February 2002

A Secure Transaction

Sidebar to the main article: Maximizing BIND DNS Security

When a DNS client queries the sample record www.us.example.com, the DNS Security (DNSSEC) server for the secure zone us.example.com sends the client www.us.example.com's A resource record (RR) together with its SIG RR, and the zone's KEY RR together with that KEY's own SIG RR. If the client is DNSSEC-enabled, it first checks the validity period in the A RR's SIG RR: if the signature inception (start) time is later than the current time, or the signature expiration time is earlier than the current time, the client rejects the A RR. If the validity period is acceptable, the client then uses the public key and the algorithm identified in the KEY RR to verify the signature in the A RR's SIG RR.

After validating the A RR's signature, the client verifies the signature on us.example.com's public key (the key it just used to check the integrity of the A RR). The parent zone example.com signed us.example.com's public key, so the client requests example.com's public key (if the client doesn't already have that key locally or in its cache). If the client trusts example.com's public key, and that key verifies us.example.com's public key, the client accepts that the query response truly came from us.example.com.

The verification of the signer's public key is recursive: the client walks up the chain of parent zones until it reaches a signer it already trusts. In DNSSEC, this trusted signer could be the Internet root zone, served by the Internet root DNS servers. Therefore, you should preconfigure at least one trusted key on a DNSSEC-enabled client's local computer. This key can be the Internet root zone's public key if the client trusts only the root zone.

Suppose a client queries the signed zone us.example.com for a nonexistent record, product.us.example.com. The zone us.example.com doesn't contain that record, so the DNS server instead sends the client the record ns1.us.example.com, which is the record that falls alphabetically immediately before the requested nonexistent name. The NXT record at ns1.us.example.com indicates that the next record in the zone is www.us.example.com. Thus, the client can ascertain that no record exists between ns1.us.example.com and www.us.example.com, so product.us.example.com doesn't exist. Because the NXT RR is itself signed, the client verifies its SIG RR the same way it verified the A RR above before accepting the denial.
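The client-side checks the article walks through, as an added example that is not part of the original article or of BIND: the SIG validity-period check, the walk from the zone's KEY up to a preconfigured trusted key, and the NXT denial-of-existence test. The signature itself is a constructed stand-in (a keyed SHA-256 tag) rather than real public-key cryptography, and all key material, times and records are constructed sample values. The NXT check also handles the zone's last record, whose NXT points back at the apex, which the article's middle-of-zone example does not show.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Sig:
    signer: str      # zone whose KEY RR signed the data
    inception: int   # signature start time (epoch seconds)
    expiration: int  # signature expiration time
    tag: str         # the signature value


def canonical_key(name: str) -> tuple:
    """DNSSEC canonical order: compare labels right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def toy_sign(key: str, data: str) -> str:
    """Constructed stand-in for a public-key signature (keyed SHA-256)."""
    return hashlib.sha256(f"{key}|{data}".encode()).hexdigest()


def sig_time_ok(sig: Sig, now: int) -> bool:
    """Reject a SIG whose inception is in the future or whose expiration has passed."""
    return sig.inception <= now <= sig.expiration


def verify_chain(data, sig, keys, key_sigs, trusted, now) -> bool:
    """Check data's SIG, then verify each zone KEY with its parent's SIG until a trusted key."""
    if not sig_time_ok(sig, now) or toy_sign(keys.get(sig.signer, ""), data) != sig.tag:
        return False
    zone = sig.signer
    while trusted.get(zone) != keys.get(zone):          # stop at a preconfigured trust anchor
        parent_sig = key_sigs.get(zone)                 # SIG over this zone's KEY, made by its parent
        if parent_sig is None or not sig_time_ok(parent_sig, now):
            return False
        if toy_sign(keys.get(parent_sig.signer, ""), keys[zone]) != parent_sig.tag:
            return False
        zone = parent_sig.signer
    return True


def nxt_proves_absence(owner: str, nxt_next: str, qname: str) -> bool:
    """NXT denial: qname sorts strictly between the returned owner and its NXT 'next' name."""
    o, n, q = (canonical_key(x) for x in (owner, nxt_next, qname))
    if n <= o:                  # last NXT in the zone points back at the apex
        return q > o
    return o < q < n


# Constructed sample data: two zone keys, a trust anchor for example.com, one signed A RR.
NOW = 1_012_000_000
KEYS = {"example.com": "key-example", "us.example.com": "key-us"}
TRUSTED = {"example.com": "key-example"}
A_RR = "www.us.example.com A 192.0.2.10"
A_SIG = Sig("us.example.com", NOW - 3600, NOW + 86400, toy_sign(KEYS["us.example.com"], A_RR))
KEY_SIGS = {"us.example.com": Sig("example.com", NOW - 3600, NOW + 86400,
                                  toy_sign(KEYS["example.com"], KEYS["us.example.com"]))}
```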

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.