DNS
...
The DNS Security Extensions (DNSSEC) are a collection of new resource
records and protocol modifications that add data origin
authentication and data integrity to the DNS. This document defines
the DNSSEC protocol modifications. Section 2 of this document
...
... resource records.
The reader is also assumed to be familiar with the basic DNS concepts
described in [RFC1034], [RFC1035 ...
... DNSSEC introduces the concept of signed zones. A signed zone
includes DNS Public Key (DNSKEY), Resource Record ...
... of [RFC4034]). Public keys associated with other DNS operations MAY
be stored in DNSKEY RRs that are not marked as zone keys ...
... The DS resource record establishes authentication chains between DNS
zones. A DS RRset SHOULD be present at a delegation ...
... its corresponding DNSKEY RR are in different zones, and because the
DNS is only loosely consistent, temporary mismatches can occur.
The TTL ...
... delegated is signed and seeks to have a chain of authentication to
the parent zone. This is an exception to the original DNS
specification ([RFC1034]), which states that only NS ...
... appear at the parental side of a zone cut.
This specification updates the original DNS specification to allow
NSEC and DS RR types ...
... A security-aware name server that receives a DNS query that does not
include the EDNS OPT pseudo-RR ...
...
DNSSEC does not change the DNS zone transfer protocol. Section 3.1.5
discusses zone transfer requirements.
...
... name server for the
child zone is authoritative for the name at the zone cut by the
normal DNS rules but the child zone does not contain the DS RRset.
...
DNSSEC does not change the DNS zone transfer process. A signed zone
will contain RRSIG, DNSKEY ...
... (failure to re-sign a zone, clock skew, and so forth). Since
requerying will not help in these cases, validating resolvers might
generate a significant amount of unnecessary DNS traffic as a result
of repeated queries ...
... Authenticating DNS Responses ...
... start from an initial key
and use DS RRsets to proceed recursively down the DNS tree, obtaining
other apex DNSKEY RRsets. If the resolver were configured with a
...
... RRset might also differ from
the received RRset due to DNS name compression, decremented TTLs, or
...
... Domain Name field according to the canonical DNS name order
defined in [RFC4034], then no RRsets with the requested name exist
...
... NSEC RRs necessary
to verify the non-existence of the requested RRset. As with all DNS
operations, however, the resolver MUST bound the work it puts into
answering any particular query.
...
... AD bit are restated in this document. No new bits in
the DNS message header are defined in this document.
...
This document describes how the DNS security extensions use public
key cryptography to sign and authenticate DNS resource record sets.
Please see [RFC4033] for terminology and general security
considerations ...
... An active attacker who can set the CD bit in a DNS query message or
the AD bit in a DNS response message can use these bits to defeat the
protection that DNSSEC ...
... This document was created from the input and ideas of the members of
the DNS Extensions Working Group and working group mailing list ...
... Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005. ...
... Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for DNS Security Extensions", RFC 4034, March 2005. ...
... Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, November 2000. ...
... wildcard
RRset expanded as it would be in a traditional DNS response, and the
corresponding RRSIG indicates that the expanded wildcard ...
