authentication
... DNS has recently been
extended [RFC2535] to provide for data origin authentication, and
public key distribution, all based on public key cryptography ...
... security generally requires extensive local caching of keys and
tracing of authentication through multiple keys and signatures to a
pre-trusted locally configured key.
...
... host. It is impractical for these stub resolvers to perform
general [RFC2535] authentication and they would naturally depend on
their caching DNS server to perform such services ...
... In general, these require the same complex public key logic that is
impractical for stubs. This document specifies use of a message
authentication code (MAC), specifically HMAC-MD5 (a keyed hash
function ...
... keyed hash
function), to provide an efficient means of point-to-point
authentication and integrity checking for transactions.
...
... computationally expensive public key cryptography and complex
authentication logic. Secure Domain Name System Dynamic Update
...
... secret key based MACs can be used to
authenticate DNS update requests as well as transaction ...
...
1.5. The authentication mechanism proposed in this document uses
shared secret keys to establish a trust ...
... parties (forge MACs). There is an urgent need to provide simple and
efficient authentication between clients and local servers and this
proposal addresses ...
... proposal addresses that need. This proposal is unsuitable for
general server to server authentication for servers which speak with
many other servers, since key management would become unwieldy with
...
... forwarder"
in common usage -- might use transaction-based authentication when
communicating with its small number of preconfigured "upstream"
...
... servers. Other uses of DNS secret key authentication and possible
systems for automatic secret key distribution may be proposed in
...
... MUST not be cached. TSIG RRs are used for authentication between DNS
entities that have established a shared secret key ...
... TSIG RR is
discarded once it has been used to authenticate a DNS message. The
only message digest ...
... this reason, a host that implements transaction-based authentication
should probably be configured with a "stub resolver" and a local
caching and forwarding name server ...
... RFC2535]. As long as the
shared secret key is not compromised, strong authentication is
provided for the last hop from a local name server ...
...
6.3. This mechanism does not authenticate source data, only its
transmission between two parties who share some secret. The original
source data can come from a compromised zone master or can be
...
... Krawczyk, H., Bellare, M. and R. Canetti, "HMAC-MD5: Keyed-MD5 for Message Authentication", RFC 2104, February 1997. ...
