DNS
... Dynamic update operations have been defined for the Domain Name
System (DNS) in RFC 2136prop, but without a detailed description of
security for those updates. Means of securing the DNS and using it
for key distribution have been defined in RFC 2065(-> 2535(-> 4035prop | 4034prop | 4033prop)) ...
...
This memo proposes techniques based on the defined DNS security
mechanisms to authenticate DNS ...
... RFC1034, RFC1035] is assumed.
Familiarity with the DNS security and dynamic update proposals will
be helpful.
...
... Overview of DNS Dynamic Update ...
... DNS dynamic update defines a new DNS opcode, new DNS request and
response structure if that opcode is used, and new error codes. An
...
... RRs)
with one or more owner names; however, all testing and changes for
any particular DNS update request are restricted to a single zone.
Updates occur at the primary server for a zone.
...
... Overview of DNS Security ...
... DNS security authenticates data in the DNS by also storing digital
signatures in the DNS as SIG resource records (RRs ...
... authenticate the response and bind it to the corresponding request
with the key of the host where the responding DNS server is. Request
SIGs appear at the end of a request and authenticate the request with
...
... RRs. KEY RRs for zones are stored in their superzone and subzone
servers, if any, so that the secure DNS tree of zones can be
traversed by a security ...
...
A dynamic secure zone is any secure DNS zone containing one or more
KEY RRs that can authorize dynamic updates ...
... update. In order for
the Domain Name System (DNS) server receiving the request to confirm
this, the key or keys must be available to and authenticated ...
... which are always required, cover the entire request and authenticate
the DNS header, including opcode, counts, etc., as well as the data.
Data signatures, on the other hand, appear only among the RRs ...
... signatures occur in the Additional information
section. Each request SIG signs the entire request, including DNS
header, but excluding any other request SIG(s) and with the ARCOUNT
in the DNS header set to what it would be without the request SIGs.
...
... Vixie, P., Editor, Thomson, T., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136prop, April 1997. ...
