authentication
... This memo proposes techniques based on the defined DNS security
mechanisms to authenticate DNS updates.
...
... Transaction SIGs appear at the end of a response. Transaction SIGs
authenticate the response and bind it to the corresponding request
with the key of the host where the responding DNS server ...
... host where the responding DNS server is. Request
SIGs appear at the end of a request and authenticate the request with
the key of the submitting entity.
...
... security is not automatically provided for dynamically added
RRs, where they could be omitted, and authentication is not provided
for the server denial of the existence of a dynamically added type.
Because the dynamically added RRs ...
... KEY RR signatory field. Because dynamic data is only stored in the
online dynamic master file and only authenticated by dynamic keys
which expire, updates are transient in nature. Key rollover for an
entity ...
... For mode B, the zone owner key and master file are kept on-line at
the zone primary server. When authenticated updates succeed, SIGs
under the zone key for the resulting data (including the possible NXT ...
... on-line on
the net. This means that if the primary server is subverted, false
data could be authenticated to secondaries and other
servers/resolvers. On the other hand, this mode of operation means
that data added dynamically is more secure than in mode A. Dynamic
...
... RR signatory field. In addition, the incorporation of the updates
into the primary master file and their authentication by the zone key
makes them permanent in nature. Maintaining the zone key ...
... DNS) server receiving the request to confirm
this, the key or keys must be available to and authenticated by that
server as a specially flagged KEY Resource Record.
...
... RRs must be entity or user keys and not have the
authentication use prohibited bit on. All parts of the actual update
...
... RRs with the same owner name
and class that are authenticated by a SIG signed with a
different dynamic update ...
... signatures can appear in updates. Request signatures,
which are always required, cover the entire request and authenticate
the DNS header, including opcode, counts, etc., as well as the data.
...
