and then save it under the name Capture5.
Type the following command and press ENTER:

Demonstrate Remote Desktop failure.
Because DNSSEC validation fails, you cannot connect to dc1.sec.contoso.com using Remote Desktop.
- To demonstrate Remote Desktop failure:
On client1, type the following command at the Windows PowerShell prompt and then press ENTER.

Verify that Remote Desktop can't find the computer dc1.sec.contoso.com is displayed.
(7) Demonstrate Active Directory replication of DNSSEC-signed resource records
When DNS servers are Active Directory-integrated, trust anchors and signed resource records are updated automatically, even when the zone is unsigned and re-signed manually.
- To demonstrate Active Directory replication of DNSSEC-signed resource records:
On DC2, in DNS Manager, view the contents of the Trust Points folder. Refresh the view if necessary to see the current trust anchors.
Verify that the DNSKEY trust anchor for sec.contoso.com was updated automatically to use the RSA/SHA-512 algorithm.
In the DNS Manager console, click Global Logs > DNS Events and review event ID 7653, which indicates that the DNS server detected that the signing parameters for the sec.contoso.com zone have changed and that the zone will be re-signed. No error events are displayed once the zone has been re-signed.
Click Forward Lookup Zones > sec.contoso.com in the console tree and verify that the Secure Entry Point DNSKEY is displayed using the RSA/SHA-512 algorithm.
On DC1, in DNS Manager, add a new host (A) record for dns1.sec.contoso.com with the IP address 10.0.0.2.
On DNS1, view the Trust Points settings that were installed earlier for sec.contoso.com and verify that the old trust anchor using the RSA/SHA-1 algorithm is still displayed.
On DC2, refresh the view in DNS Manager and verify that the new signed record has replicated to this server.
(8) Transfer the Key Master role for sec.contoso.com to DC2
On DC1 or DC2, in DNS Manager, right-click the sec.contoso.com zone, point to DNSSEC, and then click Properties.
On the Key Master tab, select Use the following DNS server as the Key Master.
Click the drop-down list and, when you are warned that all authoritative DNS servers will be loaded, click Yes.
Select dc2.contoso.com from the list and then click OK.
When you are warned that the Key Master setting will change, click Yes.
Verify that the message that the Key Master for the sec.contoso.com zone was updated successfully is displayed.
Check that DNS event ID 7649 is displayed on the new Key Master and that DNS event ID 7648 is displayed on the previous Key Master.
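The trust anchors the procedure imports (step 2) and the failure it provokes (step 6) come down to whether the DNSKEY configured on the validating server still matches a key published in the zone. The following added example (not code from the thesis or from Microsoft's lab guide) computes the RFC 4034 key tag and a SHA-256 DS digest from DNSKEY presentation-format lines, and models the three outcomes the lab shows: a matching anchor (secure), a stale RSA/SHA-1 anchor left on DNS1 after the zone was re-signed with RSA/SHA-512 (bogus, the server failure), and no anchor at all (the unsecure response). The DNSKEY lines carry constructed 4-byte placeholder keys, far shorter than real RSA keys, and only the anchor-matching step is modelled; a real validator also verifies the RRSIG signatures.

```python
import base64
import hashlib
import struct

# Added example; not code from the thesis or from Microsoft's lab guide.
# DNSSEC algorithm numbers (IANA registry): 5 = RSA/SHA-1, 10 = RSA/SHA-512.
RSASHA1, RSASHA512 = 5, 10

def parse_dnskey(line):
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64' into (owner, rdata)."""
    fields = line.split()
    owner = fields[0]
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return owner, struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Canonical (lowercase) wire-format owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over the canonical owner name followed by the DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def validation_outcome(anchors, zone_keys):
    """anchors / zone_keys are lists of DNSKEY RDATA; returns 'secure', 'bogus' or 'insecure'."""
    if not anchors:
        return "insecure"          # no anchor: the server does not attempt validation
    published = {(key_tag(k), k[3]) for k in zone_keys}   # (key tag, algorithm) pairs
    if any((key_tag(a), a[3]) in published for a in anchors):
        return "secure"
    return "bogus"                 # anchor matches nothing in the zone: SERVFAIL to the client

# Constructed DNSKEY lines with 4-byte placeholder public keys (real RSA keys are hundreds of bytes).
OLD_KSK = "sec.contoso.com. 3600 IN DNSKEY 257 3 5 AQIDBA=="    # RSA/SHA-1, from the first signing
NEW_KSK = "sec.contoso.com. 3600 IN DNSKEY 257 3 10 AQIDBA=="   # RSA/SHA-512, after re-signing

def lab_outcomes():
    """The situations from steps 2, 6 and 7 of the lab, expressed as anchor/zone-key pairs."""
    _, old = parse_dnskey(OLD_KSK)
    _, new = parse_dnskey(NEW_KSK)
    return {
        "step2_matching_anchor": validation_outcome([old], [old]),
        "step6_stale_anchor_on_dns1": validation_outcome([old], [new]),
        "step6_no_anchor": validation_outcome([], [new]),
        "step7_dc2_after_auto_update": validation_outcome([new], [new]),
    }

if __name__ == "__main__":
    owner, rdata = parse_dnskey(NEW_KSK)
    print("key tag", key_tag(rdata), "DS", ds_digest_sha256(owner, rdata))
    print(lab_outcomes())
```

The key tag and algorithm pair is what the Trust Points folder and `Get-DnsServerTrustAnchor` display for each anchor, so comparing those two fields against the zone's DNSKEY set is a quick way to predict whether a validating server will return the answer, SERVFAIL, or an unsecure response before running the client queries.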
3.3. DNSSEC and the DNS attack scenario
A DNS amplification attack (also called a DNS reflection attack) is a type of distributed denial-of-service (DDoS) attack that takes advantage of the fact that a small DNS query can generate a large response. Combined with a spoofed source address, the attacker can direct a large volume of network traffic at a target system by initiating small DNS queries.
The amplification factor in this type of attack depends on the type of DNS query and on whether the DNS server (used as the intermediary) supports sending large UDP packets. Large UDP packets are a feature intended to make DNS more efficient. If a DNS server does not support large (> 512 byte) UDP packets in a response, it may fall back to TCP. This reduces the effectiveness of an amplification attack, because TCP is much harder to spoof.
An attacker planning a DNS amplification attack can take advantage of the following:
- Open resolvers: name servers on the Internet that enable recursion and provide recursive DNS responses to anyone are called open resolvers. The number of DNS servers providing open recursion on the Internet is estimated at anywhere from several hundred thousand to several million. In a DNS amplification attack, the open resolver is the source of the amplification: it receives a small DNS query and returns a much larger DNS response. The DNS server is not compromised; in fact, it operates normally.
- Spoofed source address: source address spoofing changes the return address of a packet so that the packet appears to come from a source other than the real sender. In a DNS amplification attack, the spoofed source address of the DNS queries is the target of the attack, much like in a "Smurf" attack. When the resolver returns a DNS response, the response is misdirected: it is sent to the spoofed address.
- Botnet: a botnet is a group of online computers that have been compromised by an attacker. A botnet is used in a DNS amplification attack to send the DNS queries to open resolvers.
- Malware: malware can be used to gain access to the botnet computers and provides the means to launch the DNS amplification attack.
- EDNS0: the Extension Mechanisms for DNS allow a DNS requester to advertise the size of its UDP buffer and make it possible to transfer packets larger than 512 bytes. Without EDNS0, a 64-byte query can produce (at most) a 512-byte UDP response, corresponding to an amplification factor of 512/64 = 8.
- DNSSEC: DNSSEC adds security to DNS responses by giving DNS servers the ability to validate DNS answers. DNSSEC prevents cache poisoning attacks, but it adds cryptographic signatures, so DNS messages become larger. DNSSEC also requires EDNS0 support; servers that support DNSSEC therefore also support large UDP packets in DNS responses.
If the target of the attack is a DNS server, a DNS amplification attack using queries for a DNSSEC-signed zone could potentially increase CPU usage because of the cryptography involved in validating the DNSSEC signatures on the resource records. The DNS server simply drops the packets. Note: DNS servers running Windows drop these packets and record them in the performance and statistics counters under the packet type "unmatched response".
It is important to note that DNSSEC by itself does not enable a DNS amplification attack to succeed. As noted above, an amplification factor can exist without EDNS0 or DNSSEC. Successful DNS amplification attacks do not require EDNS0 or DNSSEC.
To demonstrate how an amplification attack works, and how it is affected by DNSSEC, assume that a very large TXT record is created on a DNS server. Note that if the record data is too large, the server will not use UDP even if EDNS0 is enabled. By default, a DNS server running Windows falls back to TCP for records larger than 4000 bytes. This can be demonstrated with Network Monitor:
In the following example, two TXT records were created on a DNS server running Windows Server 2012 at 10.123.182.167. Each TXT record consists of text strings of 256 bytes.
The name oktxt.contoso.com contains 15 strings: 15 x 256 = 3840 bytes.
The name bigtxt.contoso.com contains 16 strings: 16 x 256 = 4096 bytes.
To issue a query for the records and confirm that large UDP packets are allowed in the responses, we can use dig (dig @10.123.182.167 oktxt.contoso.com any +edns=0) or the resolve-dnsname Windows PowerShell cmdlet available in Windows Server 2012. The dnssecok flag tells the server that large UDP response packets are supported:

The queries above were issued from a client computer at 10.123.183.140.
Network Monitor on the DNS server shows that bigtxt.contoso.com uses TCP while oktxt.contoso.com uses UDP:

Specifically, the frame details for these queries show that the maximum UDP payload size is 4000 bytes, and in the case of the bigtxt.contoso.com record the size is 4096 bytes (over the limit):

When the 4000-byte UDP limit is exceeded, the DNS server uses TCP for the DNS response.
The 4000-byte limit can also be displayed on the DNS server using Windows PowerShell:
PS C:\> (Get-DnsServer).ServerSetting.MaximumUdpPacketSize
4000
The frame details for oktxt.contoso.com are shown below. Note that UDP is used for this record, which is 3840 bytes long, because it is under the 4000-byte limit:

Recall that UDP is important in DNS amplification attacks because a spoofed source address is an essential part of the attack. The three-way handshake used by TCP makes spoofing much harder than when DNS responses use UDP. An attacker therefore typically wants to keep the response size within the range where only UDP is used.
An attacker using the oktxt.contoso.com TXT record could in theory use the minimum transmission unit size of 64 bytes to issue a query that returns a 3840-byte UDP response, for an amplification factor of 3840/64 = 60.
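The arithmetic in section 3.1.2, the EDNS0 bullet above and the oktxt/bigtxt measurement can all be reproduced offline. The following added example (not code from the thesis) builds the DNS query and response messages in wire format, including the EDNS0 OPT pseudo-record that advertises the client's UDP payload size, and models the server's transport decision: a response larger than the smaller of the advertised size and the server's MaximumUdpPacketSize (4000 on Windows, as shown above) is marked truncated and the client retries over TCP. The two TXT records are rebuilt from 255-byte strings, which cost 256 bytes each on the wire, so their RDATA comes out at exactly 3840 and 4096 bytes; the other sizes fall out of the wire format. The transport rule and the 64-byte nominal query are assumptions, not measurements of the Windows DNS server.

```python
import struct

# Added example; not code from the thesis. Builds DNS messages on the wire
# (RFC 1035 plus the EDNS0 OPT record of RFC 6891) and models the server's
# UDP-or-TCP decision. The decision rule is an assumption based on the
# behaviour described in the text, not Windows DNS code.

TYPE_TXT, TYPE_OPT, QTYPE_ANY = 16, 41, 255
WINDOWS_MAX_UDP = 4000     # (Get-DnsServer).ServerSetting.MaximumUdpPacketSize in the text
CLASSIC_MAX_UDP = 512      # the limit when the client sends no OPT record

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_record(udp_size, do_bit=False):
    # OPT: owner = root, TYPE = 41, CLASS = requester's UDP payload size,
    # TTL field = extended RCODE | version | flags (DO bit = 0x8000), RDLENGTH = 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x8000 if do_bit else 0, 0)

def build_query(qname, qtype, udp_size=None, do_bit=False):
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)   # RD set
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    return msg + (opt_record(udp_size, do_bit) if udp_size else b"")

def txt_rdata(strings):
    """TXT RDATA is a sequence of <character-string>s: 1 length byte + up to 255 bytes."""
    assert all(len(s) <= 255 for s in strings)
    return b"".join(bytes([len(s)]) + s for s in strings)

def build_response(qname, qtype, rdatas, rtype=TYPE_TXT, udp_size=None):
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(rdatas), 0, arcount)  # QR, AA
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rd in rdatas:
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rd)) + rd
    return msg + (opt_record(udp_size) if udp_size else b"")

def choose_transport(response, client_udp_size, server_max_udp=WINDOWS_MAX_UDP):
    """Model: send over UDP if the message fits, otherwise set TC and expect a TCP retry."""
    limit = min(client_udp_size or CLASSIC_MAX_UDP, server_max_udp)
    return "UDP" if len(response) <= limit else "TCP"

def amplification(query, response):
    return len(response) / len(query)

# Constructed records matching the measurement above: 255-byte strings, 256 bytes each on the wire.
OKTXT = [b"A" * 255] * 15      # 15 x 256 = 3840 bytes of RDATA
BIGTXT = [b"A" * 255] * 16     # 16 x 256 = 4096 bytes of RDATA

def measure(name, strings, client_udp_size=4096):
    query = build_query(name, QTYPE_ANY, udp_size=client_udp_size, do_bit=True)
    rdata = txt_rdata(strings)
    response = build_response(name, QTYPE_ANY, [rdata], udp_size=client_udp_size)
    return {
        "query_bytes": len(query),
        "rdata_bytes": len(rdata),
        "response_bytes": len(response),
        "transport": choose_transport(response, client_udp_size),
        "transport_without_edns0": choose_transport(response, None),
        "amplification": round(amplification(query, response), 1),
        "nominal_64b_factor": len(rdata) / 64,   # the text's 3840/64 = 60 style of figure
    }

if __name__ == "__main__":
    for n, s in (("oktxt.contoso.com", OKTXT), ("bigtxt.contoso.com", BIGTXT)):
        print(n, measure(n, s))
```

Measured against the real query size (46 bytes with the OPT record) rather than the nominal 64 bytes, the oktxt response amplifies even more than 60x while still fitting under the 4000-byte UDP limit; the bigtxt response exceeds it and goes to TCP, and without EDNS0 even the smaller record exceeds 512 bytes and is forced onto TCP, which is the mechanism that blunts the attack.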
DNS responses in a signed zone
What happens if the zone is signed? Windows Server 2012 supports signing zones using Windows PowerShell or using the DNSSEC wizard available in DNS Manager. This process adds several new resource records to the zone, and those records are returned with query results. Does this increase the amplification factor in a DNS amplification attack?
After the zone is signed, a query for oktxt.contoso.com (the smaller TXT record) produces the following exchange:

There is a TCP exchange in addition to UDP, similar to what happened earlier with the large TXT record at bigtxt.contoso.com.
Examining the frame details of the UDP exchange shows that the TXT records are still sent over UDP, just as they were before the zone was signed:

After the zone is signed, the TCP exchange carries the DNSSEC-related data (RRSIG):

Signing the DNS zone and adding DNSSEC data to a DNS response increases the total size of the response, but it does not increase the DNS amplification risk beyond the limit already set on the server for the UDP response size.
Since the TCP exchange is not easy to spoof, the additional data does not increase the severity of DNS amplification attacks.

However, an amplification factor of 60 is far from small, and DNS amplification attacks remain a risk on the Internet. Some things you can do to prevent DNS amplification attacks include:
- Do not run an open resolver on the Internet. Restricting which clients can reach the resolver greatly reduces the likelihood that an attacker will use it. This can be done with firewall rules, router IP access lists, or other methods.
- Prevent IP address spoofing by configuring Unicast Reverse Path Forwarding (URPF) on network routers. A router configured to use URPF limits an attacker's ability to spoof packets by comparing the packet's source address with its internal routing table to determine whether the address is legitimate. If it is not, the packet is dropped.
- Deploy intrusion prevention system (IPS) devices or monitor DNS traffic. A large number of packets sent to the same address, especially a sudden spike, is a good indicator of an active attack. Deploying filters that drop, rate-limit or delay suspicious traffic reduces the impact of attacks on the network and on local targets. As mentioned earlier, Windows Server 2012 DNS drops unmatched response packets and records them in the resolution and statistics counters. It is important to monitor traffic regularly.
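Two of the mitigations above can be expressed as code. The following added example (not code from the thesis) implements a strict-mode uRPF check, which accepts a packet only when the best route for its source address points back out the interface it arrived on, and a simple detector over resolver response logs that flags a client address receiving an abnormal number of large responses within a short window, the "many packets to the same address" indicator the text mentions. The routing table, the log lines, their format and the thresholds are all constructed; a real deployment would take its thresholds from observed baselines.

```python
import ipaddress
from collections import defaultdict

# Added example; not code from the thesis. Constructed routing table, log format and thresholds.

# --- Strict-mode Unicast Reverse Path Forwarding -----------------------------------
# Constructed routing table: prefix -> interface through which that prefix is reached.
ROUTES = {
    "10.0.0.0/24": "lan0",        # the organisation's own LAN
    "203.0.113.0/24": "dmz0",     # DMZ hosting the resolver
    "0.0.0.0/0": "wan0",          # default route towards the Internet
}

def best_route(src_ip, routes=ROUTES):
    """Longest-prefix match; returns the interface the router would use to reach src_ip."""
    addr = ipaddress.ip_address(src_ip)
    match = max((ipaddress.ip_network(p) for p in routes if addr in ipaddress.ip_network(p)),
                key=lambda n: n.prefixlen, default=None)
    return routes[str(match)] if match is not None else None

def urpf_strict_accept(src_ip, ingress_if, routes=ROUTES):
    """Accept only if the return path to the source is the interface the packet came in on."""
    return best_route(src_ip, routes) == ingress_if

# --- Spotting amplification targets in resolver response logs -----------------------
# Constructed log line format: "<unix_ts> client=<ip> qtype=<type> rsize=<bytes>"
SAMPLE_LOG = [
    "1700000000 client=10.0.0.15 qtype=A rsize=120",
    "1700000001 client=10.0.0.15 qtype=AAAA rsize=140",
] + [f"17000000{i:02d} client=198.51.100.7 qtype=ANY rsize=3898" for i in range(5, 35)]

def parse_log(lines):
    for line in lines:
        ts, *kv = line.split()
        rec = dict(p.split("=", 1) for p in kv)
        yield int(ts), rec["client"], rec["qtype"], int(rec["rsize"])

def flag_amplification_targets(lines, window_s=60, min_responses=20, min_avg_bytes=1000):
    """Return {client: (responses, avg_bytes)} for clients that exceed both thresholds
    within any sliding window of window_s seconds (first qualifying window reported)."""
    per_client = defaultdict(list)
    for ts, client, _qtype, rsize in parse_log(lines):
        per_client[client].append((ts, rsize))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            window = events[start:end + 1]
            avg = sum(r for _, r in window) / len(window)
            if len(window) >= min_responses and avg >= min_avg_bytes:
                flagged[client] = (len(window), round(avg))
                break
    return flagged

if __name__ == "__main__":
    print(urpf_strict_accept("10.0.0.15", "lan0"), urpf_strict_accept("10.0.0.15", "wan0"))
    print(flag_amplification_targets(SAMPLE_LOG))
```

A packet claiming an internal 10.0.0.0/24 source but arriving on the Internet-facing interface fails the uRPF check, which is exactly the spoofed-source pattern the attack depends on; in the log sample, the burst of ANY responses to 198.51.100.7 is flagged while the ordinary client is not, and the flagged address is the likely victim rather than the attacker, so the appropriate response is to rate-limit or drop responses towards it.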
3.4. Conclusion
Chapter 3 presented the network attack models and their characteristics: DNS cache poisoning, DNS amplification, and rogue DNS servers. It also presented the attack scenario and the DNSSEC solution on Microsoft Windows Server 2012, which serves as a practical example of the effectiveness and safety of applying DNSSEC to the DNS.

CONCLUSION
The domain name system and its name servers are a major weak point of the Internet. Attackers can exploit this weakness for malicious ends such as stealing information, fraud and spoofing. Security of the DNS therefore needs attention, and one of the methods chosen and applied is DNSSEC, the security extension for domain names.
After nearly two months of studying and researching DNSSEC, I have gained a great deal of useful new knowledge in the field of network information security, a valuable part of my preparation for the future. My ability to explore, learn and reason has also been refined and improved. However, given my limited knowledge, this thesis will hardly avoid mistakes. I hope to receive feedback from the teachers and from everyone else.
The thesis covers the following:
- A study of the DNS and an introduction to DNSSEC.
- The state of deployment and standardisation worldwide and in Vietnam.
- A study of the deployment model, the resource records and the protocol extensions in DNSSEC.
- Applying DNSSEC to secure the DNS, with network attack scenarios and the DNSSEC solution for those DNS attack scenarios.
