DNSSEC (Domain Name System Security Extensions) is designed to add security functions to the current DNS protocol. However, DNSSEC still has a low deployment rate on the Internet because of its heavy workload on DNS full resolvers and its high administrative cost. Furthermore, DNSSEC does not cover the last mile of name resolution: the path between the DNS full resolver and the client. To provide complete DNSSEC service between authoritative zone servers and clients, a new DNSSEC validation mechanism with an acceptable workload on both the DNS full resolver and the client is required. In this paper, we propose an advanced client-based DNSSEC validation mechanism and compare DNSSEC performance between the DNS full resolver and the client, based on evaluations in a local experimental network. By validating DNSSEC on each client, the proposed mechanism can reduce the workload of DNS full resolvers and can also provide secure name resolution for each client. From the results of preliminary evaluations, we confirmed that it is possible to reduce the workload of the DNS full resolver by transferring the DNSSEC validation process to clients at an acceptable extra workload on the client. More importantly, the benefit of DNSSEC can be extended to clients in the form of a secure name resolution service.
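As an added illustration (not code from the paper), the following Python shows how a stub client signals that it will validate DNSSEC itself rather than trusting the full resolver: it sets the CD (Checking Disabled) header flag and the EDNS0 DO bit so that RRSIG and related records are returned for local validation, and it contrasts this with the conventional resolver-validated query. The transaction ID, UDP payload size and query name are constructed values.

```python
import struct

# DNS header flag bits (RFC 1035 and RFC 4035) and the EDNS0 DO bit (RFC 4035 3.2.1).
FLAG_RD = 1 << 8   # Recursion Desired
FLAG_CD = 1 << 4   # Checking Disabled: resolver returns data without rejecting on its own validation
EDNS_DO = 1 << 15  # DNSSEC OK, carried in the high bit of the OPT record's TTL field
OPT_TYPE = 41

def encode_name(name):
    """Encode a dotted name in DNS wire format (no label compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, client_validates, txid=0x1234, udp_size=4096):
    """Build a query for a full resolver.

    client_validates=False is the conventional stub: the resolver validates and the
    client trusts its answer.  client_validates=True sets CD=1 (resolver does not
    withhold data on validation failure) and DO=1 (resolver forwards RRSIG/DNSKEY/DS
    records) so the client can run the validation itself, as the abstract proposes.
    """
    flags = FLAG_RD | (FLAG_CD if client_validates else 0)
    arcount = 1 if client_validates else 0          # one OPT pseudo-RR when EDNS0 is used
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    packet = header + question
    if client_validates:
        # OPT pseudo-RR: root name, type 41, class = UDP payload size,
        # TTL = extended RCODE/version/flags (DO bit), RDLENGTH = 0.
        packet += b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, EDNS_DO, 0)
    return packet

def parse_query(packet):
    """Return the flags a resolver would see, for auditing what a client sent."""
    _txid, flags, _qd, _an, _ns, arcount = struct.unpack(">HHHHHH", packet[:12])
    pos = 12
    while packet[pos] != 0:          # skip the question name labels
        pos += packet[pos] + 1
    pos += 1 + 4                     # root terminator, then qtype and qclass
    do, udp_size = False, 512        # 512 is the classic DNS UDP limit without EDNS0
    if arcount:
        rtype, rclass, ttl = struct.unpack(">HHI", packet[pos + 1:pos + 9])
        if rtype == OPT_TYPE:
            udp_size, do = rclass, bool(ttl & EDNS_DO)
    return {"rd": bool(flags & FLAG_RD), "cd": bool(flags & FLAG_CD),
            "do": do, "udp_size": udp_size}
```

Sending the CD=1/DO=1 form over a UDP socket to a resolver returns the signatures the client needs; the parse function is what a resolver-side monitor could use to count how many clients have taken over validation.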