How keying info gets used to validate DNS information

New releases of BIND in the winter of '97-98 will integrate cryptographic validity checking. Received resource records will have their digital signatures checked, to make sure they are signed by the zone's key. Once the records are validated, the key will also be validated, to make sure it has been signed by the super-zone. This validation proceeds up the hierarchy of zones, to a key that was listed in BIND's config file, such as the public key for the DNS root zone. Of course, these keys are fetched and validated once, and are then cached locally, rather than slowing down each DNS request.

If a zone doesn't publish a key, then BIND will accept any plausible-looking records, without a digital signature, just like in the original "insecure" DNS. This provides compatability with existing DNS zones, allowing Secure DNS to be gradually introduced throughout the Internet wihhout disruption.

Next page: Government controls (or the lack thereof) ; Up: Domain Name System Security home page