zone key
... secure zone and all data in
the secure zone is signed either by a zone key or by a dynamic update
key tracing its authority ...
... RRs with the signatory field non-zero, and whose zone KEY RR
signatory field indicates that updates are implemented. There are two
...
... CRITERIA: | MODE A | MODE B
=========================+====================+===================
Definition: | Zone Key Off line | Zone Key On line
=========================+====================+===================
...
... =========================+====================+===================
Definition: | Zone Key Off line | Zone Key On line
=========================+====================+===================
Server Workload | Low | High
...
... NXT RRs which covers the zone under the zone key will not cover
dynamically added data. Thus, for type A dynamic secure zones, zone
...
... dynamic updates is more cumbersome since
the authority of their key must be traceable to a zone key and so, in
general, they must securely communicate a new key to the zone
authority ...
... the zone primary server. When authenticated updates succeed, SIGs
under the zone key for the resulting data (including the possible NXT
type bit ...
... RRs so that it can be
falsely denied by a server only to the same extent that static data
can (i.e., if it is within a wild card scope). Because the zone key
is used to sign all the zone data, the information as to who
originated the current state ...
... RR signatory field. In addition, the incorporation of the updates
into the primary master file and their authentication by the zone key
makes them permanent in nature. Maintaining the zone key on-line ...
... authentication by the zone key
makes them permanent in nature. Maintaining the zone key on-line
also means that dynamic update ...
... on-line
also means that dynamic update keys which are signed by the zone key
can be dynamically updated since the zone key is available to
...
... dynamic update keys which are signed by the zone key
can be dynamically updated since the zone key is available to
dynamically sign new values.
...
... 3.1 below. In addition, the zone secure dynamic update mode and
availability of some options is indicated in the zone key. Finally,
a special rule is used in searching for KEYs to validate updates as
...
... non-zero. The bits have the meanings
described below for non-zone keys (see section 3.2 for zone type
keys).
...
... detach, and move zones by creating and deleting NS, glue A, and
zone KEY RR(s). If zero, the key can not authorize any update
...
... Zone type keys are automatically authorized to sign anything in their
zone, of course, regardless of the value of their signatory field.
For zone keys, the signatory field bits have different meanings than
they do for update ...
... dynamic update
for a zone is supported and the other bits in the zone key
signatory field are zero, it must be a one. The meaning of zone
keys where the signatory field has the general bit ...
... bits in the zone key
signatory field are zero, it must be a one. The meaning of zone
keys where the signatory field has the general bit and one or
more other bits ...
... non-zero signatory
fields. In that case, strong and unique name restrictions must be
enforced as long as there is a non-expired zone key being advertised
that indicates mode A with the strong or unique name bit on
...
... bit on
respectively. Mode B updates MUST be supported as long as there is a
non-expired zone key that indicates mode B. Mode A updates may be
treated as mode B updates at server option if non-expired zone keys
...
... non-expired zone key that indicates mode B. Mode A updates may be
treated as mode B updates at server option if non-expired zone keys
indicate that both are supported.
...
... A server that will be executing update operations on a zone, that is,
the primary master server, MUST not advertize a zone key that will
attract requests for a mode or features that it can not support.
...
... secure zones, all zone data is authenticated by
zone key SIG RRs. In this case, data signatures ...
... secure zone is using by examining the signatory field bits of the
zone KEY RR (see section 3.2).
...
