WO2008116416A1 - Method, device and system for domain name system to update dynamically - Google Patents

Publication number: WO2008116416A1
Application number: PCT/CN2008/070553
Authority: WO, WIPO (PCT)
Other languages: French (fr), Chinese (zh)
Inventor: Chunqiang Li
Original Assignee: Huawei Technologies Co., Ltd.
Application filed by: Huawei Technologies Co., Ltd.
Prior art keywords: domain name, name system, address, client, request message

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5076 Update or notification mechanisms, e.g. DynDNS

Definitions

  • The present invention relates to network security technologies in the field of communication networks, and in particular to a method, apparatus and system for dynamically updating a domain name system.
  • In the Internet, an IP address is usually used as the network-layer identifier of a host.
  • However, an IP address is just a string of numbers.
  • Host names were introduced to make hosts easier to remember.
  • Communication still uses the IP address of the communicating entity, so a host name must be translatable into the corresponding IP address.
  • Originally, the mappings between host names and IP addresses were stored in the hosts.txt file of the Network Information Center (NIC). Because there were few hosts at the time and the file rarely changed, it was enough for other hosts to download the file from the NIC's host once every few days to map host names to IP addresses.
  • DNS: Domain Name System
  • DNSSEC: DNS Security Extension
  • To better adapt to the development of the Internet, the IETF, the international network standards organization, proposed a new version of IP, IPv6.
  • The IPv6 protocol provides a huge address space, which has become the biggest driving force for promoting IPv6.
  • Most applications on the Internet depend on DNS support.
  • DNS is very important in IPv6 networks.
  • Some new IPv6 features are inseparable from DNS support.
  • IPv6 supports address autoconfiguration, a plug-and-play mechanism that lets an IPv6 network interface obtain link-local, site-local and global addresses without any manual intervention and prevents duplicate-address conflicts.
  • IPv6 supports both stateless address autoconfiguration and stateful address autoconfiguration.
  • DHCP: Dynamic Host Configuration Protocol
  • A node that performs stateless autoconfiguration of an IPv6 address (RFC 2462) first determines its own link-local address, then verifies that the link-local address is unique on the link, and finally determines the IPv6 address and other information to be configured.
  • Stateful autoconfiguration and stateless autoconfiguration can coexist and operate together.
  • Cryptographically Generated Addresses (CGA) is a mechanism for generating interface identifiers in IPv6 stateless address autoconfiguration. It is mainly intended to prevent IP address theft and spoofing, and it enhances the security of IPv6 addresses.
  • The basic idea of CGA is to obtain the interface identifier of the IPv6 address by computing a hash of the public key.
  • The corresponding private key can be used to digitally sign messages sent from this address.
  • To verify the association between the IP address and the public key, the verifier needs to know the IP address itself, the public key and the values of the auxiliary parameters.
  • The verifier can then go on to verify messages signed by the owner of the public key. Because the CGA mechanism itself is not certified by a public trusted third party, an attacker can generate a new CGA from any subnet prefix and his own public key. However, an attacker cannot use another party's CGA to send a signed message that passes verification unless he can obtain that party's private key.
  • Users can reach a server in the network through a fixed domain name without caring whether its IP address changes and without remembering its long 128-bit IPv6 address. This requires a correspondence between the domain name and the IP address, so that when a user communicates with the server the corresponding IPv6 address can be obtained from the domain name.
  • When the IP address changes, for example because the network topology changes, the DNS client can automatically send a request to update the IP address to the DNS server, and the DNS server updates the resource record in the DNS database according to that request. Users who later access the client through its domain name can still reach it, because a query for the domain name returns the node's new IP address.
  • The DNS server responds to every request to update an IP address and updates the resource records in the DNS database accordingly, which may make it very easy for an attacker to tamper with legitimate DNS record entries and makes DNS dynamic update insecure.
  • Embodiments of the present invention provide a method, an apparatus and a system for dynamically updating the DNS domain name system. They support stateless autoconfiguration of addresses, automatically generate an IP address from information such as the domain name of the communicating entity, and associate the corresponding domain name, public key and IP address, achieving more secure DNS dynamic update in an IPv6 environment.
  • The domain name system client generates an IP address according to a specific rule;
  • The domain name system client generates a domain name system dynamic update request message according to the IP address and sends it to the domain name system server, carrying the IP address; after receiving the domain name system dynamic update request message, the domain name system server generates a second IP address according to the same rule as the domain name system client, and if the IP address equals the second IP address, address verification is complete;
  • The domain name system server updates the domain name system resource record according to the domain name system dynamic update request message.
  • An address generating unit configured to dynamically generate an IP address from the information of the domain name system client using a cryptographic method;
  • A request message generating unit configured to generate a domain name system dynamic update request message according to the IP address.
  • A domain name system client configured to generate an IP address according to a specific rule, generate a domain name system dynamic update request message according to the IP address, and send the domain name system dynamic update request message, carrying the IP address, to the domain name system server;
  • A domain name system server configured to receive the domain name system dynamic update request message sent by the domain name system client, perform address verification on the message, and update the domain name system resource record according to the message.
  • The embodiment of the invention also discloses a domain name system server, including:
  • A storage unit configured to store domain name system resource records;
  • A receiving unit configured to receive a domain name system dynamic update request message sent by a domain name system client;
  • A parsing unit configured to parse the domain name system dynamic update request message and obtain the information and IP address of the domain name system client;
  • An address generating unit configured to generate a second IP address, according to the same rule as the domain name system client, from the client information obtained by the parsing unit;
  • An address verification unit configured to perform address verification on the domain name system client by determining whether the IP address and the second IP address are the same;
  • A domain name system resource record update unit configured to update the domain name system resource record stored in the storage unit according to the domain name system dynamic update request message.
  • The embodiment of the invention supports stateless configuration of IP addresses. By associating the public key, domain name and IP address of the domain name system client, it uses the generated IP address and the corresponding public key to protect dynamic updates of the domain name system, which enhances the security of DNS dynamic update.
  • FIG. 1 is a system structural diagram of dynamic update of a domain name system according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of a method for dynamically updating a domain name system according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of dynamically generating an IP address by a domain name system client according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a domain name system client according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a domain name system server according to an embodiment of the present invention.
  • Embodiment 1 of the present invention discloses a method for dynamically updating a domain name system.
  • When the network topology changes, the DNS client dynamically generates a new IP address from some of its own information. To ensure that the DNS client's IP address can still be found on the DNS server through its domain name, the DNS client sends a DNS update request message to the DNS server. After receiving the update request message and verifying it, the DNS server updates the IP address corresponding to the DNS client's domain name in its resource record (RR) to the newly generated IP address.
  • FIG. 2 is a detailed flowchart of a method for dynamically updating a domain name system according to an embodiment of the present invention. The procedure for updating an existing DNS resource record on the DNS server also applies to DNS registration, in which a new DNS resource record is created on the DNS server.
  • Step 201: The DNS client dynamically generates a new IP address from its own information using a cryptographic method.
  • FIG. 3 is a flowchart of dynamically generating an IP address by a DNS client according to an embodiment of the present invention.
  • Step 301: Before calculating the IP address, first clear the conflict count.
  • Step 302: Generate an interface identifier using a cryptographic method.
  • Expression can also be empty.
  • PRF(Expression) denotes a function that performs pseudo-random processing on Expression. It may be a function such as SHA-1, SHA-256, CBC-DES or CBC-AES, or the method for generating a cryptographically generated address (CGA) proposed in RFC 3972.
  • The subnet prefix and the interface identifier are concatenated to form the IP address.
  • Step 304: After the DNS client has generated the IP address, perform duplicate address detection. If an address conflict occurs, go to step 305; if not, go to step 306.
  • Step 305: Increment the conflict count by 1, then perform step 302 again to recalculate the IP address.
  • Step 306: The DNS client prepares to send an update request message to the DNS server.
  • Step 202: After generating the IP address, the DNS client generates a DNS dynamic update request message and signs it.
  • After the DNS client generates an IP address using the cryptographic method, it generates a public key resource record (KEY RR) and then generates a DNS dynamic update request message.
  • The message format is as follows: Header
  • Zone indicates the zone to be updated. Prerequisite indicates the preconditions the dynamic update must satisfy: that an RR must exist or not exist, or that an RRSet must exist or not exist. Update indicates the RR or RRSet to be updated. Additional Data contains records related to the update, or records related to the records newly added by this dynamic update operation.
  • After generating the above DNS dynamic update request message, the DNS client signs the entire message with its private key to generate a signature resource record (SIG RR) and appends it to the end of the additional data section. If this is the first time the DNS client uses the DNS domain name for update registration, the generated public key resource record must also be added to the additional data section to notify the DNS server of the public key.
  • SIG RR: signature resource record
  • Step 203: The DNS client sends the signed DNS dynamic update request message, carrying the generated IP address, to the DNS server.
  • The IP address and the domain name of the DNS client together form a resource record, which is added to the Update field of the DNS dynamic update request message.
  • Step 204: The DNS server receives the signed DNS dynamic update request message and parses it.
  • The purpose of the parsing is to obtain the DNS client's information, such as the domain name and subnet mask, and its IP address.
  • Step 205: The DNS server determines from the parsing result whether the DNS client has update request authority. In this embodiment, the DNS server determines whether the IP address carried in the DNS dynamic update request message was generated using a cryptographic method. If so, the DNS client has update request authority and step 206 is performed. If not, the DNS client does not have update request authority and the DNS server rejects the update request.
  • Step 206: The DNS server generates an IP address from the same information, according to the same rules as the DNS client.
  • The DNS server dynamically generates an IP address using the cryptographic method from the DNS client's domain name, subnet prefix, public key and collision count.
  • Step 207: The DNS server determines whether the IP address generated in step 206 is the same as the IP address carried in the DNS dynamic update request sent by the DNS client. If they are the same, step 208 is performed. If not, the DNS server rejects the update request.
  • Step 208: The DNS server verifies the signature resource record in the DNS dynamic update request message using the public key. If verification passes, go to step 209. Otherwise, the DNS server rejects the update request.
  • Step 209: The DNS server completes the update requested by the DNS client, that is, updates the DNS resource record, and sends an update response message to the DNS client.
  • The embodiment of the invention also discloses a system for dynamically updating a domain name system.
  • The system includes a DNS client and a DNS server.
  • The DNS client is configured to dynamically generate an IP address according to a specific rule when the network topology changes or when it performs DNS registration on the DNS server, to generate a DNS dynamic update request message according to the IP address, and to send the DNS dynamic update request message, carrying the IP address, to the DNS server.
  • The DNS client is further configured to sign the DNS dynamic update request message with its private key, generate a signature resource record, and add the generated signature resource record to the DNS dynamic update request message.
  • The DNS client may be further configured to generate a public key resource record and, when it sends a DNS dynamic update request message to the DNS server for the first time, to carry the public key resource record.
  • The DNS server is configured to receive the DNS dynamic update request message sent by the DNS client, perform address verification on the message, and update a DNS resource record according to the message.
  • The DNS server is further configured to perform rights verification on the DNS client according to the DNS dynamic update request message.
  • The DNS server may be further configured to verify the signature resource record in the DNS dynamic update request message according to the public key of the DNS client.
  • The DNS server may be further configured to send an update response message to the DNS client after updating the DNS resource record.
  • The embodiment of the present invention further discloses a domain name system client.
  • FIG. 4 is a schematic structural diagram of a DNS client according to an embodiment of the present invention.
  • The DNS client includes an address generating unit, a request message generating unit, a signing unit, a resource record generating unit, and a sending unit.
  • The address generating unit is configured to dynamically generate an IP address from the information of the DNS client using a cryptographic method when the network topology changes or when the client registers on the DNS server. The specific algorithm is described in the method section.
  • A request message generating unit configured to generate a DNS dynamic update request message according to the IP address, where the update request message uses the message format given in the foregoing method and the new IP address is added in the Update field.
  • A signature unit configured to sign the DNS dynamic update request message with the DNS client's own private key and generate a signature resource record, which is added to the additional data field of the DNS dynamic update request message so that the DNS server can verify the DNS client's signature.
  • The resource record generating unit is configured to generate a public key resource record of the DNS client. If a DNS client uses a domain name for registration for the first time, the public key resource record is added to the additional data field of the DNS dynamic update request message. After receiving the public key resource record, the DNS server uses the public key in it to verify the signature of DNS dynamic update request messages sent for the same domain name.
  • A sending unit configured to send the signed DNS dynamic update request message to the DNS server.
  • The embodiment of the present invention further discloses a domain name system server.
  • FIG. 5 is a schematic structural diagram of a domain name system server according to an embodiment of the present invention.
  • The domain name system server includes a storage unit for storing domain name system resource records.
  • The receiving unit is configured to receive a DNS dynamic update request message sent by the DNS client.
  • The parsing unit is configured to parse the DNS dynamic update request message and obtain the information and IP address of the DNS client, where the information of the DNS client includes the domain name, the subnet prefix, and the like.
  • An address generating unit configured to generate a second IP address, according to the same rule as the DNS client, from the DNS client information obtained by the parsing unit; the second IP address may be generated using a cryptographic method according to the rules in the foregoing method flow.
  • An address verification unit configured to determine whether the IP address and the second IP address are the same, thereby performing address verification on the DNS client. If they are the same, address verification passes. If not, the DNS server rejects the DNS client's update request.
  • A domain name system resource record update unit configured to update the domain name system resource record stored in the storage unit according to the DNS dynamic update request message. When performing a DNS dynamic update, it first searches the storage unit: if a resource record exists for the DNS client's domain name, that record is modified; if no DNS resource record exists for the DNS client's domain name, a new DNS resource record is created.
  • The DNS server further includes a signature verification unit configured to verify, according to the public key of the DNS client, the signature resource record in the DNS dynamic update request message. If the public key matches the private key in the signature resource record, signature verification passes, and the signature verification unit sends the DNS dynamic update request message that passed signature verification to the domain name system resource record update unit.
  • The DNS server further includes a rights verification unit configured to determine, from the DNS client information obtained by the parsing unit, whether the DNS client has permission to request a dynamic DNS update and, if it does, to send the information of the DNS client to the address generating unit.
  • A sending unit configured to send an update response message to the DNS client when the domain name system resource record update unit has updated the domain name system resource record, to notify the client that the update has been completed.
  • The embodiment of the invention supports stateless configuration of IP addresses. By associating the public key, domain name and IP address of the DNS client, it uses the generated IP address and the corresponding public key to protect dynamic updates of the DNS, which enhances the security of DNS dynamic update.
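
The address generation of FIG. 3 and the server-side checks of steps 204 to 207 and 209, as an added example that is not part of the patent text. Assumptions: the layout of Expression (its formula is not reproduced on this page), SHA-256 as the PRF, the first 64 bits of the digest as the interface identifier, a /64 prefix, a retry limit, and all function and class names. Step 208 (signature verification) is not implemented because it needs an asymmetric-crypto library; the example only compares the request's key with the key stored at first registration.

```python
import hashlib
import ipaddress


def generate_address(domain, public_key, subnet_prefix, collision_count):
    """Step 302 plus prefix concatenation: PRF(Expression) -> interface id -> address."""
    net = ipaddress.IPv6Network(subnet_prefix)
    if net.prefixlen != 64:
        raise ValueError("a /64 subnet prefix is required")
    if not 0 <= collision_count <= 255:
        raise ValueError("collision count out of range")
    fields = [
        domain.rstrip(".").lower().encode("ascii"),
        public_key,
        net.network_address.packed[:8],
        bytes([collision_count]),
    ]
    # Assumed Expression layout (not from the patent): each field is
    # length-prefixed so that field boundaries cannot be shifted.
    expression = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    digest = hashlib.sha256(expression).digest()      # PRF = SHA-256
    interface_id = int.from_bytes(digest[:8], "big")  # assumed: first 64 bits
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def client_configure(domain, public_key, subnet_prefix, in_use, max_collisions=2):
    """Steps 301, 302, 304-306: regenerate with a higher conflict count on conflict."""
    for count in range(max_collisions + 1):            # step 301: count starts at 0
        address = generate_address(domain, public_key, subnet_prefix, count)
        if address not in in_use:                      # step 304: set lookup stands in
            return address, count                      # for duplicate address detection
    raise RuntimeError("address conflict persists")    # retry limit is an assumption


def make_request(domain, public_key, subnet_prefix, address, collision_count):
    """The fields the server parses out of the update request in step 204."""
    return {"domain": domain, "public_key": public_key,
            "subnet_prefix": subnet_prefix, "address": str(address),
            "collision_count": collision_count}


class UpdateServer:
    def __init__(self):
        self.records = {}   # domain name -> current address
        self.keys = {}      # domain name -> public key seen at first registration

    def handle_update(self, req):
        try:
            claimed = ipaddress.IPv6Address(req["address"])
            # Step 206: regenerate from the same inputs with the same rule.
            expected = generate_address(req["domain"], req["public_key"],
                                        req["subnet_prefix"], req["collision_count"])
        except (KeyError, TypeError, ValueError, AttributeError):
            return "REFUSED: malformed request"
        if claimed != expected:                        # step 207
            return "REFUSED: address mismatch"
        name = req["domain"].rstrip(".").lower()
        # A self-consistent address says nothing about who owns the name:
        # anyone can derive one from their own key. The key stored at first
        # registration is what ties later updates to the original registrant.
        if self.keys.setdefault(name, req["public_key"]) != req["public_key"]:
            return "REFUSED: key does not match registered key"
        self.records[name] = claimed                   # step 209
        return "UPDATED"


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up key bytes).
    prefix, name = "2001:db8:1:2::/64", "host1.example.com"
    key, other_key = b"constructed-public-key-A", b"constructed-public-key-B"
    server = UpdateServer()
    addr, count = client_configure(name, key, prefix, in_use=set())
    print(addr, server.handle_update(make_request(name, key, prefix, addr, count)))
    addr2, count2 = client_configure(name, other_key, prefix, in_use=set())
    print(addr2, server.handle_update(make_request(name, other_key, prefix, addr2, count2)))
```

The second request carries an address that passes the step 207 comparison, which is why the server must also hold the name to the key it first registered and, in a full implementation, verify the SIG RR against that key.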

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method, device and system for dynamically updating a Domain Name System, relating to network security techniques. The invention addresses the insecurity of the dynamic DNS update process. The method includes the following steps: the DNS client generates an IP address according to a given rule; the DNS client generates a dynamic update request message and sends it, along with the IP address, to the DNS server; after receiving the DNS dynamic update request message, the DNS server generates a second IP address according to the same rule as the DNS client and verifies the address; and the DNS server updates the Domain Name System resource record according to the DNS dynamic update request message. The invention is applicable to DNS systems.

Description

Method, device and system for dynamically updating a domain name system
Technical field
The present invention relates to network security technologies in the field of communication networks, and in particular to a method, apparatus and system for dynamically updating a domain name system.
Background
In the Internet, an IP address is usually used as the network-layer identifier of a host. However, an IP address is just a string of numbers, so host names were introduced to make hosts easier to remember. Communication itself still uses the IP address of the communicating entity, so a host name must be translatable into the corresponding IP address. Originally, the mappings between host names and IP addresses were stored in the hosts.txt file of the Network Information Center (NIC). Because there were few hosts at the time and the file rarely changed, it was enough for other hosts to download the file from the NIC's host once every few days to map host names to IP addresses. As networks grew and the number of hosts increased, frequent download requests put enormous pressure on the NIC's host and also affected the quality of service. Many LAN users wanted to manage their own host names rather than wait many days for the NIC to add them to the hosts.txt file, and some organizations wanted their own namespace configuration. It was finally decided to use a hierarchical namespace organization scheme, the Domain Name System (DNS). DNS is a large distributed database system whose basic function is translation between network resource names (from the individual host names of the earliest simple networks to later domain names, mail addresses and so on) and IP addresses. Records in the DNS database system are called resource records (RR); a group of resource records with the same Label, Class and Type but different Data is called a resource record set (RRSet).
Autonomy and openness are the main principles of DNS design, and security was not considered when DNS was first designed. For example, an attacker may tamper with DNS so that the IP address of a legitimate website is changed to the IP address of a fake, malicious website. An ordinary user who intends to visit the website but does not have its IP address first issues a DNS query, so the user's network traffic is directed to a malicious website and the user's confidential information is very likely to be leaked. To solve DNS-related security problems, the DNS Security Extension (DNSSEC) proposes a series of measures. Its main idea is to sign the information in DNS using public-key signature technology, providing data origin authentication and integrity checking for DNS information. Having obtained the public key that verifies the signature, a domain name resolver can judge the authenticity and integrity of the resource records it receives by verifying the signature.
To better adapt to the development of the Internet, the IETF, the international network standards organization, proposed a new version of IP, IPv6. The IPv6 protocol provides a huge address space, which has become the biggest driving force for promoting IPv6. Most applications on the Internet depend on DNS support, DNS is very important in IPv6 networks, and some new IPv6 features are inseparable from DNS support. IPv6 supports address autoconfiguration, a plug-and-play mechanism that lets an IPv6 network interface obtain link-local, site-local and global addresses without any manual intervention and prevents duplicate-address conflicts. IPv6 supports both stateless address autoconfiguration and stateful address autoconfiguration. DHCP (Dynamic Host Configuration Protocol) is a stateful autoconfiguration mechanism, and RFC 2462 describes IPv6 stateless autoconfiguration. A node that performs stateless autoconfiguration of an IPv6 address first determines its own link-local address, then verifies that the link-local address is unique on the link, and finally determines the IPv6 address and other information to be configured. According to the IPv6 definitions, stateful autoconfiguration and stateless autoconfiguration can coexist and operate together. Cryptographically Generated Addresses (CGA) is a mechanism for generating interface identifiers in IPv6 stateless address autoconfiguration. It is mainly intended to prevent IP address theft and spoofing, and it enhances the security of IPv6 addresses. The basic idea of CGA is to obtain the interface identifier of the IPv6 address by computing a hash of the public key. The corresponding private key can be used to digitally sign messages sent from this address. To verify the association between the IP address and the public key, the verifier needs to know the IP address itself, the public key and the values of the auxiliary parameters. The verifier can then go on to verify messages signed by the owner of the public key. Because the CGA mechanism itself is not certified by a public trusted third party, an attacker can generate a new CGA from any subnet prefix and his own public key. However, an attacker cannot use another party's CGA to send a signed message that passes verification unless he can obtain that party's private key.
Users can reach a server in the network through a fixed domain name without caring whether its IP address changes and without remembering its long, hard-to-remember 128-bit IPv6 address. This requires a correspondence between the domain name and the IP address, so that when a user communicates with the server the corresponding IPv6 address can be obtained from the domain name.
When the IP address changes, the correspondence between the domain name and the IP address must be modified promptly and automatically. This is DNS dynamic update. Specifically, when the IP address changes, for example because the network topology changes, the DNS client can automatically send a request to update the IP address to the DNS server, and the DNS server updates the resource record in the DNS database according to that request. Users who later access the client through its domain name can still reach it, because a query for the domain name returns the node's new IP address.
In the process of implementing the present invention, the inventor found the following problem in the prior art: the DNS server responds to every request to update an IP address and updates the resource records in the DNS database accordingly, which may make it very easy for an attacker to tamper with legitimate DNS record entries and makes DNS dynamic update insecure.
Summary of the invention
Embodiments of the present invention provide a method, apparatus and system for dynamically updating the Domain Name System (DNS). They support stateless autoconfiguration of addresses, automatically generate the IP address of a communicating entity from information such as its domain name, and associate the corresponding domain name, public key and IP address, achieving more secure DNS dynamic update in an IPv6 environment.
An embodiment of the method for dynamically updating the domain name system includes the following steps:
The domain name system client generates an IP address according to a specific rule;
The domain name system client generates a domain name system dynamic update request message according to the IP address, and sends the domain name system dynamic update request message, carrying the IP address, to the domain name system server;
After receiving the domain name system dynamic update request message, the domain name system server generates a second IP address according to the same rule as the domain name system client; if the IP address equals the second IP address, address verification is completed;
The domain name system server updates the domain name system resource record according to the domain name system dynamic update request message.
The domain name system client disclosed in an embodiment of the present invention includes:
An address generating unit, configured to dynamically generate an IP address by a cryptographic method from the information of the domain name system client;
A request message generating unit, configured to generate a domain name system dynamic update request message according to the IP address.
The domain name system disclosed in an embodiment of the present invention includes:
A domain name system client, configured to generate an IP address according to a specific rule, generate a domain name system dynamic update request message according to the IP address, and send the domain name system dynamic update request message, carrying the IP address, to the domain name system server;
A domain name system server, configured to receive the domain name system dynamic update request message sent by the domain name system client, perform address verification on the domain name system dynamic update request message, and update the domain name system resource record according to the domain name system dynamic update request message.
An embodiment of the present invention also discloses a domain name system server, including:
A storage unit, configured to store domain name system resource records;
A receiving unit, configured to receive the domain name system dynamic update request message sent by the domain name system client;
A parsing unit, configured to parse the domain name system dynamic update request message and obtain the information and the IP address of the domain name system client;
An address generating unit, configured to generate a second IP address from the information of the domain name system client obtained by the parsing unit, according to the same rule as the domain name system client;
An address verification unit, configured to perform address verification on the domain name system client by determining whether the IP address and the second IP address are the same;
A domain name system resource record update unit, configured to update the domain name system resource record stored in the storage unit according to the domain name system dynamic update request message.
Embodiments of the present invention support stateless configuration of IP addresses. By associating the domain name system client's public key, domain name, IP address and other information, and using the generated IP address and the corresponding public key to protect dynamic updates of the domain name system, they enhance the security of DNS dynamic update.
Description of the drawings
Figure 1 is a system structure diagram of domain name system dynamic update according to an embodiment of the present invention;
Figure 2 is a flowchart of the method for dynamically updating the domain name system according to an embodiment of the present invention;
Figure 3 is a flowchart of the domain name system client dynamically generating an IP address in an embodiment of the present invention;
Figure 4 is a schematic structural diagram of the domain name system client in an embodiment of the present invention;
Figure 5 is a schematic structural diagram of the domain name system server in an embodiment of the present invention.
Detailed description
The present invention is further described below with reference to the drawings and specific embodiments, which should not be regarded as limiting the invention.
Embodiment 1 of the present invention discloses a method for dynamically updating a domain name system. In the DNS system shown in Figure 1, when the network topology changes, the DNS client dynamically generates a new IP address from some of its own information. To ensure that the DNS client's IP address can be found on the DNS server through the DNS client's domain name, the DNS client sends a DNS update request message to the DNS server. After receiving the update request message and verifying it, the DNS server updates the IP address corresponding to the DNS client's domain name in the resource record (RR) on the DNS server to the newly generated IP address.
Figure 2 is a detailed flowchart of the method for dynamically updating the domain name system according to an embodiment of the present invention. The method applies to updating an existing DNS resource record on the DNS server, and also to performing DNS registration on the DNS server, that is, creating a new DNS resource record.
Step 201: The DNS client dynamically generates a new IP address by a cryptographic method from its own information.
Specifically, the DNS client dynamically generates the IP address by a cryptographic method from information such as its own domain name (Domain Name), subnet prefix (Subnet Prefix), public key (Public Key) and collision count (Collision Count). Figure 3 is a flowchart of the DNS client dynamically generating an IP address in an embodiment of the present invention.
Step 301: Before the IP address is calculated, the collision count is cleared to zero.
Step 302: The interface identifier is generated by a cryptographic method. The calculation formula may be: Interface ID = First(N, PRF(Domain Name | Expression)), where Expression is a combination of information related to the DNS client, including the subnet prefix, the public key, the collision count and so on; Expression may also be empty. PRF(Expression) denotes a function that performs pseudo-random processing on Expression; it may be a function such as SHA-1, SHA-256, CBC-DES or CBC-AES, or the processing method for generating a cryptographically generated address (CGA) proposed in RFC 3972.
Step 303: The subnet prefix and the interface identifier are concatenated to form the IP address. In this embodiment this may be IP Address = Subnet Prefix | Interface ID, where "|" means that the two operands are directly concatenated.
Step 304: After generating the IP address, the DNS client first performs duplicate address detection. If an address conflict occurs, step 305 is performed; if no address conflict occurs, step 306 is performed.
Step 305: The collision count is incremented by 1, and step 302 is performed again to calculate the IP address.
Step 306: The DNS client prepares to send an update request message to the DNS server.
In the above process, if the IP addresses calculated several times in a row all conflict, so that the collision count becomes greater than 3, and this is the first time the DNS client registers with the selected domain name, the registration public key or the domain name in use is changed.
Step 202: After generating the IP address, the DNS client generates a DNS dynamic update request message and signs it.
After the DNS client generates the IP address by the cryptographic method, it generates a public key resource record (KEY RR) and then generates the DNS dynamic update request message, whose format is as follows:
Header
Zone
Prerequisite
Update
Additional Data
In this message, zone indicates the zone to be updated; Prerequisite indicates the preconditions that must be satisfied for the dynamic update, which may be that an RR must exist or not exist, or that an RRSet must exist or not exist; Update indicates the RR or RRSet to be updated; Additional Data contains records related to the update, or records related to the new records of this dynamic update operation.
After generating the above DNS dynamic update request message, the DNS client signs the entire DNS update request message with its own corresponding private key, generating a signature resource record (SIG RR) that is appended at the end of the additional data section. If this is the first time the DNS client uses the DNS domain name for update registration, the generated public key resource record must be added to the additional data section to notify the DNS server of the public key.
Step 203: The DNS client sends the signed DNS dynamic update request message, carrying the generated IP address, to the DNS server. The IP address, the DNS client's domain name and other information together form a resource record, which is added to the Update field of the DNS dynamic update request message.
Step 204: The DNS server receives the signed DNS dynamic update request message and parses it. The purpose of parsing is to obtain the DNS client's domain name, subnet mask and other information, and the IP address.
Step 205: The DNS server determines from the parsing result whether the DNS client has update request authority. In this embodiment, the DNS server determines whether the IP address carried in the DNS dynamic update request message was generated by a cryptographic method. If so, the DNS client has the update request authority and step 206 is performed; if not, the DNS client does not have the update request authority and the DNS server rejects the update request.
Step 206: The DNS server generates an IP address according to the same rule as the DNS client, using the same information.
Specifically, the DNS server dynamically generates an IP address by the cryptographic method from information such as the DNS client's domain name, subnet prefix, public key and collision count.
Step 207: The DNS server determines whether the IP address it generated in step 206 is the same as the IP address carried in the DNS dynamic update request sent by the DNS client. If they are the same, step 208 is performed; if not, the DNS server rejects the update request.
Step 208: The DNS server uses the public key to verify the signature resource record in the DNS dynamic update request message. If verification passes, step 209 is performed; otherwise, the DNS server rejects the update request.
Step 209: The DNS server completes the update requested by the DNS client, that is, it updates the DNS resource record, and sends an update response message to the DNS client.
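The address generation of steps 301 to 306 and the server-side recomputation of steps 206 and 207 can be sketched as follows. This is an added example, not code from the patent: it assumes PRF is SHA-256, that First(N, x) takes the leading N = 64 bits, that fields are length-prefixed before hashing, that the collision count travels with the request, and that the server bounds that count; the signature check of step 208 is not covered.

```python
import hashlib
import ipaddress

N_BITS = 64          # assumption: First(N, ...) keeps the leading 64 bits
MAX_COLLISIONS = 3   # the description gives up once the count is greater than 3


def _pack(*fields):
    """Length-prefix each field so the concatenation is unambiguous (assumption)."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def interface_id(domain, prefix, public_key, collision_count):
    """Interface ID = First(N, PRF(Domain Name | Expression)), PRF = SHA-256."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 128 - N_BITS:
        raise ValueError("subnet prefix must leave exactly N bits for the interface ID")
    name = domain.rstrip(".").lower().encode()   # assumption: canonical form of the name
    expression = _pack(net.network_address.packed[:8], public_key,
                       bytes([collision_count]))
    digest = hashlib.sha256(_pack(name) + expression).digest()
    return int.from_bytes(digest[:N_BITS // 8], "big")


def make_address(domain, prefix, public_key, collision_count):
    """IP Address = Subnet Prefix | Interface ID (step 303)."""
    net = ipaddress.IPv6Network(prefix)
    iid = interface_id(domain, prefix, public_key, collision_count)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def client_generate(domain, prefix, public_key, in_use):
    """Steps 301-306. `in_use` stands in for duplicate address detection on the link."""
    count = 0                                              # step 301
    while count <= MAX_COLLISIONS:
        addr = make_address(domain, prefix, public_key, count)   # steps 302-303
        if addr not in in_use:                             # step 304
            return addr, count                             # step 306
        count += 1                                         # step 305
    # On a first registration the description changes the key or the domain name here.
    raise RuntimeError("collision count exceeded 3: change the public key or domain name")


def server_verify_address(domain, prefix, public_key, collision_count, claimed):
    """Steps 206-207: recompute the address from the parsed fields and compare."""
    # Assumption: the server also bounds the count, so a sender cannot search
    # an unbounded number of candidate addresses for one name and key.
    if not isinstance(collision_count, int) or not 0 <= collision_count <= MAX_COLLISIONS:
        return False
    try:
        expected = make_address(domain, prefix, public_key, collision_count)
        return expected == ipaddress.IPv6Address(claimed)
    except ValueError:          # malformed prefix or address in the request
        return False


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, placeholder key bytes).
    key = b"constructed-public-key-bytes"
    addr, count = client_generate("host.example.com", "2001:db8:1:2::/64", key, set())
    print(addr, count, server_verify_address("host.example.com", "2001:db8:1:2::/64",
                                             key, count, str(addr)))
```

Because the domain name and the public key are both hashed into the interface identifier, a request that presents a different key for the same name and address fails the comparison of step 207 before any signature is checked.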
An embodiment of the present invention also discloses a system for dynamically updating a domain name system. As shown in Figure 1, the system includes a DNS client and a DNS server. The DNS client is configured to dynamically generate an IP address according to a specific rule when the network topology changes or when DNS registration is performed on the DNS server, to generate a DNS dynamic update request message according to the IP address, and to send the DNS dynamic update request message, carrying the IP address, to the DNS server. The DNS client is further configured to sign the DNS dynamic update request message with its own private key, generate a signature resource record, and add the generated signature resource record to the DNS dynamic update request message. The DNS client may be further configured to generate a public key resource record and to carry the public key resource when it sends a DNS dynamic update request message to the DNS server for the first time. The DNS server is configured to receive the DNS dynamic update request message sent by the DNS client, perform address verification on the DNS dynamic update request message, and update the DNS resource record according to the DNS dynamic update request message. The DNS server is further configured to perform authority verification on the DNS client according to the DNS dynamic update request message. The DNS server may be further configured to verify the signature resource record in the DNS dynamic update request message according to the public key of the DNS client. The DNS server may be further configured to send an update response message to the DNS client after updating the DNS resource record.
An embodiment of the present invention also discloses a domain name system client. Figure 4 is a schematic structural diagram of the DNS client according to an embodiment of the present invention. The DNS client includes an address generating unit, a request message generating unit, a signing unit, a resource record generating unit and a sending unit. The address generating unit is configured to dynamically generate an IP address by a cryptographic method from the DNS client's own information when the network topology changes or when DNS registration is performed on the DNS server; the specific algorithm is given in the method section. The request message generating unit is configured to generate a DNS dynamic update request message according to the IP address; the format of the update request message is the message format in the above method, and the new IP address is added in the Update field. The signing unit is configured to sign the DNS dynamic update request message with the DNS client's own private key and generate a signature resource record; this signature resource record is added to the additional data field of the DNS dynamic update request message and is used by the DNS server for signature verification of the DNS client. The resource record generating unit is configured to generate the DNS client's public key resource record. If a DNS client registers with a given domain name for the first time, the public key resource record is added to the additional data field of the DNS dynamic update request message; after receiving this public key resource record, the DNS server uses the public key in it to perform signature verification on DNS dynamic update request messages sent for the same domain name. The sending unit is configured to send the signed DNS dynamic update request message to the DNS server.
An embodiment of the present invention also discloses a domain name system server. Figure 5 is a schematic structural diagram of the domain name system server according to an embodiment of the present invention.
The domain name system server includes a storage unit, configured to store domain name system resource records. A receiving unit is configured to receive the DNS dynamic update request message sent by the DNS client. A parsing unit is configured to parse the DNS dynamic update request message and obtain the information and the IP address of the DNS client; the information of the DNS client includes the domain name, the subnet prefix and so on. An address generating unit is configured to generate a second IP address from the DNS client information obtained by the parsing unit, according to the same rule as the DNS client; specifically, the second IP address may be generated by the cryptographic method according to the rules in the above method flow. An address verification unit is configured to perform address verification on the DNS client by determining whether the IP address and the second IP address are the same; if they are the same, address verification passes, and if they are not, the DNS server rejects the DNS client's update request. A domain name system resource record update unit is configured to update the domain name system resource record stored in the storage unit according to the DNS dynamic update request message. When performing a DNS dynamic update, it first searches the storage unit; if there is a resource record corresponding to the DNS client's domain name, it modifies that resource record, and if there is no DNS resource record corresponding to the DNS client's domain name, it creates a new DNS resource record.
The DNS server further includes a signature verification unit, configured to verify the signature resource record in the DNS dynamic update request message according to the public key of the DNS client. If the public key matches the private key in the signature resource record, signature verification passes, and the signature verification unit sends the DNS dynamic update request message that passed signature verification to the domain name system resource record update unit.
The DNS server further includes an authority verification unit, configured to determine, from the DNS client information obtained by the parsing unit, whether the DNS client has the authority to request a DNS dynamic update; if the DNS client has that authority, the information of the DNS client is sent to the address generating unit. A sending unit is configured to send an update response message to the DNS client when the domain name system resource record update unit has finished updating the domain name system resource record, notifying it that the update is complete.
Embodiments of the present invention support stateless configuration of IP addresses. By associating the DNS client's public key, domain name, IP address and other information, and using the generated IP address and the corresponding public key to protect dynamic updates of the DNS, they enhance the security of DNS dynamic update.
In summary, the above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A method for dynamically updating a domain name system, characterized by comprising the following steps:
a domain name system client generates an IP address according to a specific rule;
the domain name system client generates a domain name system dynamic update request message according to the IP address, and sends the domain name system dynamic update request message, carrying the IP address, to a domain name system server;
after receiving the domain name system dynamic update request message, the domain name system server generates a second IP address according to the same rule as the domain name system client, and if the IP address equals the second IP address, address verification is completed;
the domain name system server updates the domain name system resource record according to the domain name system dynamic update request message.
2. The method for dynamically updating a domain name system according to claim 1, characterized in that the domain name system client generating an IP address according to a specific rule specifically means: the domain name system client generates the IP address by a cryptographic method from its own domain name, subnet prefix, public key and collision count;
the domain name system server generating a second IP address according to the same rule as the domain name system client specifically means: the domain name system server generates the second IP address by the cryptographic method from the domain name, subnet prefix, public key and collision count of the domain name system client.
3. The method for dynamically updating a domain name system according to claim 2, characterized in that the collision count is cleared to zero before the IP address or the second IP address is generated.
4. The method for dynamically updating a domain name system according to claim 3, characterized in that, after the domain name system client generates the IP address and before the domain name system client generates the domain name system dynamic update request message, the method further comprises a step of duplicate address detection: if an address conflict occurs, the collision count is incremented by 1 and the domain name system client regenerates the IP address;
when the collision count exceeds a certain threshold, the domain name or the registration public key used by the domain name system client is changed, the collision count is cleared to zero, and the domain name system client regenerates the IP address.
5. The method for dynamically updating a domain name system according to claim 2, characterized in that, after the domain name system client generates the domain name system dynamic update request message and before it sends the domain name system dynamic update request message to the domain name system server, the method further comprises a step in which the domain name system client signs the domain name system dynamic update request message with its own corresponding private key and generates a signature resource record.
6. The method for dynamically updating a domain name system according to claim 1 or 5, characterized in that, before the domain name system server updates the domain name system resource record, the method further comprises a step in which the domain name system server performs authority verification on the domain name system client: if the domain name system server determines that the IP address the domain name system client requests to update is an IP address generated by a cryptographic method, the domain name system client has update request authority.
7. The method for dynamically updating a domain name system according to claim 6, characterized in that, after the address verification is completed and before the domain name system resource record is updated, the method further comprises a signature verification step: the domain name system server verifies the signature resource record in the domain name system dynamic update request message according to the public key of the domain name system client;
after the domain name system server updates the domain name system resource record, the method further comprises a step in which the domain name system server sends an update response message to the domain name system client.
8. A domain name system client, characterized by comprising:
an address generating unit, configured to dynamically generate an IP address by a cryptographic method from the information of the domain name system client;
a request message generating unit, configured to generate a domain name system dynamic update request message according to the IP address.
9. The domain name system client according to claim 8, characterized by further comprising:
a signing unit, configured to sign the domain name system dynamic update request message with the domain name system client's own private key and generate a signature resource record.
10. The domain name system client according to claim 9, characterized in that the domain name system client further comprises:
a resource record generating unit, configured to generate a public key resource record of the domain name system client, the public key resource record being used for signature verification of the domain name system client;
a sending unit, configured to send the signed domain name system dynamic update request message.
11. The domain name system client according to any one of claims 8 to 10, characterized in that the information of the domain name system client includes the domain name system client's own domain name, subnet prefix, public key and collision count.
12. A domain name system, characterized by comprising:
a domain name system client, configured to generate an IP address according to a specific rule, generate a domain name system dynamic update request message according to the IP address, and send the domain name system dynamic update request message, carrying the IP address, to a domain name system server;
a domain name system server, configured to receive the domain name system dynamic update request message sent by the domain name system client, perform address verification on the domain name system dynamic update request message, and update a domain name system resource record according to the domain name system dynamic update request message.
13. The domain name system according to claim 12, characterized in that
the domain name system server is further configured to perform permission verification on the domain name system client according to the domain name system dynamic update request message.
14. The domain name system according to claim 12, characterized in that
the domain name system client is further configured to sign the domain name system dynamic update request message with its own private key, and to add the generated signature resource record to the domain name system dynamic update request message;
the domain name system server is further configured to verify the signature resource record in the domain name system dynamic update request message according to the public key of the domain name system client.
15. The domain name system according to any one of claims 12 to 14, characterized in that
the domain name system client is further configured to generate a public key resource record and, when sending a domain name system dynamic update request message to the domain name system server for the first time, to carry the public key resource;
the domain name system server is further configured to send an update response message to the domain name system client after updating the domain name system resource record.
16. A domain name system server, characterized by comprising:
a storage unit, configured to store domain name system resource records;
a receiving unit, configured to receive a domain name system dynamic update request message sent by a domain name system client;
a parsing unit, configured to parse the domain name system dynamic update request message and obtain the information and the IP address of the domain name system client;
an address generating unit, configured to generate a second IP address from the information of the domain name system client obtained by the parsing unit, according to the same rule as the domain name system client;
an address verification unit, configured to perform address verification on the domain name system client by determining whether the IP address and the second IP address are the same;
a domain name system resource record update unit, configured to update the domain name system resource record stored in the storage unit according to the domain name system dynamic update request message.
17. The domain name system server according to claim 16, characterized by further comprising:
a signature verification unit, configured to verify the signature resource record in the domain name system dynamic update request message according to the public key of the domain name system client.
18. The domain name system server according to claim 16 or 17, characterized by further comprising:
a permission verification unit, configured to determine, according to the information of the domain name system client obtained by the parsing unit, whether the domain name system client has permission to request a domain name system dynamic update, and, if the domain name system client has that permission, to send the information of the domain name system client to the address generating unit;
a sending unit, configured to send an update response message to the domain name system client, notifying it that the update has been completed.
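The address verification of claims 11 and 16, as an added example that is not code from the patent: the client derives an IPv6 address from its domain name, subnet prefix, public key and conflict count, and the server regenerates a second address by the same rule and compares the two. The SHA-256 rule, the field encoding, the /64 prefix and every function name and sample value are assumptions, because the claims specify only a "cryptographic method".

```python
import hashlib
import ipaddress

def generate_address(domain, subnet_prefix, public_key, conflict_count):
    """Assumed rule: 64-bit prefix + first 64 bits of SHA-256 over the client info."""
    net = ipaddress.IPv6Network(subnet_prefix)
    if net.prefixlen != 64:
        raise ValueError("this example assumes a /64 subnet prefix")
    prefix = net.network_address.packed[:8]
    fields = (domain.rstrip(".").lower().encode("ascii"), prefix,
              public_key, bytes([conflict_count]))
    digest = hashlib.sha256()
    for field in fields:
        # Length-prefix every field so the field boundaries are unambiguous.
        digest.update(len(field).to_bytes(4, "big") + field)
    return ipaddress.IPv6Address(prefix + digest.digest()[:8])

def build_update_request(domain, subnet_prefix, public_key, conflict_count=0):
    """Client side: generate the address and carry it with the client info."""
    address = generate_address(domain, subnet_prefix, public_key, conflict_count)
    return {"domain": domain, "subnet_prefix": subnet_prefix,
            "public_key": public_key, "conflict_count": conflict_count,
            "address": str(address)}

def handle_update(request, records):
    """Server side: regenerate a second address, compare, then update the store."""
    try:
        claimed = ipaddress.IPv6Address(request["address"])
        second = generate_address(request["domain"], request["subnet_prefix"],
                                  request["public_key"], request["conflict_count"])
    except (KeyError, ValueError, TypeError, AttributeError):
        return False          # malformed request: no update
    if claimed != second:
        return False          # address verification failed: record untouched
    records[request["domain"].rstrip(".").lower()] = str(claimed)
    return True

# Constructed sample values (documentation prefix, placeholder key bytes).
SAMPLE_KEY = b"constructed-public-key-bytes"
RECORDS = {}
REQUEST = build_update_request("host1.example.com", "2001:db8:1:2::/64", SAMPLE_KEY)

if __name__ == "__main__":
    print(handle_update(REQUEST, RECORDS), RECORDS)
    forged = dict(REQUEST, address="2001:db8:1:2::1")
    print(handle_update(forged, RECORDS))
```

A matching address shows only that the address was derived from the stated public key; the signature verification of claims 14 and 17, left out here, is what ties the request to the holder of the corresponding private key.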
PCT/CN2008/070553 2007-03-26 2008-03-21 Method, device and system for domain name system to update dynamically WO2008116416A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007100736693A CN101277257B (en) 2007-03-26 2007-03-26 Method, apparatus and system for dynamically updating DNS
CN200710073669.3 2007-03-26

Publications (1)

Publication Number Publication Date
WO2008116416A1 (en) 2008-10-02

Family

ID=39788057

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070553 WO2008116416A1 (en) 2007-03-26 2008-03-21 Method, device and system for domain name system to update dynamically

Country Status (2)

Country Link
CN (1) CN101277257B (en)
WO (1) WO2008116416A1 (en)

Also Published As

Publication number Publication date
CN101277257A (en) 2008-10-01
CN101277257B (en) 2012-02-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08715289

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08715289

Country of ref document: EP

Kind code of ref document: A1