

…at happens when the real DNS reply shows up?
•  Likely not be a problem
   –  There is no outstanding query after fake reply is accepted
   –  So real reply will be discarded

Computer Networks 63

DNSSEC (DNS Security Extensions)
•  Extends DNS with new record types
   –  RRSIG for digital signatures of records
   –  DNSKEY for public keys for validation
   –  DS for public keys for delegation
   –  First version in '97, revised by '05
•  Deployment requires software upgrade at both client and server
   –  Root servers upgraded in 2010
   –  Followed by uptick in deployment

Computer Networks 64, 12/3/13

DNSSEC (2) – New Records
•  As well as the usual A, NS records:
•  RRSIG
   –  Digital signatures of domain records
•  DNSKEY
   –  Public key used for domain RRSIGs
•  DS
   –  Public keys for delegated domain
•  NSEC/NSEC3
   –  Authenticated denial of existence

Computer Networks 65

DNSSEC (3) – Validating Replies
•  Clients query DNS as usual, then validate replies to check that content is authentic
•  Trust anchor is root public keys
   –  Part of DNS client configuration
•  Trust proceeds...