CA2686142A1 - Alternate dns root nameservice for dnssec purposes - Google Patents

Alternate dns root nameservice for dnssec purposes

Publication number
CA2686142A1
Authority
CA
Canada
Prior art keywords
root
zone
nameservice
dns
dnssec
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
CA2686142A
Other languages
French (fr)
Inventor
Thierry Moreau
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Connotech Experts Conseils Inc
Original Assignee
Connotech Experts Conseils Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Connotech Experts Conseils Inc
Priority to CA2686142A
Publication of CA2686142A1
Current legal status: Abandoned

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information

Abstract

The Internet DNS (Domain Name System) may be integrity protected with the deployment of the DNSSEC protocol extension at the root zone. The inventive methods allow a common DNSSEC-related cryptographic key configuration, also called a trust anchor, to be used for a number of independent alternate root nameservice operators, each operating its own set of root nameservers. A single root signing entity feeds each nameserver operator with its own version of the signed DNS root zone. The inventive processes allow these versions to coexist on the public Internet gracefully.
It thus allows the load on root nameservers to be shared, and a DNS resolver to switch from one alternate nameservice operator to the other with minimal disturbance. The preferred embodiment is such that the exact same substantive root zone contents are delivered either by the official DNS root zone or by an alternate root nameservice fed by an independent root signing entity.

Claims (2)

What is claimed is:
1. A method of servicing a signed DNS root zone to a network from at least one host in a first set of hosts where a) substantially the same DNS root zone is being serviced concurrently from at least one node in a second set of hosts, b) the zone apex NS RRset serviced from hosts in said first set contains the respective domain names of hosts in said first set and is signed with a digital signature key pair, and c) the zone apex NS RRset serviced from hosts in said second set contains the respective domain names of hosts in said second set and is signed with said digital signature key pair.
2. A method of preparing a DNS root zone for DNSSEC service to a network where a) a plurality of variants is prepared with substantially the same signed DNS root zone contents, b) each of said plurality of variants has a zone apex NS RRset containing a set of domain names non intersecting with other variants, c) each of said plurality of variants has its zone apex NS RRset signed with a common digital signature key pair, and d) each of said plurality of variants have signature inception and expiration times allowing ordinarily concurrent DNSSEC servicing of said DNS root zone.
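The four conditions of claim 2 can be checked mechanically over a set of prepared zone variants. The following is an added example, not code from the patent or its applicant; the data layout, the `key_id` field, the `.example` host names and all sample values are constructed assumptions, and "substantially the same" is interpreted here as identical once each variant's own nameserver address records are set aside.

```python
from itertools import combinations

# Constructed delegation data shared by every variant (not real root zone data).
COMMON = {("example.", "NS", "ns1.example."), ("example.", "DS", "constructed-digest")}

def make_variant(apex_ns, inception, expiration, key_id="constructed-key-1"):
    """Build one variant: apex NS names, their address records, common contents."""
    glue = {(name, "A", "192.0.2.1") for name in apex_ns}
    return {"apex_ns": set(apex_ns), "records": COMMON | glue,
            "ns_rrsig": {"key_id": key_id, "inception": inception,
                         "expiration": expiration}}

def substantive(variant):
    """Zone contents minus records owned by the variant's own apex NS hosts."""
    return {r for r in variant["records"] if r[0] not in variant["apex_ns"]}

def check_variants(variants):
    """Return the violated conditions (a-d of claim 2); empty list if none."""
    problems = []
    names = sorted(variants)
    base = substantive(variants[names[0]])
    for n in names[1:]:
        if substantive(variants[n]) != base:
            problems.append(f"a: {n} differs in substantive contents")
    for x, y in combinations(names, 2):
        shared = variants[x]["apex_ns"] & variants[y]["apex_ns"]
        if shared:
            problems.append(f"b: {x} and {y} share NS names {sorted(shared)}")
    if len({variants[n]["ns_rrsig"]["key_id"] for n in names}) != 1:
        problems.append("c: apex NS RRsets signed with different keys")
    # RRSIG times in YYYYMMDDHHmmSS form compare correctly as integers.
    start = max(variants[n]["ns_rrsig"]["inception"] for n in names)
    end = min(variants[n]["ns_rrsig"]["expiration"] for n in names)
    if start >= end:
        problems.append("d: signature validity windows do not overlap")
    return problems

OFFICIAL = make_variant({"a.op1.example.", "b.op1.example."}, 20091101000000, 20091115000000)
ALTERNATE = make_variant({"a.op2.example."}, 20091103000000, 20091117000000)
CLASHING = make_variant({"a.op1.example."}, 20091116000000, 20091130000000)

if __name__ == "__main__":
    print(check_variants({"official": OFFICIAL, "alternate": ALTERNATE}))
    print(check_variants({"official": OFFICIAL, "clashing": CLASHING}))
```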
CA2686142A 2009-11-20 2009-11-20 Alternate dns root nameservice for dnssec purposes Abandoned CA2686142A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CA2686142A CA2686142A1 (en) 2009-11-20 2009-11-20 Alternate dns root nameservice for dnssec purposes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CA2686142A CA2686142A1 (en) 2009-11-20 2009-11-20 Alternate dns root nameservice for dnssec purposes

Publications (1)

Publication Number Publication Date
CA2686142A1 (en) 2011-05-20

Family

ID=44063351

Family Applications (1)

Application Number Title Priority Date Filing Date
CA2686142A Abandoned CA2686142A1 (en) 2009-11-20 2009-11-20 Alternate dns root nameservice for dnssec purposes

Country Status (1)

Country Link
CA (1) CA2686142A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11792079B2 (en) * 2011-12-30 2023-10-17 Verisign, Inc. DNS package in a network

Similar Documents

Publication Publication Date Title
US8850553B2 (en) Service binding
WO2007064744A3 (en) Extending sso for dhcp snooping to two box redundancy
WO2011079145A3 (en) Systems and methods for mixed mode handling of ipv6 and ipv4 traffic by a virtual server
US20130036307A1 (en) Authentication of cache dns server responses
CA2586223A1 (en) Opt-in process and nameserver system for ietf dnssec
Dukhovni et al. The DNS-based authentication of named entities (DANE) protocol: updates and operational guidance
WO2007100641A3 (en) Communication using private ip addresses of local networks
TW200737883A (en) Method and apparatus for managing hardware address resolution
WO2006031748A3 (en) System and method for connection optimization
EP1389377A4 (en) Network security system
CN106487807A (en) A kind of means of defence of domain name mapping and device
Laganier Host Identity Protocol (HIP) Domain Name System (DNS) Extension
Cowperthwaite et al. The futility of DNSSec
Herzberg et al. Towards adoption of dnssec: Availability and security challenges
Gayraud et al. Network Time Protocol (NTP) Server Option for DHCPv6
Grothoff et al. NSA’s MORECOWBELL: knell for DNS
CA2686142A1 (en) Alternate dns root nameservice for dnssec purposes
JP2017525311A5 (en)
Henderson et al. Using the Host Identity Protocol with legacy applications
FI20055552L (en) Method, system, and proxy server for an IP shared service provisioning network
Thaler Unicast-prefix-based ipv4 multicast addresses
CN108965260B (en) Message processing method, bastion machine and terminal equipment
Pfister et al. Discovering provisioning domain names and data
WO2009129037A3 (en) Method and system for creating and managing a variable number of visible interne protocol (ip) addresses
Guillard DNSSEC operational impact and performance

Legal Events

Date Code Title Description
FZDE Discontinued

Effective date: 20121011