Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 3391)

Abstract

The Domain Name System Security Extensions (DNSSEC) architecture is based on public-key cryptography. A secure DNS zone has one or more keys and signs its resource records with these keys in order to provide two security services: data integrity and authentication. These services protect DNS transactions and make it possible to detect attempted attacks on DNS.

The DNSSEC validation process is based on the establishment of a chain of trust between zones. This chain needs a secure entry point: a DNS zone for which at least one key is trusted. In this paper we study a critical problem associated with key rollover in DNSSEC: the trusted keys rollover problem. We propose an algorithm that allows a resolver to update its trusted keys automatically and securely, without any delay or any break in the DNS service.

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Guette, G., Cousin, B., Fort, D. (2005). Algorithm for DNSSEC Trusted Key Rollover. In: Kim, C. (eds) Information Networking. Convergence in Broadband and Mobile Networking. ICOIN 2005. Lecture Notes in Computer Science, vol 3391. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30582-8_71

  • DOI: https://doi.org/10.1007/978-3-540-30582-8_71

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-24467-7

  • Online ISBN: 978-3-540-30582-8

  • eBook Packages: Computer Science (R0)
