1 - 2 - 8 - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W - Z

security

Click on the red underlined text to get to the source

... Domain Name System (DNS) protocol to support DNS security and public key distribution. It assumes that the reader is familiar with the Domain Name System ...

... data origin authentication, and transaction and request security they provide. ...

... DNS requests. Interactions between resolvers and servers are discussed for all combinations of security aware and security non-aware. Two additional query ...

... Interactions between resolvers and servers are discussed for all combinations of security aware and security non-aware. Two additional query header bits ...

... Section 9 provides a few paragraphs on overall security considerations. ...

2. Overview of the DNS Extensions

... The Domain Name System (DNS) protocol security extensions provide three distinct services: key distribution ...

... DNS data origin authentication and other security services. ...

... Under conditions described in Section 3.7, security aware DNS servers will automatically attempt to return KEY resources as additional ...

... there will be a single private key that signs for an entire zone. If a security aware resolver reliably learns the public key of the zone, it can verify, for signed data ...

... public key by reading it from DNS, the key itself must be signed. Thus, to provide a reasonable degree of security, the resolver must be configured with at least the public key of one zone that it can ...

... secure zone can not be authenticated if they are from non-security aware servers (see Section 2.3.5). ...

... trips to the server and performance will suffer. To avoid this, security aware servers mitigate that degradation by always attempting to send the signature(s) needed. ...

... RRs and delgation point NS RRs. A security aware server supporting the performance enhanced version ...

... performance enhanced version of the DNS protocol security extensions will attempt to return, with RRs retrieved, the corresponding SIGs. If a server does not support the protocol, the ...

... The above security mechanism provides only a way to sign existing RRs in a zone. "Data origin ...

... time-to-live. Unscrupulous servers under this scheme can manipulate the time to live but a security aware resolver will bound the TTL value it uses at the original ...

... database consistency mechanism and, in any case, non-security aware servers that depend on TTL must still be supported. ...

... DNS security would like to view each zone as a unit of data completely under the control of the zone owner and signed by the zone's key. But the operational DNS ...

... There is a significant problem when security related RRs with the same owner name as a CNAME ...

... same owner name as a CNAME RR are retrieved from a non-security-aware server. In particular, an initial retrieval for the CNAME or any ...

... In general, security aware servers MUST be used to securely CNAME in DNS ...

... CNAME in DNS. Security aware servers must (1) allow KEY, SIG, and NXT RRs ...

... The private keys used in transaction and request security belongs to the host composing the request or reply message ...

3. The KEY Resource Record

... authenticated by a SIG RR. Security aware DNS implementations MUST be designed to handle at least two ...

... authentication and/or confidentiality is permitted. Note that DNS security makes use of keys for authentication only. Confidentiality ...

... bit will be one. If this bit is a zero, it means that the use or availability of security based on the key is "mandatory". Thus, if this bit is off for a zone key ...

... or end entity, it might sometimes operate in a secure mode and at other times operate without security. The experimental bit, like all ...

... domain and the user bit a one. It could be used in an security protocol where authentication of a user was desired. This key might be useful in IP ...

... authentication of a user was desired. This key might be useful in IP or other security for a user level service such a telnet, ftp, ...

... host. It could also be used in an IP-security protocol where authentication of at the host ...

... that this key is valid for use in conjunction with that security standard. This key could be used in connection with secured ...

... valid for use in conjunction with MIME security multiparts. This key could be used in connection with secured communication on ...

... algorithm" for use where the expiration date or other labeling fields of SIGs are desired without any actual security. It is anticipated that this algorithm will only be used in connection ...

... 0 0 0 Illegal, claims key but has bad algorithm field. 0 0 1 Specifies total lack of security for owner. 0 x 0 Illegal, claims key but has bad algorithm field. ...

... x 0 1 Useless. Denies key but for no protocols. x x 0 Specifies key for protocols and asserts that those protocols are implemented with security. x x 1 Algorithm not understood for protocol. ...

... SIG RR from a security aware server. ...

... Security aware DNS servers MUST include KEY RRs as additional ...

4. The SIG Resource Record

... Domain Name System (DNS). As such it is the heart of the security provided. ...

... signature fields of the SIG are desired without any actual security. It is anticipated that this algorithm will only be used in connection ...

... authentication problems that caching servers would otherwise cause by decrementing the real TTL field and (2) security problems that unscrupulous servers could otherwise cause by manipulating the real TTL ...

... For purposes of DNS security, the canonical form for an RR is the RR ...

... For purposes of DNS security, the canonical order for RRs is to sort ...

... RRs of a particular name, class and type. However, to efficiently assure the completeness and security of zone transfers, a SIG RR ...

... A response message from a security aware server may optionally contain a special SIG as the last item in the additional information ...

... Security aware DNS servers MUST, for every authoritative RR the query ...

... 1. a security aware resolver that receives a response from what it believes to be a security aware server via a secure communication ...

... 1. a security aware resolver that receives a response from what it believes to be a security aware server via a secure communication with the AD bit (see Section 6.1) set, MAY choose to accept the ...

... RRs. 2. in other cases, a security aware resolver SHOULD verify the SIG RRs ...

... Implementers might expect the above SHOULD to be a MUST. However, local policy or the calling application may not require the security services. 3. If SIG ...

... Security aware servers must not consider SIG RRs to authenticate ...

5. Non-existent Names and Types

... SIG are returned in the authority section, along with the error, if the server is security aware. The same is true for a non-existent type under an existing name. This is a change in the existing standard which contemplates only NS ...

... NXT records in a zone means that any query for any name and any type to a security aware server serving the zone will always result in an reply containing at least one signed RR ...

... Then a query to a security aware server for huge.foo.tld would produce an error reply with the authority section data including ...

... by their signers and next domain name fields. Security aware servers should return the correct NXT automatically when required to ...

6. The AD and CD Bits and How to Resolve Securely

... public keys would normally be configured in a manner similar to that described in Section 6.2. However, as a practical matter, a security aware resolver would still gain some confidence in the results it returns even if it was not configured with any keys but trusted what it got from a local well known server as a starting ...

... Data stored at a security aware server needs to be internally categorized as Authenticated, Pending, or Insecure. There is also a ...

... have explicitly failed on the data. Such Bad data is not retained at a security aware server. Authenticated means that the data has a valid ...

... of old servers are not flagged as authenticated to security aware resolvers and queries from non-security ...

... security aware resolvers and queries from non-security aware resolvers do not assert the checking disabled bit ...

... the checking disabled bit and thus will be answered by security aware servers only with authenticated data. Aware resolvers MUST not trust ...

... either have a secure path to it or use DNS transaction security. ...

... Any security aware resolver willing to do cryptography SHOULD assert the CD bit ...

... DNS latency time by allowing security aware servers to answer before they have resolved the validity of data. ...

... Security aware servers NEVER return Bad data. For non-security aware ...

... Security aware servers NEVER return Bad data. For non-security aware resolvers or security aware resolvers requesting service ...

... Bad data. For non-security aware resolvers or security aware resolvers requesting service by having the CD bit ...

... service by having the CD bit clear, security aware servers MUST return only Authenticated or Insecure data with the AD bit ...

... Authenticated or Insecure data with the AD bit set in the response. Security aware resolvers will know that if data is Insecure versus Authentic by the absence of SIG RRs ...

... Authentic by the absence of SIG RRs. Security aware servers MAY return Pending data to security aware resolvers requesting the ...

... RRs. Security aware servers MAY return Pending data to security aware resolvers requesting the service by clearing the AD bit ...

... A security conscious resolver should completely refuse to step from a secure zone into a non-secure ...

... reached via non-secure zones is a good practice and will, as a practical matter, provide some small increase in security. ...

... that reasonably consistent time be available to the hosts implementing the DNS security extensions. ...

7. Operational Considerations

... There are a number of factors that effect public key size choice for use in the DNS security extension. Unfortunately, these factors usually do not all point in the same direction. Choice of zone key ...

... with the fourth power of the modulus length. The current best algorithms for factoring a modulus and breaking RSA security vary roughly with the 1.6 power of the modulus itself. Thus going from a 640 bit ...

... for the MD5/RSA DNS security algorithm for interoperability purposes. ...

... DNS tree may wish to set a higher minimum, perhaps 1000 bits, for security reasons. (Since the United States National Security Agency generally permits export of encryption ...

... bits, for security reasons. (Since the United States National Security Agency generally permits export of encryption systems using an RSA modulus ...

... be tampered with if the host it resides on is compromised. For maximum security, the master copy of the zone file should be off net and should not be updated based on an unsecured network mediated ...

... DNS transaction security, IPSEC session set-up ...

... lifetime for end entity and useer keys that are used for IP-security or the like and are kept on line is 36 days with the intent that they be replaced monthly or more often. In some cases, an entity ...

8. Conformance

... RRs in responses, (4) suppression of CNAME following on retrieval of the security type RRs, (5) recognize the CD ...

... NXT RRs from non-security aware servers, (4) normally sets the CD query ...

9. Security Considerations

... Security Considerations ...

... public key distribution, and optional transaction and request security. ...

... resource records, retrieved from the DNS. They do not magically solve other security problems. For example, using secure DNS you can have high confidence in the IP address ...

... responding with packets apparently from that address. Any reasonably complete security system will require the protection of many additional facets of the Internet. ...

10. References

... - Network Security: PRIVATE Communications in a PUBLIC World, Charlie Kaufman, Radia Perlman, & Mike Speciner, Prentice Hall Series in Computer Networking and Distributed Communications 1995. ...

... - PKCS #1: RSA Encryption Standard, RSA Data Security, Inc., 3 June 1991, Version 1.4. ...

... - Eastlake, D., Crocker, S., and J, Schiller, "Randomness Requirements for Security", RFC 1750(-> 4086), December 1994. ...

... - Atkinson, R., "Security Architecture for the Internet Protocol", RFC 1825(-> 2401(-> 4301^prop)), August 1995. ...

1 - 2 - 8 - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W - Z

Previous | Next

Frontpage | Contents | Keywords

RFC-Ref.org

Sister Sites

Chess-Ref.org
Law-Ref.org
InChI.info
Zvon.org