Domain-name-system.org

DS resource record


Page modified: Friday, June 23, 2006 20:29:01

DS resource records serve to chain DNSSEC-signed zones together. In this way several DNS zones can be combined into a chain of trust and validated using only a single public key.

Background

Public key systems are regarded today as efficient and versatile cryptographic procedures. The owner of a key pair can, for example, sign a message with the private key that only he possesses. A receiver can verify this signature with the corresponding public key and thereby be sure that the message actually comes from the sender and has not been altered.

A fundamental problem of public key systems is the distribution of the public keys: how does a user make its public key known to the

The actual problem with deploying DNSSEC is that the number of zones (and thus the number of keys) can grow arbitrarily large. In addition, such keys must be renewed regularly.

The approach is to chain all the zones involved together and to use only the topmost one as the secure entry point. Only for this zone is it necessary to publish the public key out of band.

Structure

A DS record always appears together with an NS resource record. Both refer to a subzone. The DS record holds the hash of the subzone's secure entry point. Each DS entry is digitally signed with the zone key of the zone in which it is located. In this way the public key of the subzone can be validated. A subzone can in turn contain DS records that refer to further subzones. Thus a chain, the so-called chain of trust, is built up starting from the topmost zone.

A DS RR consists of the following fields:

Field        Meaning
Name         name of the delegated subzone
Type         DS (type code 43)
Key tag      identification number of the referenced key
Algorithm    1 = RSA/MD5, 2 = Diffie-Hellman, 3 = DSA
Digest type  1 = SHA-1, 2 = SHA-256
Digest       hash of the subzone's key signing key

Example

In this example the zone f-beispiel.de delegates to the subzone filiale1.f-beispiel.de. The hash given in the DS record corresponds to the key signing key of the subzone filiale1.f-beispiel.de.

filiale1.f-beispiel.de. NS ns.filiale1.f-beispiel.de.
filiale1.f-beispiel.de. DS 52037 1 1 378929E92D7DA04267EE87E802D75C5CA1B5D280

The DS fields are, in order: key tag 52037, algorithm 1 (RSA/MD5), digest type 1 (SHA-1), and the SHA-1 digest itself.
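As an added example (not code from the original page), the following Python derives the DS fields from a child zone's DNSKEY exactly as the Structure section describes, and checks a DS line in the presentation form shown above against a key, which is the comparison a validating resolver makes at each delegation. The DNSKEY values are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed sample DNSKEY (a hypothetical key signing key for filiale1.f-beispiel.de):
# flags 257 (KSK), protocol 3, algorithm 8 (RSA/SHA-256). The key bytes are placeholders.
SAMPLE_OWNER = "filiale1.f-beispiel.de."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG = 257, 3, 8
SAMPLE_PUBKEY = bytes(range(1, 65))

def owner_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B): 16-bit sum over the RDATA with the carry folded back in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF  # for the sample key above this yields 2093

def ds_digest(owner, rdata, digest_type):
    """DS digest (RFC 4034 section 5.1.4, RFC 4509): hash(owner name in wire form | DNSKEY RDATA)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(owner_to_wire(owner) + rdata).hexdigest().upper()

def build_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """The DS fields (key tag, algorithm, digest type, digest) the parent must publish for this key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))

def parse_ds_line(line):
    """Parse presentation form 'owner DS keytag algorithm digesttype digest'."""
    owner, rrtype, tag, alg, dtype, digest = line.split()
    if rrtype.upper() != "DS":
        raise ValueError("not a DS record")
    return owner, (int(tag), int(alg), int(dtype), digest.upper())

def ds_matches(ds_fields, owner, flags, protocol, algorithm, pubkey):
    """Resolver-side check: the parent's DS must equal the DS derived from the child's DNSKEY."""
    tag, alg, dtype, digest = ds_fields
    return build_ds(owner, flags, protocol, algorithm, pubkey, dtype) == (tag, alg, dtype, digest.upper())
```

Calling build_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG, SAMPLE_PUBKEY) gives the record the parent zone would have to publish for the sample key.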

Weak point

To be included in a chain of trust, the public key of a zone must be conveyed to the superordinate (parent) zone. This can be difficult if the parent zone is administered by an entity outside one's own sphere of influence, and this handover therefore offers points of attack.

References

  • RFC 4034 - Resource Records for the DNS Security Extensions
  • RFC 4509 - Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records
