public key
... DNS security extensions provide origin authentication and
integrity protection for DNS data, as well as a means of public key
distribution. These extensions do not provide confidentiality.
...
... Authentication Chain: An alternating sequence of DNS public key
(DNSKEY) RRsets and Delegation Signer ...
...
Authentication Key: A public key that a security-aware resolver has
verified and can therefore use to authenticate ...
... authentication keys in three
ways. First, the resolver is generally configured to know about
at least one public key; this configured data is usually either
the public key itself or a hash ...
... at least one public key; this configured data is usually either
the public key itself or a hash of the public key as found in the
...
... trust anchor"). Second, the resolver may use an
authenticated public key to verify a DS RR and the DNSKEY RR to
...
... which the DS RR refers. Third, the resolver may be able to
determine that a new public key has been signed by the private key
corresponding to another public key ...
... public key has been signed by the private key
corresponding to another public key that the resolver has
verified. Note that the resolver must always be guided by local
policy when deciding whether to authenticate ...
... verified. Note that the resolver must always be guided by local
policy when deciding whether to authenticate a new public key,
even if the local policy is simply to authenticate any new public
key ...
... public key,
even if the local policy is simply to authenticate any new public
key for which the resolver is able to verify the signature.
...
... algorithms. If a
security-aware resolver reliably learns a zone's public key, it can
authenticate that zone's signed data ...
...
A security-aware resolver can learn a zone's public key either by
having a trust anchor configured into the resolver or by normal DNS ...
... private keys
used to sign zone data must be kept secure and should be stored
offline when practical. To discover a public key reliably via DNS
resolution, the target ...
... information by forming an authentication chain from a newly learned
public key back to a previously known authentication public key,
...
... public key back to a previously known authentication public key,
which in turn either has been configured into the resolver or must
have been learned and verified previously. Therefore, the resolver
...
... DNS reply message along
with the public key itself, provided that there is space available in
the message.
...
... RRset resides at a delegation
point in a parent zone and indicates the public key(s) corresponding
to the private key(s) used to self-sign the DNSKEY ...
... root of the DNS hierarchy down to the leaf zones based
on configured knowledge of the public key for the root. Local
policy, however, may also allow a security-aware ...
... public keys) other than
the root public key, may not provide configured knowledge of the root
public key ...
... public key, may not provide configured knowledge of the root
public key, or may prevent the resolver from using particular public
keys for arbitrary reasons, even if those public keys are properly
...
