authentication
...
The DNS security extensions provide origin authentication and
integrity protection for DNS data, as well as a means of public key
...
... of another DNSKEY RR and this new DNSKEY RR is authenticated by
matching the hash in the DS RR. This new DNSKEY RR in turn
authenticates another DNSKEY RRset and, in turn, some DNSKEY RR in
this set may be used to authenticate another DS RR, and so forth
until the chain finally ends with a DNSKEY RR ...
... public key that a security-aware resolver has
verified and can therefore use to authenticate data. A
security-aware resolver can obtain authentication keys in three
ways. First, the resolver is generally configured to know about
at least one public key ...
... DS RR (see "trust anchor"). Second, the resolver may use an
authenticated public key to verify a DS RR and the DNSKEY RR ...
... public key that the resolver has
verified. Note that the resolver must always be guided by local
policy when deciding whether to authenticate a new public key,
even if the local policy is simply to authenticate any new public
key for which the resolver is able to verify the signature.
...
... Island of Security: Term used to describe a signed, delegated zone
that does not have an authentication chain from its delegating
parent. That is, there is no DS RR containing a hash ...
... security is served by security-aware name servers and
may provide authentication chains to any delegated child zones.
Responses from an island of security or its descendants can only
be authenticated if its authentication keys can be authenticated
by some trusted means out of band from the DNS protocol.
...
... Key Signing Key (KSK): An authentication key that corresponds to a
private key used to sign one or more other authentication keys for
a given zone. Typically, the private key corresponding to a key
...
... period in order to provide a more stable secure entry point into
the zone. Designating an authentication key as a key signing key
is purely an operational issue: DNSSEC validation ...
... signing keys and other DNSSEC
authentication keys, and it is possible to use a single key as
both a key signing key and a zone signing key ...
... hash as
a starting point for building the authentication chain to a signed
DNS response. In general, a validating resolver will have to
...
... Zone Signing Key (ZSK): An authentication key that corresponds to a
private key used to sign a zone. Typically, a zone signing key ...
... validity
lifetime. Designating an authentication key as a zone signing key
is purely an operational issue; DNSSEC validation ...
... zone signing keys and other DNSSEC
authentication keys, and it is possible to use a single key as
both a key signing key and a zone signing key ...
... DNS) security extensions provide origin
authentication and integrity assurance services for DNS data,
including mechanisms for authenticated denial of existence of DNS
data. These mechanisms are described below.
...
... Data Origin Authentication and Data Integrity ...
...
DNSSEC provides authentication by associating cryptographically
generated digital signatures with DNS ...
... security-aware resolver reliably learns a zone's public key, it can
authenticate that zone's signed data. An important DNSSEC concept is
...
... Public
keys for DNS transaction authentication mechanisms may also appear in
zones, as described in [RFC2931], but DNSSEC ...
... resolution, the target key itself has to be signed by either a
configured authentication key or another key that has been
authenticated previously. Security-aware resolvers authenticate zone
information by forming an authentication chain from a newly learned
public key back to a previously known authentication public key,
which in turn either has been configured into the resolver or must
...
... trust anchor is a zone signing key, then it will
authenticate the associated zone; if the configured key is a key
signing key, it will authenticate a zone signing key. If the
configured trust anchor ...
... DNS query. To
help security-aware resolvers establish this authentication chain,
security-aware name servers attempt to send the signature(s) needed
to authenticate a zone's public key(s) in the DNS reply message ...
... DNSKEY RRset to sign the child zone's data. The
typical authentication chain is therefore
DNSKEY->[DS ...
... DS->DNSKEY subchains. DNSSEC permits more complex authentication
chains, such as additional layers of DNSKEY RRs signing ...
...
A security-aware resolver normally constructs this authentication
chain from the root of the DNS ...
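The chain the excerpts on this page describe (a trust anchor vouching for a DNSKEY, that DNSKEY signing the zone's DNSKEY RRset, a DS in the parent vouching for the child's key, and finally a zone key signing the requested RRset), together with the island-of-security, local-policy and KSK/ZSK points from the definitions earlier on the page, as an added Python example that is not text or code from RFC 4033. The canonical owner-name encoding, the DS digest (RFC 4034 section 5.1.4) and the key tag (RFC 4034 Appendix B) are the real computations; RRSIG verification is replaced by a stand-in HMAC keyed with the DNSKEY public-key bytes so the walk runs offline without an asymmetric-crypto library, and every zone name and key byte string below is constructed for the demo:

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Added example, not RFC 4033 text.  Real parts: canonical owner-name encoding,
# DS digest (RFC 4034 s5.1.4), key tag (RFC 4034 Appendix B).  Stand-in part:
# RRSIG verification is HMAC-SHA256 keyed with the DNSKEY public-key bytes so
# the chain walk runs offline.  All zone names and key bytes are constructed.

def canonical_wire_name(name):
    """Lowercase, length-prefixed labels ending with the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int            # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    public_key: bytes
    protocol: int = 3
    def rdata(self):
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key
    def key_tag(self):
        ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(self.rdata()))
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

@dataclass(frozen=True)
class DS:
    owner: str            # the delegated child zone
    key_tag: int
    algorithm: int
    digest_type: int      # 2 = SHA-256
    digest: bytes

def ds_digest(key):
    """SHA-256(canonical owner name || DNSKEY RDATA), RFC 4034 s5.1.4."""
    return hashlib.sha256(canonical_wire_name(key.owner) + key.rdata()).digest()
def make_ds(key):
    return DS(key.owner, key.key_tag(), key.algorithm, 2, ds_digest(key))

def toy_sign(key, data):          # stand-in for producing an RRSIG
    return hmac.new(key.public_key, data, "sha256").digest()
def toy_verify(key, data, sig):   # stand-in for verifying an RRSIG
    return hmac.compare_digest(toy_sign(key, data), sig)

def dnskey_rrset_bytes(keys):
    return b"".join(sorted(k.rdata() for k in keys))

@dataclass
class Zone:
    name: str
    dnskeys: list                  # the zone's DNSKEY RRset
    dnskey_sig: bytes              # RRSIG over that RRset, made with the KSK
    ds_for_children: dict = field(default_factory=dict)   # child apex -> DS
    data: dict = field(default_factory=dict)              # name -> (rdata, sig)

def make_zone(name, ksk_bytes, zsk_bytes, records):
    ksk, zsk = DNSKEY(name, 257, 13, ksk_bytes), DNSKEY(name, 256, 13, zsk_bytes)
    data = {n: (rd, toy_sign(zsk, rd)) for n, rd in records.items()}
    return Zone(name, [ksk, zsk], toy_sign(ksk, dnskey_rrset_bytes([ksk, zsk])), {}, data)

def zone_path(name, zones):
    """Zones from the root down to the deepest configured zone containing name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    path = [zones["."]]
    for i in range(len(labels) - 1, -1, -1):
        apex = ".".join(labels[i:]) + "."
        if apex in zones:
            path.append(zones[apex])
    return path

def validate(name, zones, trust_anchors):
    """Walk DNSKEY->[DS->DNSKEY]*->RRset from the root to `name`.  trust_anchors
    holds the DS records the resolver trusts a priori (its local policy); any of
    them can start the chain at its zone, including at an island of security."""
    chain = zone_path(name, zones)
    for i, zone in enumerate(chain):
        ds = next((d for d in trust_anchors if d.owner == zone.name), None)
        if ds is None and i > 0:
            ds = chain[i - 1].ds_for_children.get(zone.name)
        if ds is None:
            return False, f"{zone.name} is an island of security: no DS in parent, no trust anchor"
        ksk = next((k for k in zone.dnskeys if k.key_tag() == ds.key_tag
                    and k.algorithm == ds.algorithm and ds_digest(k) == ds.digest), None)
        if ksk is None:
            return False, f"no DNSKEY in {zone.name} matches DS key tag {ds.key_tag}"
        if not toy_verify(ksk, dnskey_rrset_bytes(zone.dnskeys), zone.dnskey_sig):
            return False, f"DNSKEY RRset of {zone.name} fails its signature check"
    leaf = chain[-1]
    if name not in leaf.data:
        return False, f"{name} is not present in {leaf.name}; a negative answer needs an NSEC proof"
    rdata, sig = leaf.data[name]
    if any(toy_verify(k, rdata, sig) for k in leaf.dnskeys):   # KSK/ZSK split is operational only
        return True, "secure"
    return False, "bogus: RRSIG verifies under no authenticated DNSKEY"

def build_sample():
    """Constructed root -> example. -> island.example.; example. publishes no DS for the island."""
    root = make_zone(".", b"root-ksk", b"root-zsk", {})
    example = make_zone("example.", b"example-ksk", b"example-zsk", {"www.example.": b"\xc0\x00\x02\x01"})
    island = make_zone("island.example.", b"island-ksk", b"island-zsk", {"www.island.example.": b"\xc0\x00\x02\x02"})
    root.ds_for_children["example."] = make_ds(example.dnskeys[0])
    zones = {z.name: z for z in (root, example, island)}
    return zones, [make_ds(root.dnskeys[0])], make_ds(island.dnskeys[0])
```

validate() refuses to go past a zone for which neither the parent's DS nor the trust-anchor set vouches, which is exactly the island-of-security case; adding a DS for that zone to the trust anchors (the out-of-band step the definition calls for) makes the same answer validate, and a tampered RRset fails even though every key in the chain is authenticated. Because any authenticated DNSKEY may verify the final RRSIG, the code also shows why the KSK/ZSK split is an operational convention rather than something validation enforces.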
... security mechanism described in Section 3.1 only provides a way
to sign existing RRsets in a zone. The problem of providing negative
responses with the same level of authentication and integrity
requires the use of another new resource record type, the NSEC
record ...
... NSEC record allows a security-aware resolver to
authenticate a negative reply for either name or type non-existence
with the same mechanisms used to authenticate other DNS replies. Use
of NSEC records ...
... the types of RRsets present at existing names. Each NSEC record is
signed and authenticated using the mechanisms described in Section
3.1.
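The two negative proofs an NSEC record carries, name non-existence and type non-existence, as an added Python example that is not text or code from RFC 4033. It implements the canonical name ordering of RFC 4034 section 6.1 and the windowed type bitmap of RFC 4034 section 4.1.2, and assumes the NSEC RRs handed to it have already had their RRSIGs validated as in section 3.1; the three-name zone and its NSEC chain are constructed for the demo:

```python
# Added example: NSEC-based authenticated denial of existence.  Assumes the
# NSEC RRs passed in were already verified against an authenticated DNSKEY.
A, NS, SOA, MX, AAAA, RRSIG, NSEC, DNSKEY = 1, 2, 6, 15, 28, 46, 47, 48

def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical order: labels compared right to
    left, case-insensitively, as unsigned octet strings; a name sorts before
    any name that extends it.  (Escaped-octet labels are not handled here.)"""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def encode_type_bitmap(types):
    """RFC 4034 s4.1.2 window-block encoding of a set of RR type numbers."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
        while bits and bits[-1] == 0:      # trailing zero octets are omitted
            bits.pop()
        out += bytes([window, len(bits)]) + bytes(bits)
    return out

def types_in_bitmap(bitmap):
    """Inverse of encode_type_bitmap: the set of types present at the owner."""
    types, i = set(), 0
    while i < len(bitmap):
        window, length = bitmap[i], bitmap[i + 1]
        for j, octet in enumerate(bitmap[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((window << 8) | (j * 8 + bit))
        i += 2 + length
    return types

def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between owner and next_name.  The last NSEC
    of a zone points back to the apex, which sorts before its owner, so the
    comparison wraps: anything after owner (or before the apex) is covered."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n

def prove_nonexistence(nsec_rrs, qname, qtype):
    """Return 'NODATA', 'NXDOMAIN', or None (no proof, or the RRset exists).
    nsec_rrs: iterable of (owner, next_name, type_bitmap_bytes)."""
    q = canonical_key(qname)
    for owner, next_name, bitmap in nsec_rrs:
        if canonical_key(owner) == q:            # name exists: check the type
            return None if qtype in types_in_bitmap(bitmap) else "NODATA"
        if nsec_covers(owner, next_name, qname):
            return "NXDOMAIN"
    return None

# Constructed NSEC chain for a zone "example." with two names below the apex;
# the last record wraps back to the apex.
SAMPLE_NSEC = [
    ("example.",       "alpha.example.", encode_type_bitmap({NS, SOA, RRSIG, NSEC, DNSKEY})),
    ("alpha.example.", "www.example.",   encode_type_bitmap({A, RRSIG, NSEC})),
    ("www.example.",   "example.",       encode_type_bitmap({A, AAAA, RRSIG, NSEC})),
]
```

prove_nonexistence() is only as good as the signatures on the records it is given: an unsigned NSEC proves nothing, which is why the excerpt stresses that each NSEC is signed with the section 3.1 mechanisms. A complete NXDOMAIN proof under RFC 4035 additionally needs an NSEC showing that no wildcard at the closest encloser matches the name; this single-record span check does not cover that case.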
...
The DNS security extensions provide data and origin authentication
for DNS data. The mechanisms outlined above are not designed to
...
... mandatory-to-implement algorithm(s). Security-aware resolvers must
also be capable of forming an authentication chain from a newly
learned zone back to an authentication key, as described above. This
process might require additional queries to intermediate DNS zones ...
... trust anchor as the
starting point from which it will attempt to establish authentication
chains.
...
... name servers and its communication channel to them may choose to
examine the setting of the Authenticated Data (AD) bit in the message
header ...
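Reading the Authenticated Data (AD) bit the excerpt refers to, as an added Python example that is not text or code from RFC 4033. It decodes the 12-octet DNS message header of RFC 1035, with the AD and CD bits at the positions RFC 2535 carved out of the former Z field, and wraps the check in the caveat the excerpt makes: a stub resolver may rely on AD only when it trusts both the validating resolver and its channel to it. The resolver identifiers and the two sample headers are constructed:

```python
import struct

# Added example.  Masks for the flags word of the DNS header (RFC 1035 s4.1.1);
# AD and CD occupy two bits of the original Z field (RFC 2535, kept by RFC 4035).
FLAGS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100,
         "RA": 0x0080, "AD": 0x0020, "CD": 0x0010}

def parse_header(msg):
    """Decode the 12-octet DNS header into id, flag set, opcode, rcode, counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-octet header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "flags": {name for name, mask in FLAGS.items() if flags & mask},
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def answer_is_authenticated(msg, resolver, trusted_validators):
    """A non-validating stub may treat AD as meaningful only when the response
    came from a validating resolver it trusts over a channel it trusts (e.g. a
    validator on the same host, or one reached over an authenticated transport).
    `resolver` and `trusted_validators` are constructed identifiers for the demo."""
    return "AD" in parse_header(msg)["flags"] and resolver in trusted_validators

# Constructed response headers: QR|RD|RA|AD (validated) and QR|RD|RA (not validated).
VALIDATED = struct.pack("!6H", 0x1234, 0x81A0, 1, 1, 0, 1)
UNVALIDATED = struct.pack("!6H", 0x1235, 0x8180, 1, 1, 0, 1)
```

The AD bit is set by the validator, not by the authoritative server, so a response with AD set that arrives from an untrusted resolver or over an unauthenticated path tells the stub nothing; answer_is_authenticated() therefore requires the sender to be on the trusted list before honouring the flag.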
...
The "Transaction Authentication Protocol" document set refers to the
group of documents that deal with DNS message authentication,
including secret key establishment and verification ...
... security records and DNS protocol
modifications. The extensions provide data origin authentication and
data integrity using digital signatures ...
... name server that is not security-aware. If there is a break in the
authentication chain such that a security-aware resolver cannot
obtain and validate the authentication keys it needs, then the
security-aware resolver cannot validate ...
... RRs in the parent
zone) are not signed. This does not pose a problem when validating
the authentication chain, but it does mean that the non-authoritative
data itself is vulnerable to tampering during zone transfer
operations. Thus, while DNSSEC can provide data origin
authentication and data integrity for RRsets, it cannot do so for
zones, and other mechanisms (such as TSIG ...
... Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000 ...
... Wellington, B. and O. Gudmundsson, "Redefinition of DNS Authenticated Data (AD) bit", RFC 3655, November 2003 (obsoleted by RFC 4033, 4034, 4035) ...
