The goal of this project is to build DNSSEC simulator software and provide it freely as open source software. DNSSEC is an important technology for DNS and the Internet; however, the costs of introducing and operating DNSSEC are not low. Using this software, you can easily simulate your DNS environment and evaluate the effects of enabling DNSSEC.
Motivation and Goals
DNSSEC is useful and important for protecting DNS answers from spoofing and attacks. However, DNSSEC is not easy to introduce into existing DNS environments. Operators must bear additional costs for signing zones and managing keys. Moreover, the amount of traffic will grow when DNSSEC is introduced because DNSSEC messages are bigger than non-DNSSEC messages.
Before introducing and deploying DNSSEC on existing DNS servers, operators and administrators may want to evaluate the operational costs and estimate the growth of DNS traffic. However, there is no good tool or simulator for evaluating the effects of introducing DNSSEC into existing environments, so we would like to provide DNSSEC simulation software for DNS operators and administrators. This is the motivation for starting this project.
The goals of this project are:
- Providing simulation tools for DNS administrators and operators to evaluate DNSSEC introduction,
- Simulating the whole DNS environment with any DNS server implementations, and
- Evaluating the effects of DNSSEC transitions on authoritative servers and cache servers.
We will release our software as one package so that users can perform DNS simulations easily. Users only have to configure the number of clients, authoritative servers, and resolver servers, along with the server location information, to simulate their DNS environments with DNSSEC enabled.
Our simulator is built on the ns-3 simulator with Direct Code Execution (DCE) enhancements, so users can simulate any DNS server implementation and environment.
DCE allows us to run existing protocol implementations on top of the network simulator (ns-3) without any modifications to the original implementations. We therefore reuse bind9 and unbound as the DNS/DNSSEC implementations for simulations.
We will also provide tools for configuring the parameters and visualizing the results.