Ramaswamy Chandramouli
National Institute of Standards and Technology
USA

Scott Rose
National Institute of Standards and Technology
USA

The Domain Name System (DNS) is the world’s largest distributed computing system that performs the key function of translating user-friendly domain names to IP Addresses through a process called Name Resolution. After looking at the protection measures for securing the DNS transactions, we discover that the trust in the name resolution process ultimately depends upon the integrity of the data repository that Authoritative Name Servers of DNS uses. This data repository is called Zone file. Hence we analyze in detail the data content relationships in zone file that have security impacts and develop a taxonomy and associated population of constraints. We also have developed a platform-independent framework using XML, XML Schema and XSLT for encoding those constraints and verifying them against the XML encoded zone file data to detect integrity violations.

Keywords: Domain Name System, Zone file, DNSSEC, Integrity Constraints, XSLT

Read Paper (in PDF)