1 - 2 - 8 - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W - Z
authentication
Click on the red underlined text to get to the source
...
Section 2 provides an overview of the extensions and the key
distribution, data origin authentication, and transaction and request
security ...
... DNS responses, and file representation. These
resource records are used to authenticate other resource records in
the DNS ...
... resource record and its use in DNS
responses. The NXT RR permits authenticated denial in the DNS of the
existence of a name or of a particular type for an existing name.
...
... services: key distribution as described in Section 2.2
below, data origin authentication as described in Section 2.3 below,
and transaction and request authentication ...
... data origin authentication as described in Section 2.3 below,
and transaction and request authentication, described in Section 2.4
below.
...
... public key distribution
mechanism in support of the DNS data origin authentication and other
security services.
...
... Data Origin Authentication and Integrity ...
...
This data origin authentication key belongs to the zone and not to
the servers that store copies of the data. That means compromise of
a server or even all servers for a zone will not necessarily affect
...
... be configured with at least the public key of one zone that it can
use to authenticate signatures. From there, it can securely read the
public keys ...
... CNAME referrals from a secure zone can not be
authenticated if they are from non-security aware servers (see
Section 2.3.5).
...
... If signatures are always separately retrieved and verified when
retrieving the information they authenticate, there will be more
trips to the server and performance will suffer. To avoid this,
...
... RRs
in a zone. "Data origin" authentication is not obviously provided
for the non-existence of a domain name in a zone or the non-existence
...
... dynamic update
where an entity is permitted to authenticate/update its own records.
The public key ...
... entity's key. The other is for support of transaction and request
authentication as described in Section 2.4 immediately below.
...
... header bits are falsely set by a server, there is little that can
be done. However, it is possible to add transaction authentication.
Such authentication means that a resolver can be sure it is at least
...
... transaction authentication.
Such authentication means that a resolver can be sure it is at least
getting messages from the server it thinks it queried, that the
response is from the query ...
...
Because requests and replies are highly variable, message
authentication SIGs can not be pre-calculated. Thus it will be
necessary to keep the private key on-line ...
... Bit 0 and 1 are the key "type" field. Bit 0 a one indicates
that use of the key is prohibited for authentication. Bit 1 a one
indicates that use of the key is prohibited for confidentiality ...
... indicates that use of the key is prohibited for confidentiality. If
this field is zero, then use of the key for authentication and/or
confidentiality is permitted. Note that DNS security ...
... confidentiality is permitted. Note that DNS security makes use of
keys for authentication only. Confidentiality use flagging is
provided for use of keys in other protocols. Implementations not
...
... bit a one. It could be used in an security protocol where
authentication of a user was desired. This key might be useful in IP
or other security ...
... could also be used in an IP-security protocol where authentication of
at the host, rather than user, level was desired, such as routing ...
... resource record (RR) is the fundamental way
that data is authenticated in the secure Domain Name System (DNS). As
...
... TTL" field is included in the RDATA portion to avoid
(1) authentication problems that caching servers would otherwise
cause by decrementing the real TTL field and (2) security problems ...
... signature. It is frequently the zone which contained
the RR(s) being authenticated. The signer's name may be compressed
with standard DNS name ...
... class. These
covered RRs are thereby authenticated. To accomplish this, a data
sequence is constructed as follows:
...
... easily recovered. This weakness is not significant for DNS because
we seek only authentication, not confidentiality.
...
...
The above SIG mechanisms assure the authentication of all zone signed
RRs of a particular name, class ...
... verification of the
internal zone signed SIGs in the zone; however, any RRs authenticated
by SIGs signed by entity keys or the like MUST still be validated ...
... contain a special SIG as the last item in the additional information
section to authenticate the transaction.
...
... DNS servers to completely ignore a
query. However, such SIGs may be needed to authenticate future DNS
secure dynamic update ...
... will return, attempt to send the available SIG RRs which authenticate
the requested RR. The following rules apply to the inclusion of SIG ...
... ignored. If all of the SIG RR(s) purporting to authenticate a set of
RRs are invalid, then the set of RR ...
... the checks fail. But even if the checks succeed, such a transaction
authentication SIG does NOT authenticate any RRs ...
... authority to the zone or to static resolver configuration can
authenticate RRs. If a resolver does not implement transaction
...
... Security aware servers must not consider SIG RRs to authenticate
anything after their expiration time and not consider any RR to be
...
... anything after their expiration time and not consider any RR to be
authenticated after its signatures have expired. Within that
constraint ...
... SIG RR in a file as they are a transient
authentication that covers data including an ephemeral transaction
number and so must be calculated in real time.)
...
... SIG RR mechanism described in Section 4 above provides strong
authentication of RRs that exist in a zone. But is it not clear
above how to authenticatably deny the existence of a name in a zone
...
... what real names exist in the zone. This protection from pseudo-zone
transfers is bought at the expense of eliminating the data origin
authentication of the non-existence of names that NXT RRs can
...
... should return the correct NXT automatically when required to
authenticate the non-existence of a name and both NXTs, if available,
on explicit query for type NXT ...
... Data stored at a security aware server needs to be internally
categorized as Authenticated, Pending, or Insecure. There is also a
fourth transient state of Bad which indicates that all SIG ...
... Bad data is not retained at
a security aware server. Authenticated means that the data has a
valid SIG ...
... KEY RRs to a KEY configured at the resolver via its boot file.
Pending data has no authenticated SIGs and at least one additional
SIG the resolver is still trying to authenticate ...
... authenticated SIGs and at least one additional
SIG the resolver is still trying to authenticate. Insecure data is
data which it is known can never be either Authenticated or found Bad
...
... SIG the resolver is still trying to authenticate. Insecure data is
data which it is known can never be either Authenticated or found Bad
because it is in or has been reached via a non-secured zone. Behavior
in terms of control of and flagging based on such data labels is
...
... old servers and resolvers. Thus the responses
of old servers are not flagged as authenticated to security aware
resolvers and queries ...
... bit and thus will be answered by security aware
servers only with authenticated data. Aware resolvers MUST not trust
the AD bit ...
... CD bit clear, security aware servers MUST return only
Authenticated or Insecure data with the AD bit set in the response.
Security ...
... be set on a response unless all of the RRs in the response are either
Authenticated or Insecure.
...
... certified to be non-secure, or only experimentally secure, by the
presence of an authenticated KEY RR for the non-secure zone with the
...
... network connected physically
secure machines only. Periodically an application can be run to add
authentication to a zone by adding SIG and NXT RRs ...
... on-line public key information (or a secure path to such a
resolver) or they will be unable to authenticate.
...
... database to indicate which RRs have been authenticated and to what
extent they have been authenticated, (3) performs additional
...
... RRs have been authenticated and to what
extent they have been authenticated, (3) performs additional
queries as necessary to attempt to obtain KEY, SIG ...
... DNS) protocol to provide data integrity and origin
authentication, public key distribution, and optional transaction and
...