How keying info gets used to validate DNS information
New releases of BIND in the
winter of '97-98 will integrate cryptographic validity checking. Received
resource records will have their digital signatures checked, to make
sure they are signed by the zone's key. Once the records are
validated, the key will also be validated, to make sure it has been
signed by the super-zone. This validation proceeds up the hierarchy
of zones, to a key that was listed in BIND's config file, such as the
public key for the DNS root zone. Of course, these keys are fetched
and validated once, and are then cached locally, rather than slowing
down each DNS request.
If a zone doesn't publish a key, then BIND will accept any
plausible-looking records, without a digital signature, just like in the
original "insecure" DNS. This provides compatibility with existing
DNS zones, allowing Secure DNS to be gradually introduced throughout
the Internet without disruption.
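The two paragraphs above describe one procedure: check each record's signature against its zone's key, check that key against the parent zone's key, walk up until a key configured in the resolver is reached, cache what has been validated, and accept unsigned records from zones that publish no key. The following is an added example of that logic, not code from BIND or from this page. It is a toy: the zone names, keys and records are constructed, and the signature scheme is textbook RSA with four-digit primes, standing in for the real algorithms only so the chain can be exercised offline. One assumption beyond the text: a zone whose key cannot be chained to a configured key (because its parent is unsigned) is treated like an unsigned zone.

```python
"""Toy model of the Secure DNS validation chain: records -> zone key -> parent key -> configured key."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def sha256_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


# --- Toy signature scheme (textbook RSA, tiny primes). Illustration only, not secure. ---
@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

    def to_bytes(self, zone: str) -> bytes:
        # Canonical form of the zone's KEY record: the thing the parent zone signs.
        return f"{zone} KEY {self.n} {self.e}".encode()


@dataclass(frozen=True)
class KeyPair:
    pub: PublicKey
    d: int


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(PublicKey(n, e), pow(e, -1, phi))


def sign(kp: KeyPair, data: bytes) -> int:
    return pow(sha256_int(data) % kp.pub.n, kp.d, kp.pub.n)


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    return pow(sig, pub.e, pub.n) == sha256_int(data) % pub.n


# --- Zone data as a resolver would receive it ---
@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: tuple
    sig: Optional[int] = None  # signature by the owning zone's key, if any

    def to_bytes(self) -> bytes:
        return f"{self.owner} {self.rtype} {' '.join(self.rdata)}".encode()


@dataclass
class Zone:
    name: str
    parent: Optional[str]
    key: Optional[PublicKey] = None  # None: the zone publishes no key (insecure)
    key_sig: Optional[int] = None    # parent's signature over the KEY record
    records: dict = field(default_factory=dict)  # rtype -> RRset


class ValidationError(Exception):
    """A signature was present but did not verify: the data is rejected."""


class Resolver:
    def __init__(self, zones, trust_anchors):
        self.zones = {z.name: z for z in zones}   # simulated authoritative answers
        self.trust_anchors = dict(trust_anchors)  # keys listed in the "config file"
        self.key_cache = {}                       # zone -> validated key, or None if unsigned

    def validated_key(self, zone_name: str) -> Optional[PublicKey]:
        """Validate a zone's key up the hierarchy to a configured key; cache the result."""
        if zone_name in self.key_cache:
            return self.key_cache[zone_name]
        if zone_name in self.trust_anchors:
            key = self.trust_anchors[zone_name]
        else:
            zone = self.zones[zone_name]
            parent_key = self.validated_key(zone.parent) if zone.key else None
            if zone.key is None or parent_key is None:
                key = None  # unsigned zone, or no signed path to a configured key (assumption)
            elif zone.key_sig is None or not verify(parent_key, zone.key.to_bytes(zone_name), zone.key_sig):
                raise ValidationError(f"key for {zone_name} is not signed by {zone.parent}")
            else:
                key = zone.key
        self.key_cache[zone_name] = key
        return key

    def lookup(self, zone_name: str, rtype: str):
        """Return (rdata, 'secure' | 'insecure'); raise ValidationError on a bad signature."""
        rrset = self.zones[zone_name].records[rtype]
        key = self.validated_key(zone_name)
        if key is None:
            return rrset.rdata, "insecure"  # no key published: accepted as in the original DNS
        if rrset.sig is None or not verify(key, rrset.to_bytes(), rrset.sig):
            raise ValidationError(f"{zone_name} {rtype}: signature does not verify")
        return rrset.rdata, "secure"


def build_example() -> Resolver:
    """Constructed hierarchy: root -> com. -> example.com. (signed) and legacy.com. (no key)."""
    root_kp, com_kp, ex_kp = make_keypair(10007, 10009), make_keypair(10037, 10039), make_keypair(10061, 10067)

    def signed_zone(name, parent, kp, parent_kp, records):
        zone = Zone(name, parent, kp.pub, sign(parent_kp, kp.pub.to_bytes(name)) if parent_kp else None)
        for rtype, rdata in records.items():
            rr = RRset(name, rtype, rdata)
            rr.sig = sign(kp, rr.to_bytes())
            zone.records[rtype] = rr
        return zone

    root = signed_zone(".", None, root_kp, None, {"NS": ("ns.root.example.",)})
    com = signed_zone("com.", ".", com_kp, root_kp, {"NS": ("ns.com.example.",)})
    example = signed_zone("example.com.", "com.", ex_kp, com_kp, {"A": ("192.0.2.1",)})
    legacy = Zone("legacy.com.", "com.")  # publishes no key
    legacy.records["A"] = RRset("legacy.com.", "A", ("192.0.2.2",))
    return Resolver([root, com, example, legacy], {".": root_kp.pub})


if __name__ == "__main__":
    r = build_example()
    print(r.lookup("example.com.", "A"), sorted(r.key_cache))  # validated keys now cached
    print(r.lookup("legacy.com.", "A"))
    r.zones["example.com."].records["A"].rdata = ("198.51.100.9",)  # tamper after signing
    try:
        r.lookup("example.com.", "A")
    except ValidationError as err:
        print("rejected:", err)
```

The first lookup of example.com. walks the chain root -> com. -> example.com. once and leaves all three validated keys in key_cache, so later queries into the same zones check only the record signature. The legacy.com. lookup returns 'insecure' without consulting any key, which is the compatibility behaviour the page describes; a record altered after signing is rejected even though its zone's key is already cached.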