CA2686142A1 - Alternate dns root nameservice for dnssec purposes - Google Patents
- Publication number
- CA2686142A1
- Authority
- CA
- Canada
- Prior art keywords
- root
- zone
- nameservice
- dns
- dnssec
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
Abstract
The Internet DNS (Domain Name System) may be integrity protected with the deployment of the DNSSEC protocol extension at the root zone. The inventive methods allow a common DNSSEC-related cryptographic key configuration, also called a trust anchor, to be used for a number of independent alternate root nameservice operators, each operating its own set of root nameservers. A single root signing entity feeds each nameserver operator with its own version of the signed DNS root zone. The inventive processes allow these versions to coexist gracefully on the public Internet.
It thus allows the load on root nameservers to be shared, and a DNS resolver to switch from one alternate nameservice operator to another with minimal disturbance. The preferred embodiment is such that the exact same substantive root zone contents are delivered either by the official DNS root zone or by an alternate root nameservice fed by an independent root signing entity.
Claims (2)
1. A method of servicing a signed DNS root zone to a network from at least one host in a first set of hosts where a) substantially the same DNS root zone is being serviced concurrently from at least one node in a second set of hosts, b) the zone apex NS RRset serviced from hosts in said first set contains the respective domain names of hosts in said first set and is signed with a digital signature key pair, and c) the zone apex NS RRset serviced from hosts in said second set contains the respective domain names of hosts in said second set and is signed with said digital signature key pair.
2. A method of preparing a DNS root zone for DNSSEC service to a network where a) a plurality of variants is prepared with substantially the same signed DNS
root zone contents, b) each of said plurality of variants has a zone apex NS RRset containing a set of domain names non intersecting with other variants, c) each of said plurality of variants has its zone apex NS RRset signed with a common digital signature key pair, and d) each of said plurality of variants have signature inception and expiration times allowing ordinarily concurrent DNSSEC servicing of said DNS root zone.
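The conditions of claim 2 can be checked mechanically on the apex records of each variant. The following is an added example, not part of the patent: it parses presentation-format NS and RRSIG records (RFC 4034 field order) and reports variants whose NS names intersect, whose apex NS RRsets are signed by different keys, or whose signatures are not valid at a given time. Operator names, key tags and signature blobs are constructed placeholders; key identity is approximated by (algorithm, key tag, signer), and no signature is verified cryptographically.

```python
from datetime import datetime, timezone
from itertools import combinations

# Constructed sample: apex NS RRset and its RRSIG for two root zone variants.
VARIANTS = {
    "operator-one": """\
. 518400 IN NS a.ns.operator-one.example.
. 518400 IN NS b.ns.operator-one.example.
. 518400 IN RRSIG NS 8 0 518400 20091204000000 20091120000000 4242 . c2lnLW9uZQ==
""",
    "operator-two": """\
. 518400 IN NS a.ns.operator-two.example.
. 518400 IN NS b.ns.operator-two.example.
. 518400 IN RRSIG NS 8 0 518400 20091206000000 20091122000000 4242 . c2lnLXR3bw==
""",
}

def _ts(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_apex(text):
    """Return (set of NS names, RRSIG info or None) for the zone apex."""
    ns, sig = set(), None
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != ".":
            continue
        if f[3] == "NS":
            ns.add(f[4].lower())
        elif f[3] == "RRSIG" and f[4] == "NS" and len(f) >= 13:
            # covered alg labels origTTL expiration inception keytag signer sig
            sig = {"expire": _ts(f[8]), "incept": _ts(f[9]),
                   "key": (int(f[5]), int(f[10]), f[11])}
    return ns, sig

def check_variants(variants, now):
    """Return a list of problems; an empty list means the variants can coexist."""
    parsed = {name: parse_apex(t) for name, t in variants.items()}
    problems = []
    for name, (ns, sig) in parsed.items():
        if sig is None:
            problems.append(f"{name}: apex NS RRset is unsigned")
        elif not sig["incept"] <= now <= sig["expire"]:
            problems.append(f"{name}: signature not valid at {now:%Y-%m-%d}")
    for (a, (ns_a, sig_a)), (b, (ns_b, sig_b)) in combinations(parsed.items(), 2):
        if ns_a & ns_b:
            problems.append(f"{a}/{b}: shared NS names {sorted(ns_a & ns_b)}")
        if sig_a and sig_b and sig_a["key"] != sig_b["key"]:
            problems.append(f"{a}/{b}: apex NS signed by different keys")
    return problems
```
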
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA2686142A CA2686142A1 (en) | 2009-11-20 | 2009-11-20 | Alternate dns root nameservice for dnssec purposes |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA2686142A CA2686142A1 (en) | 2009-11-20 | 2009-11-20 | Alternate dns root nameservice for dnssec purposes |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2686142A1 (en) | 2011-05-20 |
Family
ID=44063351
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA2686142A Abandoned CA2686142A1 (en) | 2009-11-20 | 2009-11-20 | Alternate dns root nameservice for dnssec purposes |
Country Status (1)
Country | Link |
---|---|
CA (1) | CA2686142A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11792079B2 (en) * | 2011-12-30 | 2023-10-17 | Verisign, Inc. | DNS package in a network |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8850553B2 (en) | Service binding | |
WO2007064744A3 (en) | Extending sso for dhcp snooping to two box redundancy | |
WO2011079145A3 (en) | Systems and methods for mixed mode handling of ipv6 and ipv4 traffic by a virtual server | |
US20130036307A1 (en) | Authentication of cache dns server responses | |
CA2586223A1 (en) | Opt-in process and nameserver system for ietf dnssec | |
Dukhovni et al. | The DNS-based authentication of named entities (DANE) protocol: updates and operational guidance | |
WO2007100641A3 (en) | Communication using private ip addresses of local networks | |
TW200737883A (en) | Method and apparatus for managing hardware address resolution | |
WO2006031748A3 (en) | System and method for connection optimization | |
EP1389377A4 (en) | Network security system | |
CN106487807A (en) | A kind of means of defence of domain name mapping and device | |
Laganier | Host Identity Protocol (HIP) Domain Name System (DNS) Extension | |
Cowperthwaite et al. | The futility of DNSSec | |
Herzberg et al. | Towards adoption of dnssec: Availability and security challenges | |
Gayraud et al. | Network Time Protocol (NTP) Server Option for DHCPv6 | |
Grothoff et al. | NSA’s MORECOWBELL: knell for DNS | |
CA2686142A1 (en) | Alternate dns root nameservice for dnssec purposes | |
JP2017525311A5 (en) | ||
Henderson et al. | Using the Host Identity Protocol with legacy applications | |
FI20055552L (en) | Method, system, and proxy server for an IP shared service provisioning network | |
Thaler | Unicast-prefix-based ipv4 multicast addresses | |
CN108965260B (en) | Message processing method, bastion machine and terminal equipment | |
Pfister et al. | Discovering provisioning domain names and data | |
WO2009129037A3 (en) | Method and system for creating and managing a variable number of visible interne protocol (ip) addresses | |
Guillard | DNSSEC operational impact and performance |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | FZDE | Discontinued | Effective date: 20121011 |