Domain-name-system.org

DNSKEY resource record


Page modified: Friday, June 23, 2006 20:29:01

The DNSKEY resource record is used to publish public keys via DNS. DNSKEY records are used within DNSSEC (DNS Security Extensions) and in 2004 replaced the almost identical KEY resource record.

Background

Public key systems are regarded today as efficient and widely applicable cryptographic procedures. The owner of a key pair signs a message with the private key, which only the owner possesses. A recipient can verify this signature with the corresponding public key and thereby establish that the message really comes from the sender and has not been altered.

A fundamental problem of public key systems is the distribution of the public keys: how does a user make his public key known? The procedure described here uses DNS. The key owner stores the key as a DNSKEY RR on a publicly reachable DNS server. Anyone who needs this user's public key sends a corresponding DNS query and receives the public key in the answer. The procedure is thus the same as the publication of IP addresses.

In practice this kind of publication is not sufficient on its own, since an entire zone can be forged. At least one public key must therefore be entered into the resolver manually as a trusted key (trust anchor); every other key is then validated through the chain of signatures that leads back to it.

Structure

A DNSKEY RR consists of the following fields:

  Label       Name of the key owner; for DNSSEC this is the name of the zone.
  Class       IN is the only permitted class.
  Type        DNSKEY.
  Flags       Additional data about the key, e.g. host, zone or key signing key. In the context of DNSSEC, 256 = zone key (bit 7 set) and 257 = zone key with the Secure Entry Point bit additionally set, which marks a key signing key.
  Protocol    1 = TLS, 2 = email, 3 = DNSSEC, 4 = IPsec. These values come from the older KEY record; in a DNSKEY record the value must be 3 (DNSSEC), records with any other value are ignored by validators.
  Algorithm   1 = RSA/MD5, 2 = Diffie-Hellman, 3 = DSA; further numbers are assigned in the algorithm registry of RFC 4034 (Appendix A.1).
  Public key  The key material, Base64-encoded; its internal layout depends on the algorithm.

Examples

  child.example. IN DNSKEY ( 256  ; flags: zone key
                             3    ; protocol: DNSSEC
                             3    ; algorithm: DSA
                             BOPdJjdc/ZQWCVA/ONz6LjvugMnB2KKL3F1D2i9Gdrpi
                             rcWRKS2DfRn5KiMM2HQXBHv0ZdkFs/tmjg7rYxrN+bzB
                             NrlwfU5RMjioi67PthD07EHbZjwoZ5sKC2BZ/M596hyg
                             fx5JAvbIWBQVF+ztiuCnWCkbGvVXwsmE+odINCur+o+E
                             jA9hF06LqTviUJKqTxisQO5OHM/0ufNenzIbijJPTXbU
                             cF3vW+CMlX+AUPLSag7YnhWaEu7BLCKfg3vJVw9mtaN2
                             W3oWPRdebGUf/QfyVKXoWD6zDLByCZh4wKvpcwgAsel4
                             bO5LVe7s8qstSxqrwzmvaZ5XYOMZFbN7CXtutiswAkb0
                             pkehIYime6IRkDwWDG+14H5yriRuCDK3m7GvwxMo+ggV
                             0k3Po9LD5wWSIi1N )

  f-beispiel.de. IN DNSKEY ( 257  ; flags: key signing key
                             3    ; protocol: DNSSEC
                             1    ; algorithm: RSA/MD5
                             AQOW4333ZLdOHLRk+3Xe6RAaCQAOMhAVJu2T
                             xqmk1Kyc13h69/wh1zhDk2jjqxsN6dVAFi16
                             CUoynd7/EfaXdcjL )
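The following Python is an added example, not code from the original page or from any DNS software. It parses the presentation format shown above (parentheses and ";" comments included), decodes the flags, protocol and algorithm fields described in the Structure section, unpacks the RSA key layout of the f-beispiel.de record, computes the key tag with which RRSIG and DS records refer to a key (RFC 4034 Appendix B, including the special rule for RSA/MD5 in B.1), and derives the DS digest that a parent zone or a manually configured trust anchor would hold. The f-beispiel.de record is the page's own example; the short "x." record, the class and function names are constructed for illustration.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# Algorithm numbers from the registry started in RFC 4034 Appendix A.1;
# 1-3 are the values the page lists, the rest were registered later.
ALGORITHMS = {
    1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA", 5: "RSA/SHA-1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSA/SHA-256", 10: "RSA/SHA-512",
    13: "ECDSA P-256/SHA-256", 14: "ECDSA P-384/SHA-384",
    15: "Ed25519", 16: "Ed448",
}
FLAG_ZONE = 0x0100    # bit 7: zone key (256)
FLAG_REVOKE = 0x0080  # bit 8: key revoked (RFC 5011)
FLAG_SEP = 0x0001     # bit 15: Secure Entry Point, marks a KSK (257 = 256 + 1)

# The page's own example record, in zone-file presentation format.
F_BEISPIEL_DNSKEY = """f-beispiel.de. IN DNSKEY ( 257  ; flags: key signing key (zone + SEP)
                              3    ; protocol: DNSSEC
                              1    ; algorithm: RSA/MD5
                              AQOW4333ZLdOHLRk+3Xe6RAaCQAOMhAVJu2T
                              xqmk1Kyc13h69/wh1zhDk2jjqxsN6dVAFi16
                              CUoynd7/EfaXdcjL )"""


def owner_to_wire(name: str) -> bytes:
    """Wire-format (length-prefixed labels) of a fully qualified owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def is_zone_key(self) -> bool:
        return bool(self.flags & FLAG_ZONE)

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & FLAG_SEP)

    @property
    def algorithm_name(self) -> str:
        return ALGORITHMS.get(self.algorithm, f"unassigned ({self.algorithm})")

    def rdata(self) -> bytes:
        """RDATA as it appears on the wire: flags, protocol, algorithm, key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        rdata = self.rdata()
        if self.algorithm == 1:
            # RFC 4034 B.1: for RSA/MD5 the tag is the most significant 16 bits
            # of the least significant 24 bits of the modulus (bytes -3 and -2).
            return int.from_bytes(rdata[-3:-1], "big")
        ac = 0                                   # RFC 4034 Appendix B
        for i, b in enumerate(rdata):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_digest(self, hash_name: str = "sha256") -> str:
        """DS digest per RFC 4034 5.1.4: hash(owner name wire format | RDATA)."""
        return hashlib.new(hash_name, owner_to_wire(self.owner) + self.rdata()).hexdigest()


def rsa_components(key: bytes):
    """Split the RSA key layout used by algorithm 1 (RFC 2537) and 5 (RFC 3110)."""
    n, off = key[0], 1
    if n == 0:                                   # long exponent: 2-byte length follows
        n, off = int.from_bytes(key[1:3], "big"), 3
    exponent = int.from_bytes(key[off:off + n], "big")
    modulus = int.from_bytes(key[off + n:], "big")
    return exponent, modulus


def parse_dnskey(text: str) -> DNSKEY:
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64...'."""
    tokens = []
    for line in text.splitlines():               # drop ; comments, then ( )
        tokens += line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    if protocol != 3:
        raise ValueError(f"protocol must be 3 (DNSSEC), got {protocol}")
    key = base64.b64decode("".join(tokens[idx + 4:]), validate=True)
    return DNSKEY(tokens[0], flags, protocol, algorithm, key)


if __name__ == "__main__":
    k = parse_dnskey(F_BEISPIEL_DNSKEY)
    e, n = rsa_components(k.public_key)
    print(f"{k.owner} {k.algorithm_name} zone={k.is_zone_key} ksk={k.is_ksk} "
          f"e={e} modulus={n.bit_length()} bits key tag={k.key_tag()}")
    print("DS SHA-256:", k.ds_digest())
```

Running it shows that the page's RSA/MD5 example is a 512-bit key with public exponent 3, which today would be refused by any validator; the same parser applied to a current zone's DNSKEY RRset gives the key tag and DS digest to compare against the parent's DS record or the trust anchor configured in the resolver.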

Security of the procedure

Publication of a public key via DNS is sufficiently secure only if the corresponding DNSKEY RR is itself protected by DNSSEC, i.e. digitally signed with an RRSIG resource record, and the resolver validates the DNS response against a configured trust anchor. Publication via an X.509 certificate is more secure still, but considerably more involved and expensive.

Related links

  • RFC 4034 - Resource Records for the DNS Security Extensions


Page cached: Wednesday, July 5, 2006 14:16:00