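Title

ccTLDs在DNSSEC建置發展及推動現況之比較 (A Comparison of the Development and Promotion Status of DNSSEC Deployment among ccTLDs)

Parallel title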

The Comparison of DNSSEC Development and Implementation for ccTLDs

Author

張宏昌(Hung-Chang Chang)

Keywords

DNSSEC ; ccTLDs ; phishing ; DNS

Journal

資訊管理學報 (Journal of Information Management)

Volume/Issue, Publication date

Vol. 24, No. 2 (2017/04/01)

Pages

185 - 208

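Language

Traditional Chinese

Chinese abstract

In an era of ubiquitous information networks, as people's reliance on the Internet keeps growing, network security has long been a problem that cannot be ignored. Network attacks and criminal techniques emerge endlessly, and phishing is the most common among them. In view of this, many countries have introduced DNSSEC, which has three major properties, "data integrity", "origin authentication" and "authenticated denial of existence", to address this problem. Although DNSSEC offers stronger security than the traditional DNS service, the higher technical threshold it requires and the lack of incentives for the relevant parties to upgrade and deploy have caused DNSSEC to run into considerable difficulty in promotion. To understand how DNSSEC is being promoted and developed across the world's country-code top-level domains, as an important reference for Taiwan's future deployment and operation of DNSSEC services, this study interviewed relevant personnel in various countries by questionnaire and e-mail, supported by data collected from the Internet, and finally used third-party testing software to verify, compare and analyze the information obtained on the overall DNSSEC implementation and promotion of the major ccTLDs in different regions of the world. The aim is to use this valuable experience and information to understand and grasp the current state of DNSSEC service promotion in each country, including organizational structure, implementation methods, cost and budget, progress and schedule, and the difficulties encountered and their solutions. The study finds that countries share many similarities in how they implement DNSSEC and in their promotion and deployment processes. Because information networks are well developed today, even countries thousands of miles apart and separated by oceans or mountain ranges can easily learn and share deployment techniques and experience through e-mail and other communication tools and with the assistance of organizations such as the RIRs and ICANN. As for the differences in deployment progress between countries, apart from the available funding, a country's local customs and culture are also one of the factors that influence DNSSEC deployment.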

English abstract

Purpose - DNSSEC is the next generation of Internet infrastructure. For a more stable and secure network environment, countries around the world are actively promoting its deployment. In view of this, the purpose of this paper is to survey the status of DNSSEC implementation, to help technical and promotion staff evaluate and promote DNSSEC deployment more easily in Taiwan.

Design/methodology/approach - Detection and statistics are the most important features of a DNSSEC deployment survey. We can use these features to probe their services to obtain the status of DNSSEC deployment and its environment. We observe the target objects and record their resource records. We then analyze these data to estimate the deployment status of the target objects. Finally, we refer the results to the relevant personnel.

Findings - DNSSEC deployment has been enthusiastically discussed and implemented in recent years. DNSSEC plays an indispensable role in the next generation. For this reason, we first introduce the related knowledge and finally propose an Auxiliary Deployment System for DNSSEC to help our government promote deployment more easily.

Research limitations/implications - DNSSEC does not provide confidentiality of DNS responses or of communications between DNS clients and servers. It also does not prevent attacks on DNS servers that use other parts of the network stack; for instance, implementation of DNSSEC does not protect against distributed denial of service attacks or IP spoofing.

Practical implications - Unlike the majority of Top Level Domains (such as .com and most Asian ccTLDs), .tw does not offer registrations at the second level. The .tw zone is partitioned into 14 second level domains, and the remainder (such as .gov.tw and mod.tw) are managed within the public sector. In spite of the high level of second level domains, .co.tw is by far the largest of the zones managed by Hinet, accounting for between 92-95% of monthly registrations over the past five years. For a TLD structured into second level domains, like .tw, implementing DNSSEC is more complex than with other TLDs. In reality, this did not introduce DNSSEC to .tw domain name registrants. Only then was it possible for .tw registrars to complete the chain of trust through to individual domains.

Originality/value - The Deployment System for DNSSEC greatly reduces the complexity of deployment tasks and has many advantages, including a friendly interface, real-time information, integration, and security. In the future, we will actively use the system in DNSSEC deployment.

Subject classification: Basic and Applied Sciences > Information Science
Social Sciences > Management
Cited by
  1. 陳仕弘 (2023). A Discussion of Information Security Threats and Governance Policy. 管理資訊計算, 12(Special Issue 1), 1-12.