ICACT20220132 Question.1
Questioner: spcho@hanmail.net 2022-02-13 ¿ÀÈÄ 2:27:01 |
ICACT20220132 Answer.1
Answer by Auhor yongj@gsic.titech.ac.jp 2022-02-13 ¿ÀÈÄ 2:27:01
Chrome  Click!! |
| How to check if DNSSEC validation failed? Could you please explain the verification method and procedure. |
Thank you very much for your question.
If the DNSSEC validation is failed on the external full-service resolver, it replies a DNS response with "SERVFAIL" flag. Thus, the DNS proxy installed on the end client will notice the DNSSEC validation failure and performs the DNSSEC validation by itself.
If the DNSSEC validation is failed on the end client, the end client can get error from the DNS proxy so that the end client can notice the DNSSEC validation failure. |
ICACT20220132 Question.2
Questioner: spcho@hanmail.net 2022-02-13 ¿ÀÈÄ 2:29:21 |
ICACT20220132 Answer.2
Answer by Auhor yongj@gsic.titech.ac.jp 2022-02-13 ¿ÀÈÄ 2:29:21
Chrome Click!! |
| It is desirable to present the reliability of a client-based DNSSEC verification system. What kind of algorithm is applied to the Security Algorithm applied to the DNSSEC verification system? |
Thank you very much for your question.
In general, public key cryptography will be used in DNSSEC verification system. In the prototype system of the proposed method, we used RSA for generating the key pair to sign the DNS data and
verify the signature. |
ICACT20220132 Question.3
Questioner: tomayoon@ieee.org 2022-02-14 ¿ÀÀü 11:37:43 |
ICACT20220132 Answer.3
Answer by Auhor yongj@gsic.titech.ac.jp 2022-02-14 ¿ÀÀü 11:37:43
Chrome Click!! |
| First of all, thank you for the good research paper and presentation contents. I would like to know more about the research environment used in this study, and also in detail about the equipment & operating systems, development languages and software libraries you used. |
Thank you very much for you question.
We used Windows7 for the end client and BIND9 for the DNS full-service resolver.
We used Net::DNSServer::Proxy perl module for the DNS proxy and Net::DNS::SEC::Validator for DNSSEC validation.
We used Perl scripting language for customizing the Perl modules. |
ICACT20220132 Question.4
Questioner: vasaka.vis@mahidol.edu 2022-02-15 ¿ÀÈÄ 5:32:43 |
ICACT20220132 Answer.4
Answer by Auhor yongj@gsic.titech.ac.jp 2022-02-15 ¿ÀÈÄ 5:32:43
Chrome Click!! |
| The research topic is interesting, but it is a bit upset to see your Youtube video that was generated by the text-to-speech engine. You should present by yourself :(
For your proposed approach, it seems like that you double the Internet traffic and increase the workload on the DNSSEC enabled cache DNS server. Is there any other trade-off by using your proposed system?
In Slide No.18, why there was no results of "Parallel query using "fork"" for Client 1?
Moreover, what is the difference between Client 1 and Client 2? Different physical machine specs? Different software? Please kindly explain. Thank you.
|
Thank you very much for your question.
Regarding the network traffic, we consider that DNS traffic cause a small volume comparing to other
types network traffic thus it is acceptable. In addition, we consider that the proposed system should
be deployed on each end client which can be another overhead.
The results of "Parallel query using "fork"" is shown in Slide No.17.
The Client 1 and 2 are the same machine. We differs them to Client 1 and 2 in order to show the sequence which one queried the full-service resolver first. When the Client 1 queries the full-service resolver for a non-cached domain name it will cause long latency. However, when the Client 2 queries the full-service resolver it will be faster because the cached results can be used. |
ICACT20220132 Question.5
Questioner: namacabale@gmail.com 2022-02-15 ¿ÀÈÄ 6:04:32 |
ICACT20220132 Answer.5
Answer by Auhor yongj@gsic.titech.ac.jp 2022-02-15 ¿ÀÈÄ 6:04:32
Chrome Click!! |
| Dear Author, you have a good research. In many engineering work it's hard to address issues all at the same time. Somehow to address some issues you need to trade or give up some advantages. In your work, what specific aspect(s) was/were sacrificed or ignored to achieve your goal.
Like for example, the more complex encryption becomes the more hardware becomes more expensive and complex too. |
Thank you very much for your question.
As you mentioned, in order to achieve the advantages sometimes we have to sacrifice something.
In the proposed method, we need to deploy and install extra applications including DNS proxy and
DNS full-service resolver on an end client which may increase the workload of the end client. Moreover,
the proposed method also generates some extra network traffic for the same DNS name resolution.
However, by using the proposed method, the end client can conduct secure DNS name resolution on
end client which cannot covered by DNSSEC. |
ICACT20220132 Question.6
Questioner: yiweimaa@gmail.com 2022-02-16 ¿ÀÈÄ 4:03:39 |
ICACT20220132 Answer.6
Answer by Auhor yongj@gsic.titech.ac.jp 2022-02-16 ¿ÀÈÄ 4:03:39
Chrome Click!! |
| Dear Author, you have a good research. I would like to know if the performance is relative to the language you used? |
Thank you very much for you question.
I think the performance of the prototype system is not much relative to the language.
We used Perl scripting language I think it will still work and get similar performance with Python. |
ICACT20220132 Question.7
Questioner: jianms@nfu.edu.tw 2022-02-17 ¿ÀÀü 8:06:11 |
ICACT20220132 Answer.7
Answer by Auhor yongj@gsic.titech.ac.jp 2022-02-17 ¿ÀÀü 8:06:11
Chrome Click!! |
| According to the presentation, I would like to know what if the IP address change? |
Thank you very much for your question.
Which IP address do you mean?
DNSSEC works well even the IP address changes. |
