Scott Rose
National Institute of Standards and Technology
Publication
Featured research published by Scott Rose.
workshop on software and performance | 2004
Kevin L. Mills; Scott Rose; Stephen Quirolgico; Mackenzie Britton; Ceryen Tan
Designs for distributed systems must consider the possibility that failures will arise and must adopt specific failure detection strategies. We describe and analyze a self-regulating failure-detection algorithm that bounds resource usage and failure-detection latency, while automatically reassigning resources to improve failure-detection latency as system size decreases. We apply the algorithm to (1) Jini leasing, (2) service registration in the Service Location Protocol (SLP), and (3) SLP service polling
ieee symposium on security and privacy | 2006
Ramaswamy Chandramouli; Scott Rose
Two main security threats exist for DNS in the context of query/response transactions. Attackers can spoof authoritative name servers responding to DNS queries and alter DNS responses in transit through man-in-the-middle attacks, and alter the DNS responses stored in caching name servers. The IETF has defined the digital signature-based DNSSEC for protecting DNS query/response transactions through a series of requests for comments.
pervasive computing and communications | 2003
Kevin Bowers; Kevin L. Mills; Scott Rose
Distributed systems require strategies to detect and recover from failures. Many protocols for distributed systems employ a strategy based on leases, which grant a leaseholder access to data or services for a limited time (the lease period). Choosing an appropriate lease period involves tradeoffs among resource utilization, responsiveness, and system size. We investigate these issues for Jini Network Technology. First, we establish quantitative tradeoffs among lease period, bandwidth utilization, responsiveness, and system size. Then, we consider two self-adaptive algorithms that enable a Jini system, given a fixed allocation of resources, to vary lease periods with system size to achieve the best responsiveness. We compare performance of these self-adaptive algorithms against each other, and against fixed lease periods. We find that one of the self-adaptive algorithms proves easy to implement and performs reasonably well. We anticipate that similar procedures could add self-adaptive capability to other distributed systems that rely on leases.
annual computer security applications conference | 2005
Ramaswamy Chandramouli; Scott Rose
The domain name system (DNS) is the world's largest distributed computing system that performs the key function of translating user-friendly domain names to IP addresses through a process called name resolution. After looking at the protection measures for securing the DNS transactions, we discover that the trust in the name resolution process ultimately depends upon the integrity of the data repository that authoritative name servers of DNS use. This data repository is called a zone file. Hence we analyze in detail the data content relationships in a zone file that have security impacts. We then develop a taxonomy and associated population of constraints. We also have developed a platform-independent framework using XML, XML schema and XSLT for encoding those constraints and verifying them against the XML encoded zone file data to detect integrity violations
2009 Cybersecurity Applications & Technology Conference for Homeland Security | 2009
Scott Rose; Ramaswamy Chandramouli; Anastase Nakassis
The Domain Name System (DNS) is the global lookup service for network resources. It is often the first step in an Internet transaction as well as a network attack since it provides the route map for reaching any resource (e.g., hosts) in any organization irrespective of its geographical and network location. An attacker can query an organization’s DNS as reconnaissance before attacking hosts on a particular network. To minimize the chances of these attacks succeeding, the administrator of an organization’s DNS (called the zone administrator) has various countermeasure options in the form of content control, configuration, protocols, operational and infrastructure protection methods. In this paper, we analyze these and discuss their effectiveness and limitations.
ieee symposium on security and privacy | 2009
Ramaswamy Chandramouli; Scott Rose
The domain name system's growth has been unprecedented, but protocol vulnerabilities threaten its stability and trustworthiness. The Internet Engineering Task Force's DNS security extensions specification aims to protect the system from these attacks.
ieee symposium on security and privacy | 2009
Ramaswamy Chandramouli; Scott Rose
The Domain Name System (DNS) is the primary infrastructure component of the Internet as it translates easy-to-remember Internet destination (web pages, mail servers) addresses (called URLs) into actual network addresses (IP addresses). Being the foundational technology for the global economy, the DNS needs protection using state-of-practice security measures. A set of security specifications called DNS Security Extensions (DNSSEC) has been proposed by IETF and has been demonstrated to provide the needed protection. However, ubiquitous DNSSEC deployment throughout the DNS infrastructure calls for certain critical security operations. There are some unresolved issues with respect to the rollout of these operations in terms of specification gaps, consensus security procedures and operational challenges. This article discusses those issues and provides some directions for resolving them.
National Institute of Standards and Technology (U.S.) | 2006
Ramaswamy Chandramouli; Scott Rose
darpa information survivability conference and exposition | 2003
Scott Rose; Kevin Bowers; Stephen Quirolgico; Kevin L. Mills
Sustainable Computing: Informatics and Systems | 2018
Zheng Wang; Scott Rose