EP3900305A1 - Method for acquiring a delegation chain relating to resolving a domain name identifier in a communication network - Google Patents
Info
- Publication number
- EP3900305A1 (application EP19839392.8A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- domain
- server
- identifier
- chain
- terminal
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
      - H04L61/00—Network arrangements, protocols or services for addressing or naming
        - H04L61/45—Network directories; Name-to-address mapping
          - H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
            - H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0272—Virtual private networks
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
        - H04L63/16—Implementing security features at a particular protocol layer
          - H04L63/166—Implementing security features at a particular protocol layer at the transport layer
Definitions
- Title of the invention Method for acquiring a delegation chain relating to the resolution of a domain name identifier in a communication network
- the invention lies in the field of communication networks and aims to provide a method for the secure delegation, by a second domain of a DNS (Domain Name Server) architecture, to a first domain, so that a terminal obtains an identifier of a data server in the first domain capable of delivering content, the identifier having initially been requested from the second domain.
- DNS: Domain Name Server
- content is most often distributed to terminals from data servers which are not necessarily the so-called origin servers that initially hold the requested content. For example, if a terminal wants to access the data on the page http://www.example.com, this data will probably be transmitted by a CDN server, in other words by a cache server that has obtained the data from the origin server hosting the page cited above. It is then necessary to transmit the identifier of this CDN server to the client, which establishes a session with the CDN server to actually obtain the data, for example an HTTPS (HyperText Transfer Protocol Secure) session of the HTTP over TLS type.
- HTTPS: HyperText Transfer Protocol Secure
- TLS: Transport Layer Security
- DNS server: Domain Name Server
- CDN server operator: for example, the entity in charge of managing CDN servers capable of delivering the content required by the terminal.
- 5G: fifth generation
- the delivery of content by servers close to the terminals makes it possible to reduce the latency of content distribution, and therefore to improve the quality of the customer experience and make the data access service more reliable, by distributing the servers across different areas, an area being a set of resources in a communication network administered by the same entity.
- in the case of CDN architectures, a CDN server must deliver the content under the origin domain name, so that the terminal can verify that the content received, which does not come from a server of the origin domain, comes from a server of a domain having an agreement with the origin server.
- the terminal in fact checks the match between the domain requested in the DNS query initially sent and the domain name present in a certificate sent by the data server of the CDN domain. For this comparison to be possible, however, the origin domain must transmit to the CDN domain server the certificate as well as the private key associated with the origin domain. Transmitting the private key poses confidentiality and security problems that must be resolved.
- the terminal thus obtains content from a server of a domain whose link with the origin domain from which the terminal requested the content is unknown to it.
- the document draft-sheffer-acme-star-delegation-01 describes a solution allowing a single delegation by an origin server to a third-party server, whereas communication network architectures most often interconnect a larger number of domains, and these domains do not necessarily all have agreements with the origin server.
- a domain X involved, for example, in the delivery of content may also have agreements with different domains corresponding to distinct service providers, and may itself request another domain Y that is more suitable for providing a data server identifier.
- the supply of a data server identifier to a terminal can thus involve a large number of successive domains without any a priori control by the origin domain initially requested by the terminal.
- sharing private keys between the different domains is however not desirable for security reasons, and different domains can take part in supplying the data server identifier to the terminal depending on the type of data and/or the time slot, or even according to the agreements between the different domains for certain services.
- the invention improves the situation by means of a method for acquiring an identifier of a data server capable of delivering content to a terminal, the method being executed by the terminal and comprising a step of receiving, from a resolution server of a communication architecture, an information message comprising the identifier of the data server in a first domain and further comprising a delegation chain including at least one redirection from a second domain to the first domain, the reception of the information message being triggered by a step of transmitting to the resolution server a request message for obtaining an identifier of the data server in the second domain.
- the supply of content to a terminal most often requires the contribution of name servers (DNS Servers) from different domains which will successively redirect a DNS request to a name server in a domain capable of transmitting an identifier of a data server to which the terminal must connect to obtain the content.
- DNS Servers: name servers
- the terminal can ensure that the content that will be delivered actually comes initially from a server of a domain approved step by step in the chain.
- the terminal can also ensure that the data server is authorized to provide the content
- the delegation chain corresponds to a series of redirects from the original domain server, or second domain, to the domain in which is located
- a domain corresponds to a set of devices sharing directory information. It can be a geographic domain or a logical domain and each domain can itself include sub-domains, thus creating a hierarchical organization of domain names, such as that used for the DNS service.
- a redirection between domains consists of transmitting a request for obtaining a server identifier to another domain, these exchanges being carried out between name servers.
- the acquisition method also has the advantage of informing the terminal about the different domains, and therefore the actors, involved in supplying the content, even before the content is requested.
- the method thus makes it possible to inform the terminal before a request to obtain the content is actually issued.
- the terminal holds all the information on the delegations between domains before actually transmitting a request to obtain the content and it can, if necessary, not request the content if one of the delegations of the chain does not suit it.
- the acquisition process can thus be used for different protocols then exploiting the delegation chain received by the terminal.
- protocols such as HTTP over TLS, or services relating to Edge Caching that deliver content as close as possible to the terminals, can use the method.
- the acquisition method also dispenses with sending a private key of a second domain to a first domain, since the delegation chain indicates that the second domain implicitly authorizes the delivery server of the first domain to deliver the content; it therefore represents an alternative to private key sharing, which poses security problems.
- obtaining information on the successive delegations between domains, described in the delegation chain, at the time the identifier of the data server delivering the required content is obtained, also makes it possible to use the information in the chain for successive content requests, possibly from separate communication protocols.
- the method can possibly be implemented from exchanges relating to the DNS protocol widely used in communications networks.
- the request message of the acquisition process comprises a delegation parameter.
- sending a delegation parameter in the obtaining request message allows the terminal to indicate whether or not the delegation chain should be transmitted to it, or to differentiate obtaining requests, thereby limiting the exchanges needed to generate and/or obtain the chain, or even allowing a resolution architecture adapted to the supply of a delegation chain.
- the delegation chain comprises a period of validity of the chain.
- the method has the advantage of being able to implement the delegation chain for a limited period. This improves the security of the delegation by preventing a corrupted domain from, for example, being able to subsist continuously in a chain obtained by a terminal.
- the period of validity also makes it possible to oblige the terminal to re-run the method regularly, that is to say whenever the period of validity has expired, in order to obtain an updated delegation chain.
- the delegation chain includes authentication data for the chain.
- the delegation chain advantageously includes signature data for the chain, for example to authenticate the domain redirecting to another domain, possibly together with the algorithm used to verify the delegation chain, or any other authentication information added by a server in the chain and allowing the terminal to authenticate a server added to the delegation chain.
- each domain present in the chain attaches a certificate to the delegation chain generated, the certificate possibly being valid for a determined period.
- the delegation chain comprises at least one redirection to at least one third intermediate domain.
- the acquisition process is advantageously implemented when the communication architecture in which it is implemented comprises at least 3 domains and when at least two redirects between distinct domains are included in the delegation chain transmitted to the terminal. Each domain can thus use the information in the chain to redirect a request for an identifier to another domain.
- the acquisition method further comprises a step of transmitting a message establishing a connection to the identifier of the data server in the first domain, the message
- the terminal can advantageously use the information relating to the delegation chain to establish a connection with the delivery server in order to obtain the required content. Indeed, once it has obtained the identifier of the delivery server in charge of providing the content, it can directly establish a connection with this server to obtain the content.
- adding the delegation chain to the connection establishment message informs the delivery server that the terminal has obtained this chain and possibly that it validates the delegation chain received in the information message.
- the acquisition method further comprises a step of receiving a message accepting the connection from the data server.
- a step of receiving a connection acceptance message from the data server enables the latter to validate (or to invalidate) the establishment of the connection as well as the delegation chain which has been transmitted in the connection establishment message.
- the connection establishment message further comprises data identifying the second domain.
- the terminal having initially requested an identifier from a server in the second domain, it can advantageously add to the connection establishment message a data item identifying the second domain. This information allows the delivery server of the first domain to make the link between
- the acquisition method further comprises a step of receiving from the data server a communication message of at least one certificate associated with the delegation chain.
- the invention also relates to a method of associating a delegation chain with an information message comprising an identifier of a data server, capable of delivering content to a terminal, the method being executed by a resolution server.
- a communication architecture and comprising the following stages:
- the invention also relates to a device for acquiring an identifier of a data server capable of delivering content to a terminal, comprising:
- a receiver capable of receiving, from a resolution server of a communication architecture, an information message comprising the identifier of the data server in a first domain, and further comprising a delegation chain, including at least one redirection from a second domain to the first domain,
- a sender able to send to the resolution server a request message for obtaining an identifier of the data server in the second domain and to trigger the reception of the information message.
- This device, capable of implementing the acquisition method just described in all of its embodiments, is intended to be implemented in a terminal, such as a mobile terminal (smartphone, tablet, etc.) or a fixed terminal, such as a computer or even access equipment of a home or professional network (box).
- a terminal such as a mobile terminal (smartphone, tablet, etc.).
- a fixed terminal such as a computer or even access equipment from a home or professional network (box).
- the invention also relates to a device for associating a delegation chain with an information message comprising an identifier of a data server capable of delivering content to a terminal, implemented in a communication architecture and including:
- a receiver capable of receiving from the terminal a request message for obtaining an identifier of the data server in a second domain
- a determination module capable of determining a delegation chain comprising at least one redirection from the second domain to a first domain
- a transmitter capable of transmitting an information message to the terminal, said message comprising the identifier of the data server in the first domain, and further comprising the determined delegation chain.
- This device, capable of implementing the association method just described, is intended to be implemented in a name resolver, for example a DNS resolver, and can be instantiated either in a terminal, fixed or mobile, in access equipment of a home or professional network (box), or in specific equipment of an operator network.
- name resolver: for example a DNS resolver
- the invention also relates to a system for acquiring an identifier of a data server comprising:
- the invention also relates to computer programs comprising instructions for implementing the steps of the respective acquisition methods and
- These programs can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any other desirable form.
- the invention also relates to an information medium readable by a computer, and comprising instructions of the computer programs as mentioned above.
- the information medium can be any entity or device capable of storing the programs.
- the medium may include a storage means, such as a ROM, for example a CD-ROM or a microelectronic circuit ROM, or else a magnetic recording means, for example a floppy disk or a hard disk.
- the information medium can be a transmissible medium such as an electrical or optical signal, which can be routed via an electrical or optical cable, by radio or by other means.
- the programs according to the invention can in particular be downloaded from a network of the Internet type.
- the information medium can be an integrated circuit in which the programs are incorporated, the circuit being adapted to execute or to be used in the execution of the processes in question.
- FIG 1 presents a simplified view of a communication architecture in which the invention is implemented according to one aspect of the invention
- FIG 2 shows the development of a delegation chain, including a set of redirects, according to one aspect of the invention
- FIG. 3 presents an overview of the method of acquiring an identifier of a data server according to an embodiment of the invention
- FIG. 4 shows an example of the structure of an acquisition device according to one aspect of the invention
- Figure 5 shows an example of the structure of an association device according to one aspect of the invention.
- This infrastructure may be fixed or mobile and the invention may be intended for the acquisition of an identifier of a data server for corporate customers or so-called residential or general public customers.
- FIG. 1 presents a simplified view of a communication architecture in which the invention is implemented according to one aspect of the invention.
- a terminal 100 which can be a fixed terminal or a mobile terminal, wishes to obtain content from a remote server using the HTTPS protocol.
- the content of the remote server is as follows: https://www.abc.com.
- the terminal 100 therefore transmits a request for resolution of the name https://www.abc.com to obtain a network identifier, for example an IP (Internet Protocol) address of IPv4 or IPv6 type, corresponding to this name.
- the terminal 100 therefore requests a resolution server 50 to obtain the network identifier of the server storing the content.
- the request for obtaining the identifier of the origin server sent by the terminal 100 may include a delegation parameter indicating in particular that the terminal 100 supports the "delegation" function and instructing the server 50 to obtain information relating to the delegation when resolving the request.
- the resolution server 50 is for example a device of the “DNS (Domain Name System) resolver” type. This DNS resolver can be integrated into the terminal 100, or implemented in a local network to which the terminal 100 is attached, or else operated by an operator managing the access network to which the terminal 100 is attached.
- DNS: Domain Name System
- the resolution server 50, not having a record associating a network identifier (here an address) with the name, initiates a redirection process with a view to establishing a delegation chain to obtain the identifier of a data server hosting the content. It requests a name server 41, for example a DNS server, of the origin domain 40 abc.com to obtain the network identifier, by transmitting a request message comprising the delegation parameter received from the terminal 100.
- name server 41: for example a DNS server
- the resolution server 50 may have been redirected to the name server 41 of the origin domain after having transmitted, to other servers such as the so-called root servers and/or servers of the .com domain, a request allowing it to obtain an identifier of the name server 41, before it can actually reach the name server 41.
- the server 41 determines another domain 30 to which to redirect the resolution server 50.
- the name server 41 responds to the resolution server 50 by transmitting an instruction message indicating that the IP address of a server storing the content can be obtained by transmitting a request to a name server 31 of the domain 30.
- the redirection message thus includes a delegation chain indicating the redirection by domain 40 to domain 30.
- on receipt of this redirection message, the resolution server 50 sends a request message for obtaining the identifier of a server storing the content https://www.abc.com to the name server 31 of the domain 30.
- This request also includes the delegation chain received from the server 41.
- the server 31 responds to the resolution server 50 by redirecting it to the domain name server 21 after having modified the delegation chain with the new redirection added from domain 30 to domain 20. This modified chain is also transmitted to domain 20.
- the resolution server 50 then requests the name server 21, in accordance with the redirection obtained previously and including the modified chain, to obtain the content https://www.abc.com.
- the server 21, knowing the IP address of a server 22 in the domain 20 hosting the content requested by the terminal 100, communicates it to the resolution server 50 in an instruction message further comprising the complete delegation chain from the origin domain 40 to domain 20, that is to say from domain 40 to domain 30 and then from domain 30 to domain 20, the domain in which the data server 22 is able to deliver the content to the terminal 100.
- the resolution server 50 transmits this information message to the terminal 100 which then obtains the IP address of the data server 22 to which to transmit a request for obtaining the content and the complete delegation chain received from the resolution server 50.
- the terminal 100 sends a connection establishment message, such as a message of the HTTP/TLS (Transport Layer Security) type, to the server 22, this message comprising the delegation chain received.
- the three domains 20, 30, 40 shown in Figure 1 are also shown. In this embodiment, the three domains 20, 30, 40 are considered to correspond to CDN networks (Content Delivery Networks), but they could also be operator networks or even
- domain 40 includes a data server from which a terminal, not shown in this figure, wishes to obtain the identifier and then request data.
- the identifier of the domain 40 data server is not transmitted to the terminal but a series of redirects will take place between the different domains 40, 30, 20 so that a data server, closer to the terminal and / or more efficient to meet the demand of the terminal and / or having more resources to transmit the data to the terminal is identified and transmitted to the terminal.
- an identifier of a data server of the CDN 20 domain will be transmitted to the terminal.
- a series of redirects from domain 40 to domain 20 must be set up in a transparent manner for the terminal, which must be able to verify and adapt its behavior according to the redirects.
- the domain 40 known as the origin domain can also validate or not the different redirects, for example as a function of the agreements with the different domains present in the chain which includes successive redirects.
- This figure 2 presents the redirects of a delegation chain as well as the various information potentially present in the chain but does not present the exchanges with a resolution server.
- Figure 2 shows a synthetic view of a redirection process between domains, the elements D1, D2, D3, D4 not representing exchanges between the domains 40, 30, 20 but the principle of developing a chain of delegation from the information of successive redirects.
- when a domain name server 40 receives a request to obtain the identifier (name, IP address, etc.) of a data server hosting content desired by a terminal, the name server (DNS) can either indicate the identifier of a data server (HTTP server, FTP (File Transfer Protocol) server, etc.) of domain 40, or redirect the resolution server, which acts as the terminal's proxy for obtaining the identifier, to a name server in another domain.
- this second option is used by the DNS server of domain 40, which delegates to a DNS server of domain 30 the supply of an identifier of the data server. Domain 40 delegates to domain 30 the response to the request for the identifier sent by the resolution server.
- D1 comprises information for delegation from the domain 40 to the domain 30, this information being transmitted to the resolution server
- D2 comprises information for delegation from the domain 30 to the domain 20, also transmitted to the resolution server.
- the chain includes the information D4 for complete delegation from the domain 40 to the domain 20 including the information D1 and D2 as well as possibly the information D3 for redirecting the domain 20 to itself.
- the delegation chain can thus include a large number of information from successive delegations.
- the complete chain when it includes the D3 information for delegating the domain 20 to itself, allows the resolution server to identify the end of the delegation chain in order to facilitate future processing and thus to indicate that the chain is complete.
- a domain name server thus indicates another domain that the resolution server should request, after having modified the delegation chain with the addition of a redirect to the domain that the resolution server must request.
- the delegation chain D1 comprises, according to an example, a set of elements corresponding to a block, such as:
- Validity: time in seconds since Start time
- Signature algorithm: hash signature + algorithm, the name of the algorithm used to check the delegation chain.
- the possible values are defined in the document IETF RFC 8446 section 4.2.3
- Signature: contains the signature, with a certificate used to authenticate the domain name present in the "From" field of
- the signature field makes it possible to prove the authenticity of each redirection of a delegation chain, implicitly by verifying the content and the identity of the signatory. It is applied iteratively each time a new redirect is added to an existing chain.
- each new block, corresponding to a delegation from one domain to another, acknowledges the previous delegation and proves the authenticity of the new one.
- the private key used to sign each block is that of the certificate of the domain that delegates (From field). It should be noted that the redirection information is made up of the "From" and "To" fields of a block.
- the information of the chain D4 therefore includes the two data blocks D1 and D2, corresponding to the successive delegations from the domain CDN1 (40) to the domain CDN2 (30) and then from the domain CDN2 (30) to the domain CDN3 (20), and possibly a third data block D3 corresponding to the delegation of the domain CDN3 (20) to itself.
- the block redirection information, that is the "From" and "To" fields, must therefore be present, while the other block information, relating to the duration of the delegation and to security, is optional.
- the chains, made up of blocks, are received by the domain name servers from a resolution server, then modified by adding a block comprising a redirection and possibly a lifetime of the chain as well as a signature, then returned to the resolution server.
- the resolution server requests a domain name server 40 and receives in return a redirection message comprising a delegation chain containing the redirection information D1 to the domain 30.
- the resolution server sends a message for obtaining the identifier of the data server, comprising the received chain, to a name server of domain 30.
- this name server, not being in a domain comprising an identifier of the data server, identifies a domain to which to redirect the resolution server and modifies the chain by adding the data block D2. It sends the chain (D1 + D2) in an instruction message to the resolution server.
- the resolution server requests a name server from the domain 20.
- the domain 20 comprising a data server
- the name server modifies the received chain by adding the block D3 and transmits the modified chain, comprising the data blocks D1, D2, D3 to the resolution server.
- step E1 the terminal 100 transmits a request message for obtaining an identifier of a data server, represented here by a DNS request, to the device 50 which is of the DNS resolver type.
- This DNS request is sent by the terminal 100 to find out the identity of a data server in a given domain capable of delivering content required by the terminal 100.
- the DNS request is for example of the "DNS Query A cdn.co.com" type, and the terminal wishes to obtain an IP address corresponding to the type A (address) record of the domain name
- this request includes a delegation parameter, for example an empty delegation string Delegation (), because no delegation has taken place yet.
- the DNS resolver 50 can be in the terminal 100, in a local network to which the terminal 100 is attached or even in a network managed by an operator.
- the DNS resolver 50 sets up during step E11 a process for determining a delegation chain associated with the acquisition of the identifier of the data server required by the terminal 100. This determination is an iterative process between the resolver DNS 50 and the various domain name servers involved in the redirects included in the delegation chain.
- the DNS resolver following the request sent by the terminal 100 during step E1, sends a request message for an identifier of a data server corresponding to cdn.co.com during step E2.
- this message is actually sent to a DNS server said to be authoritative for the cdn.co.com domain.
- the DNS resolver 50 can request an authoritative DNS server for the .com domain, then an authoritative DNS server for the co.com domain, before requesting a DNS server for the cdn.co.com domain.
- in step E2 the DNS server 41 is identified as the origin server because it is the first DNS server requested by the DNS resolver 50 to obtain the identifier of a data server.
- the DNS resolver 50 includes an empty delegation chain, possibly received from the terminal 100, in the request message transmitted to the DNS server 41.
- the DNS resolver 50 transmits the following message:
- the DNS server 41 modifies the delegation chain by adding a redirection from the domain cdn.co.com to the domain co.cdn1.com.
- the DNS server 41, having determined a domain to which the DNS resolver 50 must be redirected and having modified the chain accordingly in step E21, sends a redirection message to the DNS resolver 50 to inform it that the content can be obtained from the domain co.cdn1.com. It thus creates the first level of delegation, to co.cdn1.com, and has therefore modified the delegation chain by adding a data block to the chain received during step E2.
- This chain can, according to an example, include a period of validity of the chain.
- the chain can also include data for authenticating the chain, such as a certificate of the server 41.
- the redirection message is a DNS CNAME (Canonical Name) message telling the resolver 50 to query an authoritative DNS server of the domain cdn1.co.com.
- the content of the redirection message transmitted by the server 41 to the DNS resolver 50 is as follows:
- the name server 41 has thus implemented a method of modifying the delegation chain with a redirection from the domain cdn.co.com to the domain co.cdn1.com.
- upon receipt of the redirection message, the DNS resolver 50 sends, during step E4, to an authoritative DNS server 31 of the domain cdn1.co.com a request message for the identifier of the domain indicated by the DNS server 41 in its redirection message.
- This request message includes the delegation chain updated by the server 41 during step E21.
- the content of the message transmitted by the resolution server 50 is as follows:
- having determined that it holds a record co.cdn2.com to which the DNS resolver 50 must be redirected to obtain an identifier of a data server, the DNS server 31 modifies, during step E41, the delegation chain received in step E4 with a redirection from co.cdn1.com to co.cdn2.com.
- the DNS server 31 of the domain co.cdn1.com sends an instruction message, corresponding to a redirection, to the DNS resolver 50, this message comprising the delegation chain modified with the addition of the redirection from the domain co.cdn1.com to the domain co.cdn2.com.
- the modification of the chain during step E41 also includes a step of validating the received chain "from: cdn.co.com to: co.cdn1.com", for example by verifying the authenticity of a certificate added by the server 41 of the domain cdn.co.com, and a step of signing the modified chain by signing the data block added to the delegation chain with a private key specific to the server 31.
- the content of the message transmitted by the server 31 during step E5 is as follows:
- the DNS resolver 50 sends, during step E6, a request message for an identifier of a data server in the domain cdn2.co.com to a DNS server 21 of the domain co.cdn2.com.
- the request message includes the delegation string modified by the server 31 and the content of the message is as follows:
- the DNS server 21 is able to indicate to the DNS resolver 50 an identifier of a data server in the domain co.cdn2.com. During step E7, it therefore decides to send an instruction message, in this case a DNS response message comprising the IP address of the data server 22 as well as the delegation chain modified during step E61 with the addition of a delegation from the domain co.cdn2.com to itself.
- the DNS server 21 indeed adds to the chain received from the DNS resolver 50 a redirection of the domain co.cdn2.com towards itself, thus indicating the end of the delegation chain to the devices using this chain.
- the message transmitted during step E7 by the DNS server 21 to the DNS resolver 50 is the following:
- upon reception of the instruction message, the DNS resolver 50 knows the domain co.cdn2.com in charge of delivering the content and the identifier, in this case the IP address, of the server 22 of the domain co.cdn2.com in charge of delivering the content.
- the DNS resolver 50 sends, during step E8, to the DNS server 41 of the domain cdn.co.com a control message comprising the delegation chain modified by the server 21.
- the message sent by the DNS resolver 50 is:
- the server 41 can validate or invalidate the delegation chain thus built. Thus, if a domain in the chain does not have an agreement with the domain cdn.co.com and/or if a domain is not secure, the DNS server 41 can invalidate the chain and send, during step E9, a chain invalidation message comprising for example a parameter indicating that the delegation chain is not valid.
- the DNS resolver 50 may then send a new request to the name server 41 to obtain the identifier of a data server in the domain cdn.co.com, with the chain invalidity parameter thus indicating to the name server 41 either to transmit a new redirection or to transmit to the name resolver 50 an identifier of a name server of the domain cdn.co.com without redirection.
- if the DNS server 41 validates the chain, it transmits a validation message to the DNS resolver 50.
- This validation message, to indicate the validation of the chain, comprises, according to an alternative, a redirection of the domain cdn.co.com to the domain cdn2.co.com.
- the validation message then takes the following form:
- the resolver 50 then transmits to the terminal 100 an information message comprising the identifier of the data server 22. It is, according to this example, a DNS message comprising the IP address of the data server 22 and further comprising the delegation chain built and possibly approved by the server 41.
- the message received by the terminal 100 during the step E9 is as follows:
- the DNS resolver has thus implemented a redirection process making it possible to establish the delegation chain, which in turn made it possible to determine and transmit to the terminal 100 the identifier of the data delivery server 22.
- the delegation chain includes successive redirects between domains.
- the chain transmitted to the terminal 100 comprises a period of validity of the chain.
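The iterative construction of the chain (steps E2 to E7) and the control step at the origin name server (E8/E9) can be modelled end to end. The following is an added example, not code or a message format from the patent: the domains, the field names of the data blocks, the constructed addresses and keys, and the use of a keyed HMAC as a stand-in for each name server's private-key signature are all assumptions of this example.

```python
# Added example (not code or a message format from the patent): a model of the
# iterative delegation-chain construction (steps E2 to E7) and of the control
# step at the origin name server (E8/E9).  Field names, the domains' keys and
# the HMAC stand-in for the per-server private-key signature are assumptions.
import hashlib
import hmac
import json
import time

# Constructed demo keys, one per name-server domain.  In the described scheme
# each name server signs the block it adds with its own private key and a
# verifier checks it against that server's certificate; a keyed HMAC stands in
# for that signature here so the example runs with the standard library only.
KEYS = {
    "cdn.co.com": b"demo-key-41",   # origin name server 41
    "co.cdn1.com": b"demo-key-31",  # intermediate name server 31
    "co.cdn2.com": b"demo-key-21",  # final name server 21
}

# Constructed authoritative name servers: each either redirects to the next
# domain or answers with the address of a data server in its own domain.
NAME_SERVERS = {
    "cdn.co.com": {"redirect": "co.cdn1.com"},
    "co.cdn1.com": {"redirect": "co.cdn2.com"},
    "co.cdn2.com": {"answer": "192.0.2.22"},  # constructed address of data server 22
}


def sign_block(block, key):
    """Signature over every field of the block except the signature itself."""
    body = {k: v for k, v in block.items() if k != "sig"}
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_block(block, now):
    """Check the block's signature against its author's key and its validity period."""
    key = KEYS.get(block["from"])
    if key is None or now > block["expires"]:
        return False
    return hmac.compare_digest(block["sig"], sign_block(block, key))


def make_block(src, dst, now, validity_s=300):
    """Data block added by the name server of `src`: a redirection plus its validity."""
    block = {"from": src, "to": dst, "expires": now + validity_s}
    block["sig"] = sign_block(block, KEYS[src])
    return block


def name_server_reply(domain, chain, now):
    """Handling of a request carrying `chain` by the name server of `domain` (E21, E41, E61)."""
    if chain:
        # Validate the block added by the previous domain before extending the chain (E41).
        prev = chain[-1]
        if prev["to"] != domain or not verify_block(prev, now):
            raise ValueError(f"{domain}: received delegation chain is invalid")
    entry = NAME_SERVERS[domain]
    if "redirect" in entry:
        nxt = entry["redirect"]
        return {"redirect": nxt, "chain": chain + [make_block(domain, nxt, now)]}
    # A domain able to answer redirects to itself, which marks the end of the chain (E61).
    return {"address": entry["answer"], "chain": chain + [make_block(domain, domain, now)]}


def resolve(domain, now=None, max_hops=8):
    """Resolver loop (E2 to E7): follow redirections while carrying the growing chain."""
    now = time.time() if now is None else now
    chain = []
    for _ in range(max_hops):
        reply = name_server_reply(domain, chain, now)
        chain = reply["chain"]
        if "address" in reply:
            return reply["address"], chain
        domain = reply["redirect"]
    raise RuntimeError("too many redirections")


def origin_validates(chain, origin, agreements, now=None):
    """Control step at the origin name server (E8/E9): accept or invalidate the chain."""
    now = time.time() if now is None else now
    if not chain or chain[0]["from"] != origin:
        return False                     # chain must start at the origin domain
    if chain[-1]["from"] != chain[-1]["to"]:
        return False                     # chain must be terminated by a self-redirection
    for prev, cur in zip(chain, chain[1:]):
        if prev["to"] != cur["from"]:
            return False                 # every redirection must continue the previous one
    # Every block must be authentic, unexpired and lead to a domain the origin has an agreement with.
    return all(verify_block(b, now) and b["to"] in agreements for b in chain)


if __name__ == "__main__":
    address, chain = resolve("cdn.co.com")
    print(address, [(b["from"], b["to"]) for b in chain])
    print("origin accepts:", origin_validates(chain, "cdn.co.com", {"co.cdn1.com", "co.cdn2.com"}))
```

The `max_hops` bound in `resolve` and the continuity check in `origin_validates` are the two places where a defender would expect a real resolver and origin server to refuse a chain: the first stops redirection loops between cooperating domains, the second rejects a block whose "from" does not match the previous "to", so a domain cannot insert itself into a chain it was never redirected to.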
- the terminal 100 once it has this information (IP address of the data server 22, redirects and optional parameters of the delegation chain) can, as an alternative, establish a connection with the data server 22.
- the terminal 100 establishes a TLS connection with the data server 22, whose IP address, specific to the domain co.cdn2.com, was transmitted during step E10, by sending a TLS ClientHello message.
- the SNI (Server Name Indication) extension of the TLS ClientHello message includes, for example, the domain name cdn.co.com, because it is the domain initially requested by the terminal 100.
- the TLS ClientHello message also includes the delegation chain received from the DNS resolver 50, thus indicating to the data server 22 that the terminal 100 is requesting it in accordance with a delegation chain received, and possibly approved, by the domain cdn.co.com, the DNS resolver 50 and the terminal 100.
- the content of the TLS Client Hello message is as follows:
- the data server 22 transmits a connection acceptance message to the terminal 100. For example, it transmits a TLS Server Hello message to the terminal 100.
- the data server 22 sends a communication message of at least one certificate associated with the delegation chain to the terminal 100.
- This message is for example a TLS ServerCertificate message containing a certificate of the cdn.co.com domain and the full path of the certificate corresponding to the successive validations of the domains in the delegation chain.
- To this are added, for the terminal 100, a certificate for co.cdn2.com and the delegation chain proving the delegation.
- the terminal 100 thus has a certificate of the domain co.cdn2.com, a delegation chain indicating the successive redirections between domains, and a set of certificates ensuring the authenticity of the domains in the chain.
- the terminal can therefore safely use the certificate of the domain co.cdn2.com for the subsequent exchanges between the terminal 100 and the data server 22, and in particular for the exchanges relating to data encryption keys.
- the TLS ServerCertificate message includes for example the following information:
- the terminal 100 will thus be able to use the delegated domain certificate, co.cdn2.com for "TLS Handshake" exchanges instead of the certificate from the original cdn.co.com domain.
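Before accepting the delegated certificate for the handshake, the terminal can check that what the data server presents is consistent with the chain it carried in its ClientHello. The following is an added example, not code from the patent: certificates are modelled by their subject name only, the ClientHello is a plain dictionary with an assumed extension carrying the chain (the text names no TLS extension), and the chain and certificate list are constructed to match the three redirections described above. The check enforces three things: the chain starts at the SNI name, it is terminated by a self-redirection, and a certificate is present for every domain the chain traverses.

```python
# Added example (not code from the patent): the consistency check a terminal can
# perform on the TLS ServerCertificate message before using the delegated
# domain's certificate.  Certificates are modelled by their subject name only;
# the chain is the list of redirection blocks obtained from the resolver,
# reduced to their "from"/"to" fields.  All names are assumptions.

def build_client_hello(sni, chain):
    """ClientHello as a plain dict: SNI carries the originally requested domain and
    an assumed extension carries the delegation chain (the patent names no extension)."""
    return {
        "sni": sni,
        "delegation_chain": [{"from": b["from"], "to": b["to"]} for b in chain],
    }


def chain_domains(chain):
    """Ordered list of domains traversed by the chain, or None if it is malformed."""
    if not chain or chain[-1]["from"] != chain[-1]["to"]:
        return None  # a well-formed chain ends with a redirection of the final domain to itself
    domains = [chain[0]["from"]]
    for blk in chain:
        if blk["from"] != domains[-1]:
            return None  # each redirection must start where the previous one ended
        if blk["to"] != blk["from"]:
            domains.append(blk["to"])
    return domains


def select_handshake_certificate(client_hello, certificates):
    """Return the subject whose certificate the terminal may use for the handshake, or None.
    `certificates` is the list of subject names found in the ServerCertificate message."""
    domains = chain_domains(client_hello["delegation_chain"])
    if domains is None or domains[0] != client_hello["sni"]:
        return None  # the chain must start at the domain the terminal asked for
    if not all(d in set(certificates) for d in domains):
        return None  # a certificate is expected for every domain in the chain
    return domains[-1]  # the delegated domain's certificate drives the rest of the handshake


# Constructed data: a chain matching the three redirections in the text and the
# subjects of the certificates sent by the data server of the final domain.
DEMO_CHAIN = [
    {"from": "cdn.co.com", "to": "co.cdn1.com"},
    {"from": "co.cdn1.com", "to": "co.cdn2.com"},
    {"from": "co.cdn2.com", "to": "co.cdn2.com"},
]
DEMO_CERTIFICATES = ["cdn.co.com", "co.cdn1.com", "co.cdn2.com"]

if __name__ == "__main__":
    hello = build_client_hello("cdn.co.com", DEMO_CHAIN)
    print(select_handshake_certificate(hello, DEMO_CERTIFICATES))  # co.cdn2.com
```

Returning `None` rather than falling back to the origin domain's certificate is deliberate: a terminal that silently downgrades to cdn.co.com when the delegated certificate set is incomplete would hide a misconfigured or tampered chain instead of surfacing it.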
- the invention thus makes it possible to delegate the supply of an identifier of a data server to a terminal, the data server being in a domain distinct from the domain initially requested by the terminal, by successive redirections between intermediate domains. These redirections form a delegation chain built by successive iterations between a resolution server and the name servers of the different domains involved in the supply.
- the invention thus makes it possible to implement a dynamic and secure delegation between domains without requiring the exchange of private keys between the domains.
- the invention in fact allows the various domains to be able to intervene in the redirection process by the resolution server 50 without prior agreements, each of the domains determining as the redirects go the next domain in the chain and consequently modifying the delegation chain, until a domain decides or is able to transmit the identifier of the data server in its domain to the resolution server 50.
- the terminal can then use the chain information and the chain information authentication data to establish a secure session to the domain finally indicated in the chain.
- the information present in the delegation chain is limited to redirections between domains, but the chain can include additional data relating to the lifetime of the chain and security data relating to the chain, according to the information in the data blocks shown in Figure 2.
- the acquisition device 60 implements the acquisition method, of which various embodiments have just been described.
- Such a device 60 can be implemented in a terminal, such as a mobile terminal (smartphone, tablet, etc.) or a fixed terminal, such as a computer, or even in access equipment of a home or business network (box).
- the device 60 comprises a processing unit 630, equipped for example with a microprocessor μP, and controlled by a computer program 610, stored in a memory 620 and implementing the acquisition method according to the invention.
- the code instructions of the computer program 610 are for example loaded into a RAM memory, before being executed by the processor of the processing unit 630.
- Such a device 60 comprises:
- a receiver 64 capable of receiving, from a resolution server of a communication architecture, an information message comprising the identifier of the data server in a first domain, and further comprising a delegation chain including at least one redirection from a second domain to the first domain,
- a transmitter 63 capable of transmitting to the resolution server a request message for obtaining an identifier of the data server in the second domain and triggering the reception of the information message.
- the association device 80 implements the association method, various embodiments of which have just been described.
- Such an association device 80 can be implemented in a name resolver, for example a DNS resolver, and can be instantiated in a terminal, fixed or mobile, or else in access equipment of a home or business network (box), or in specific equipment of an operator network.
- the device 80 comprises a processing unit 830, equipped for example with a microprocessor μP, and controlled by a computer program 810, stored in a memory 820 and implementing the association method according to the invention.
- the code instructions of the computer program 810 are for example loaded into a RAM memory, before being executed by the processor of the processing unit 830.
- Such an association device 80 includes:
- a receiver 84 capable of receiving from the terminal a request message for obtaining an identifier of the data server in a second domain
- a determination module 82 capable of determining a delegation chain, comprising at least one redirection from the second domain to a first domain
- a transmitter 83 capable of transmitting an information message to the terminal, said message comprising the identifier of the data server in the first domain, and further comprising the determined delegation chain.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR1873343A FR3091097A1 (en) | 2018-12-19 | 2018-12-19 | Method for acquiring a delegation chain relating to the resolution of a domain name identifier in a communication network |
PCT/FR2019/053027 WO2020128238A1 (en) | 2018-12-19 | 2019-12-11 | Method for acquiring a delegation chain relating to resolving a domain name identifier in a communication network |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3900305A1 true EP3900305A1 (en) | 2021-10-27 |
Family
ID=67660147
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP19839392.8A Pending EP3900305A1 (en) | 2018-12-19 | 2019-12-11 | Method for acquiring a delegation chain relating to resolving a domain name identifier in a communication network |
Country Status (5)
Country | Link |
---|---|
US (1) | US11575644B2 (en) |
EP (1) | EP3900305A1 (en) |
CN (1) | CN113196722A (en) |
FR (1) | FR3091097A1 (en) |
WO (1) | WO2020128238A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114422264A (en) * | 2022-02-23 | 2022-04-29 | 深圳市小满科技有限公司 | User website content access method and related equipment |
Family Cites Families (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6976090B2 (en) * | 2000-04-20 | 2005-12-13 | Actona Technologies Ltd. | Differentiated content and application delivery via internet |
US7562153B2 (en) * | 2000-05-12 | 2009-07-14 | AT&T Intellectual Property II, L. P. | Method and apparatus for content distribution network brokering and peering |
US20040044791A1 (en) * | 2001-05-22 | 2004-03-04 | Pouzzner Daniel G. | Internationalized domain name system with iterative conversion |
US20030093523A1 (en) * | 2001-11-15 | 2003-05-15 | Cranor Charles D. | Method for associating clients with domain name servers |
US7289519B1 (en) * | 2002-05-01 | 2007-10-30 | Cisco Technology, Inc. | Methods and apparatus for processing content requests using domain name service |
US8184641B2 (en) * | 2005-07-20 | 2012-05-22 | Verizon Business Global Llc | Method and system for providing secure communications between proxy servers in support of interdomain traversal |
US8713188B2 (en) * | 2007-12-13 | 2014-04-29 | Opendns, Inc. | Per-request control of DNS behavior |
BRPI0815605B1 (en) * | 2007-08-06 | 2020-09-15 | Bernard De Monseignat | METHOD FOR COMMUNICATING DATA USING A COMPUTER DEVICE; METHOD FOR GENERATING A SECOND VERSION OF A DATA COMMUNICATION COMPONENT USING A COMPUTER DEVICE; METHOD FOR COMMUNICATING DATA USING A COMPUTER DEVICE; METHOD FOR CREATING A CERTIFICATE USING A COMPUTER DEVICE; AND METHOD FOR USING A CERTIFICATE USING A COMPUTER DEVICE |
US8937908B2 (en) * | 2010-11-08 | 2015-01-20 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for enabling DNS redirection in mobile telecommunication systems |
US9220051B2 (en) * | 2010-11-08 | 2015-12-22 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatus for enabling DNS redirection in mobile telecommunication systems |
CA2824203C (en) * | 2011-01-12 | 2021-03-30 | Level 3 Communications, Llc | Customized domain names in a content delivery network (cdn) |
US20120185370A1 (en) * | 2011-01-14 | 2012-07-19 | Cisco Technology, Inc. | System and method for tracking request accountability in multiple content delivery network environments |
ES2425626B1 (en) * | 2011-05-12 | 2014-06-05 | Telefónica, S.A. | METHOD FOR DNS RESOLUTION OF CONTENT REQUESTS IN A CDN SERVICE |
US9973590B2 (en) * | 2011-11-26 | 2018-05-15 | Bing Wu | User identity differentiated DNS resolution |
US8909736B1 (en) * | 2012-07-12 | 2014-12-09 | Juniper Networks, Inc. | Content delivery network referral |
US20150089338A1 (en) * | 2013-09-25 | 2015-03-26 | Sony Corporation | System and methods for providing a network application proxy agent |
US10277554B2 (en) * | 2014-03-04 | 2019-04-30 | Cisco Technology, Inc. | Transparent proxy authentication via DNS processing |
WO2016025827A1 (en) * | 2014-08-15 | 2016-02-18 | Interdigital Patent Holdings, Inc. | Edge caching of https content via certificate delegation |
US20160380975A1 (en) * | 2015-06-24 | 2016-12-29 | Cisco Technology, Inc. | Domain Name Service Redirection for a Content Delivery Network with Security as a Service |
US9954816B2 (en) * | 2015-11-02 | 2018-04-24 | Nominum, Inc. | Delegation of content delivery to a local service |
GB2545748B8 (en) * | 2015-12-24 | 2019-09-18 | Num Tech Ltd | Methods, apparatuses, and computer programs for data processing, and hierarchical domain name system zone files |
US10708226B2 (en) * | 2016-01-29 | 2020-07-07 | Verisign, Inc. | Domain name resolution |
US10645057B2 (en) * | 2016-06-22 | 2020-05-05 | Cisco Technology, Inc. | Domain name system identification and attribution |
US10110614B2 (en) * | 2016-07-28 | 2018-10-23 | Verisign, Inc. | Strengthening integrity assurances for DNS data |
FR3061388A1 (en) * | 2016-12-23 | 2018-06-29 | Orange | METHODS OF VALIDATING DELIVERY OF CONTENT AND VERIFYING DELEGATION OF DELIVERY OF CONTENT, DEVICES AND CORRESPONDING COMPUTER PROGRAM PRODUCTS. |
FR3062013A1 (en) * | 2017-01-16 | 2018-07-20 | Orange | METHODS AND DEVICES FOR VERIFYING THE VALIDITY OF A DIFFUSION DELEGATION OF CONTENTS DIGITS |
CA3051471A1 (en) * | 2017-01-27 | 2018-08-02 | Level 3 Communications, Llc | System and method for scrubbing dns in a telecommunications network to mitigate attacks |
US10979387B2 (en) * | 2018-09-04 | 2021-04-13 | Level 3 Communications, Llc | Systems and methods for utilization of anycast techniques in a DNS architecture |
US10834114B2 (en) * | 2018-12-13 | 2020-11-10 | At&T Intellectual Property I, L.P. | Multi-tiered server architecture to mitigate malicious traffic |
FR3091096A1 (en) * | 2018-12-19 | 2020-06-26 | Orange | Method for determining a delegation chain associated with a resolution of a domain name in a communication network |
2018
- 2018-12-19 FR FR1873343A patent/FR3091097A1/en not_active Withdrawn
2019
- 2019-12-11 EP EP19839392.8A patent/EP3900305A1/en active Pending
- 2019-12-11 US US17/415,269 patent/US11575644B2/en active Active
- 2019-12-11 WO PCT/FR2019/053027 patent/WO2020128238A1/en unknown
- 2019-12-11 CN CN201980083518.7A patent/CN113196722A/en active Pending
Also Published As
Publication number | Publication date |
---|---|
CN113196722A (en) | 2021-07-30 |
WO2020128238A1 (en) | 2020-06-25 |
FR3091097A1 (en) | 2020-06-26 |
US11575644B2 (en) | 2023-02-07 |
US20220029952A1 (en) | 2022-01-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2514166B1 (en) | Access to a network for distributing digital content | |
EP3568966B1 (en) | Methods and devices for delegation of distribution of encrypted content | |
EP3568989A1 (en) | Methods and devices for checking the validity of a delegation of distribution of encrypted content | |
EP1762037A2 (en) | Method and system for certifying a user identity | |
WO2018115647A1 (en) | Validation of content delivery and verification of a delegation of delivery of a content | |
EP3900305A1 (en) | Method for acquiring a delegation chain relating to resolving a domain name identifier in a communication network | |
WO2020128239A1 (en) | Method for determining a delegation chain associated with a domain name resolution in a communication network | |
FR2826812A1 (en) | METHOD AND DEVICE FOR SECURING COMMUNICATIONS IN A COMPUTER SYSTEM | |
EP3149902B1 (en) | Technique for obtaining a policy for routing requests emitted by a software module running on a client device | |
WO2024083694A1 (en) | Method for processing a request to resolve at least one name identifier, and corresponding apparatus and computer program | |
EP4128717A1 (en) | Delegation of a naming identifier resolution function | |
WO2023083772A1 (en) | Control and transmission methods, and entities configured to implement these methods | |
EP2446608B1 (en) | Technique of access control by a client entity to a service | |
EP4173252A1 (en) | Method for controlling access to content implemented by a cache server | |
WO2007054657A2 (en) | Method and device for delivering a federation network identifier to a service provider | |
WO2021240098A1 (en) | Method for delegating the delivery of content items to a cache server | |
EP4241416A1 (en) | Method for delegating access to a blockchain | |
WO2024047128A1 (en) | Method, device and system for checking the validity of a message | |
EP4362391A1 (en) | Method for managing access of a user to at least one application, associated computer program and system | |
FR2964524A1 (en) | DATA PROCESSING FOR THE NOTIFICATION OF EQUIPMENT | |
FR2975552A1 (en) | METHOD, COMPUTER PROGRAM, AND COOPTATION DEVICE FOR A SUBSCRIBER OF A SERVICE TO SHARE THIS SERVICE WITH ANOTHER USER | |
EP2474141A1 (en) | Technique for evaluating the collaboration among nodes of a communication network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: UNKNOWN |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
| 17P | Request for examination filed | Effective date: 20210614 |
| AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
| DAV | Request for validation of the european patent (deleted) | |
| DAX | Request for extension of the european patent (deleted) | |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
| 17Q | First examination report despatched | Effective date: 20230719 |