RFC 2065:Domain Name System Security Extensions
RFC-Ref

query



... security aware and security non-aware. Two additional query header bits are defined for signaling between ...


... In addition, no effort has been made to provide for any confidentiality for queries or responses. (This service may be available via IPSEC ...
... information, along with those resource records actually requested, to minimize the number of queries needed. ...
... CNAME or CNAMEs encountered in resolving a query. This is a change from the previous DNS standard which prohibited any other RR ...
... authentication means that a resolver can be sure it is at least getting messages from the server it thinks it queried, that the response is from the query it sent, and that these messages have not been diddled in transit. This is accomplished by optionally adding a special SIG ...
... signs the concatenation of the server's response and the resolver's query. ...


... DNS header but not the IP header, concatenated with the entire DNS query message that produced this response, including the query's DNS header but not its IP header ...
... data = full response (less final transaction SIG) | full query ...
... host key, not the zone key) by the requesting resolver shows that the query and response were not tampered with in transit, that the response corresponds to the intended query, and that the response comes from the queried server. ...
... A DNS request may be optionally signed by including one or more SIGs at the end of the query. Such SIGs are identified by having a "type covered" field of zero. They sign the preceding DNS request message ...
... WARNING: Request SIGs are unnecessary for currently defined queries and will cause almost all existing DNS servers to completely ignore a query. However, such SIGs may be needed to authenticate future DNS ...
... Security aware DNS servers MUST, for every authoritative RR the query will return, attempt to send the available SIG RRs ...
... RRs for the RRs of interest. This may involve initiating additional queries for SIG or KEY RRs, especially in the case of ...
... 3. If SIG RRs are received in response to a user query explicitly specifying the SIG type, no special processing is required. ...
... transaction signature of the response and the query that produced the response. It MAY be optionally checked and the message rejected if the checks fail. But even if the checks succeed, such a transaction ...
... TTL is zero. In addition, when RRs are transmitted in a query response, the TTL should be trimmed so that current time plus the TTL ...


... section. NXT RRs will also be returned if an explicit query is made for the NXT type. ...
... The existence of a complete set of NXT records in a zone means that any query for any name and any type to a security aware server serving the zone will always result in a reply containing at least ...
... Then a query to a security aware server for huge.foo.tld would produce an error reply with the authority ...
... SIG) RR appear in the response to this query for huge.foo.tld, which is a non-existent name. ...
... authority information in connection with a query for a non-existent name. ...
... In a secure zone, a resolver can query for the initial NXT associated with the zone name. Using the next domain name ...
... RDATA field from that RR, it can query for the next NXT RR. By repeating this, it can walk through all the NXTs in the zone. If there are no wildcards ...
... wildcards, it can use this technique to find all names in a zone. If it does type ANY queries, it can incrementally get all information in the zone and thus defeat attempts to administratively block zone transfers. ...
... authenticate the non-existence of a name and both NXTs, if available, on explicit query for type NXT. ...
... implementations may only return the NXT from the subzone on explicit queries. ...


... Two previously unused bits are allocated out of the DNS query/response format header. The AD ...
... CD (checking disabled) bit indicates in a query that non-verified data is acceptable to the resolver sending the query. ...
... authenticated to security aware resolvers and queries from non-security aware resolvers do not assert the checking disabled ...
... cryptography SHOULD assert the CD bit on all queries to reduce DNS latency time by allowing ...
... general, the lower such a distance number is, the greater the confidence in the data. Data configured via a boot file directive should be given a distance number of zero. If a query encounters different data for the same query with different distance values, that with a larger value should be ignored. ...


... RRs, (5) recognize the CD query header bit and set the AD query header bit, as appropriate, and (6) proper handling of the two NXT ...
... extent they have been authenticated, (3) performs additional queries as necessary to attempt to obtain KEY, SIG, or NXT RRs ...
... from non-security aware servers, (4) normally sets the CD query header bit on its queries. ...


