Abstract
The domain name system is a tree-hierarchical naming system for services that can be accessed over the Internet. At the top of the inverted DNS tree (see Fig. 4.1) is the root. Below the root are generic top-level domains (gTLD) like com, org, net, edu, etc., and country-code top-level domains (ccTLD) like br, ca, etc. A leaf named b.cs.univ.edu in the DNS tree is a server host in the branch cs.univ.edu, which stems from the thicker branch univ.edu, which stems from the even thicker branch edu, which stems from the root of the DNS tree.
Notes
1. Note that zone univ.edu (or even edu) cannot be authoritative for the zone dserv.net. Thus, while univ.edu can provide an authoritative response regarding the name of the ANS for the child zone cs.univ.edu, it cannot provide an authoritative A-type record for the server ns1.dserv.net. To avoid possible circular dependency problems, the necessary nonauthoritative A-type records are included as glue records.
2. Typically, IP addresses of LDNSs are provided to a host by a DHCP server. In UNIX-like machines the IP addresses of LDNSs are stored in the file /etc/resolv.conf.
3. Typically chosen by the operating system.
4. Or, more generally, can exert some form of control over a computer in the same LAN as the server or the resolver.
5. If the next hop is an LDNS, when an invalid response is received, the LDNS will send the query again or query another ANS. Similarly, if the next hop is a stub resolver C, then C will resend the query or query another LDNS.
6. The value W is obtained from the NS-type RRSet for the parent zone W, which was obtained by querying W’s parent—the root.
7. Just as there is nothing that stops an authority of example.com from signing an RRSet for www.yahoo.com in DNSSEC, in TCB-DNS a zone authority can authenticate any value. However, resolvers will not accept the RRSet as valid, as \(Z_{name} = h(\mbox{\tt example.com})\) is not a parent of www.yahoo.com.
8. The TTL value specifies how long an RR can be cached by resolvers.
9. Thus, there are two ways in which NSEC3 fails to realize assurance A3: (i) by being susceptible to simple dictionary attacks; and (ii) by disclosing unsolicited types for a name.
10. After all, what is the use of the secret if access to the secret is not controlled?
© 2014 Springer International Publishing Switzerland
Cite this chapter
Ramkumar, M. (2014). MLS for Internet Security Protocols. In: Symmetric Cryptographic Protocols. Springer, Cham. https://doi.org/10.1007/978-3-319-07584-6_4
DOI: https://doi.org/10.1007/978-3-319-07584-6_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07583-9
Online ISBN: 978-3-319-07584-6
eBook Packages: Engineering (R0)