DNS
... RFC2845]
protocol was developed to provide a lightweight authentication and
integrity of messages between two DNS entities, such as client and
server or server and server. TSIG can be used to protect dynamic
update ...
... by the Client and Server as a part
of the TSIG records exchanged in DNS messages sent between the
Client and Server, as described in [RFC2845 ...
... response in an explicitly specified place in a multi-message exchange
between two DNS entities even if the client's request wasn't signed.
...
... process the current request.
DNS client and server MAY use various underlying security mechanisms
...
... security context as described in sections 3 and 4. At
the same time, in order to guarantee interoperability between DNS
clients and servers that support GSS ...
... CONTEXT HANDLE input_context_handle = 0
INTERNAL NAME targ_name = "DNS@<target_server_name>"
...
... Upon the reception of the TKEY query the DNS server MUST respond
according to the description in Section 4. This section specifies
the behavior of the client ...
... by the policy local to the client. This is a new option that allows
the DNS client to accept multiple answers for one query ID and select
...
... query response with a TKEY
record in the Answer section. If the DNS message error is not
NO_ERROR or the error field in the TKEY ...
... delete the established context on
the DNS server by using TKEY RR with the Mode field set to 5, i.e.,
...
... RFC2845]. The data to be passed to the signature routine
includes the whole DNS message with specific TSIG variables appended.
For the exact format, see [RFC2845 ...
... CONTEXT HANDLE input_context_handle = 0
INTERNAL NAME targ_name = "DNS@server.example.com"
OCTET STRING input_token = NULL
...
... client stores context_handle that
maps to "DNS@server.example.com" and proceeds to the next step.
II. Client ...
... context_handle stored
in the client's mapping table entry (DNS@server.example.com.,
789.client.example.com.server.example.com., context ...
... client.example.com.server.example.com., context_handle)
INTERNAL NAME targ_name = "DNS@server.example.com"
OCTET STRING input_token = token ...
... RFC2478] enables client
and server to negotiate and choose such underlying security
mechanisms on the fly. To support such flexibility, DNS clients and
servers SHOULD specify SPNEGO mech_type in their GSS ...
... In addition to these, GSS APIs used by DNS client and server MAY also
support other underlying security mechanisms ...
