
MLS for Internet Security Protocols

  • Chapter
  • Book: Symmetric Cryptographic Protocols

Abstract

The domain name system (DNS) is a tree-structured, hierarchical naming system for services that can be accessed over the Internet. At the top of the inverted DNS tree (see Fig. 4.1) is the root. Below the root are generic top-level domains (gTLDs) like com, org, net, edu, etc., and country-code top-level domains (ccTLDs) like br, ca, etc. A leaf named b.cs.univ.edu in the DNS tree is a server host in the branch cs.univ.edu, which stems from the thicker branch univ.edu, which stems from the even thicker branch edu, which in turn stems from the root of the DNS tree.


Notes

  1. Note that zone univ.edu (or even edu) cannot be authoritative for the zone dserv.net. Thus, while univ.edu can provide an authoritative response regarding the name of the ANS for the child zone cs.univ.edu, it cannot provide an authoritative A-type record for the server ns1.dserv.net. To avoid possible circular dependency problems, the necessary nonauthoritative A-type records are included as glue records.

  2. Typically, the IP addresses of LDNSs are provided to a host by a DHCP server. On UNIX-like machines the IP addresses of the LDNSs are stored in the file /etc/resolv.conf.

  3. Typically chosen by the operating system.

  4. Or, more generally, can exert some form of control over a computer in the same LAN as the server or the resolver.

  5. If the next hop is an LDNS, then when an invalid response is received the LDNS will resend the query or query another ANS. Similarly, if the next hop is a stub resolver C, then C will resend the query or query another LDNS.

  6. The value W is obtained from the NS-type RRSet for the parent zone W, which was obtained by querying W's parent, the root.

  7. Just as there is nothing that stops an authority of example.com from signing an RRSet for www.yahoo.com in DNSSEC, in TCB-DNS a zone authority can authenticate any value. However, resolvers will not accept the RRSet as valid, as \(Z_{name} = h(\texttt{example.com})\) is not a parent of www.yahoo.com.

  8. The TTL value specifies how long an RR can be cached by resolvers.

  9. Thus, there are two ways in which NSEC3 fails to realize assurance A3: (i) by being susceptible to simple dictionary attacks; and (ii) by disclosing unsolicited types for a name.

  10. After all, what is the use of the secret if access to the secret is not controlled?
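To make the tree walk described in the abstract, the glue-record point of note 1 and the parent-of check of note 7 concrete, the following is an added example, not code from the chapter: an iterative resolver over a constructed in-memory DNS tree. All zone names, nameserver names and addresses (drawn from the RFC 5737 documentation ranges) are constructed, and the functions resolve, query and is_ancestor_or_equal are hypothetical helpers written for this illustration. It goes beyond note 1 in showing both the out-of-bailiwick case (ns1.dserv.net, which the resolver can still fetch via net. when univ.edu carries no glue for it) and the in-bailiwick case (a.gtld-servers.net inside net.), where a missing glue record makes the walk circular.

```python
"""Iterative resolution over a toy, in-memory DNS tree (added example; the
zones, names and addresses below are constructed, not from the chapter).
Shows the walk from the root down to b.cs.univ.edu, when a referral needs
glue, and the parent-of check a resolver applies before following a referral."""

# Constructed zone data: per zone, child delegations (NS), authoritative
# addresses (A) and non-authoritative glue addresses for delegated nameservers.
ZONES = {
    ".": {"NS": {"edu.": ["a.edu-servers.net."], "net.": ["a.gtld-servers.net."]},
          "A": {}, "GLUE": {"a.edu-servers.net.": "192.0.2.10",
                            "a.gtld-servers.net.": "192.0.2.20"}},
    "edu.": {"NS": {"univ.edu.": ["ns.univ.edu."]}, "A": {},
             "GLUE": {"ns.univ.edu.": "192.0.2.30"}},            # in-bailiwick NS
    "net.": {"NS": {"dserv.net.": ["ns1.dserv.net."]}, "A": {},
             "GLUE": {"ns1.dserv.net.": "198.51.100.1"}},
    "univ.edu.": {"NS": {"cs.univ.edu.": ["ns1.dserv.net."]},   # out-of-bailiwick NS (note 1)
                  "A": {"ns.univ.edu.": "192.0.2.30"},
                  "GLUE": {"ns1.dserv.net.": "198.51.100.1"}},   # non-authoritative copy
    "dserv.net.": {"NS": {}, "A": {"ns1.dserv.net.": "198.51.100.1"}, "GLUE": {}},
    "cs.univ.edu.": {"NS": {}, "A": {"b.cs.univ.edu.": "203.0.113.7"}, "GLUE": {}},
}
# Constructed server map: address -> zones that server is authoritative for.
SERVERS = {"192.0.2.1": ["."], "192.0.2.10": ["edu."], "192.0.2.20": ["net."],
           "192.0.2.30": ["univ.edu."], "198.51.100.1": ["dserv.net.", "cs.univ.edu."]}
ROOT_SERVER = "192.0.2.1"


def labels(name):
    """Labels of a fully qualified name, leaf first; the root has none."""
    return [] if name == "." else name.rstrip(".").split(".")


def is_ancestor_or_equal(zone, name):
    """True if `zone` is `name` itself or lies above it in the DNS tree."""
    zl, nl = labels(zone), labels(name)
    return len(zl) <= len(nl) and nl[len(nl) - len(zl):] == zl


def query(server, name, zones):
    """One query to an authoritative server; returns a reply tuple."""
    hosted = [z for z in SERVERS[server] if is_ancestor_or_equal(z, name)]
    if not hosted:
        return ("REFUSED",)
    zone = max(hosted, key=lambda z: len(labels(z)))   # closest enclosing zone
    data = zones[zone]
    if name in data["A"]:
        return ("ANSWER", data["A"][name])
    for child, ns_names in data["NS"].items():
        if is_ancestor_or_equal(child, name):           # delegate downward
            glue = {n: data["GLUE"][n] for n in ns_names if n in data["GLUE"]}
            return ("REFERRAL", child, ns_names, glue)
    return ("NXDOMAIN",)


def resolve(name, zones=ZONES, _pending=frozenset()):
    """Walk from the root to an A record for `name`; raises on circular delegation."""
    if name in _pending:
        raise RuntimeError(f"circular dependency: resolving {name} requires {name}")
    pending = _pending | {name}
    server, zone = ROOT_SERVER, "."
    while True:
        reply = query(server, name, zones)
        if reply[0] == "ANSWER":
            return reply[1]
        if reply[0] != "REFERRAL":
            raise LookupError(f"{name}: {reply[0]} from zone {zone}")
        _, child, ns_names, glue = reply
        # Parent-of check (cf. note 7): accept only a referral to a child of the
        # zone we asked, and only if that child encloses the name we want.
        if not (is_ancestor_or_equal(zone, child) and zone != child
                and is_ancestor_or_equal(child, name)):
            raise ValueError(f"out-of-bailiwick referral to {child} from {zone}")
        ns = ns_names[0]
        # Glue is non-authoritative but lets us contact the child's server at
        # once; without it the nameserver's name must be resolved from the root.
        server = glue[ns] if ns in glue else resolve(ns, zones, pending)
        zone = child


def without_glue(zones, only=None):
    """Copy of the tree with glue removed from every zone (or just from `only`)."""
    return {z: ({**d, "GLUE": {}} if only in (None, z) else d) for z, d in zones.items()}


def demo():
    out = {"with_glue": resolve("b.cs.univ.edu.")}
    # Glue dropped only at univ.edu: ns1.dserv.net lies outside univ.edu, so its
    # address is fetched from the root via net. and the walk still succeeds.
    out["no_glue_for_out_of_bailiwick_ns"] = resolve("b.cs.univ.edu.", without_glue(ZONES, "univ.edu."))
    # No glue anywhere: the root delegates net. to a.gtld-servers.net, whose
    # address lives inside net. itself, so the walk cannot even begin.
    try:
        out["no_glue_anywhere"] = resolve("b.cs.univ.edu.", without_glue(ZONES))
    except RuntimeError as err:
        out["no_glue_anywhere"] = f"failed: {err}"
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The parent-of check in resolve is the resolver-side counterpart of note 7: a referral is followed only when it points strictly below the zone being asked and that child zone encloses the queried name, so a server answering for example.com cannot steer the walk toward www.yahoo.com.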

Author information

Corresponding author: Mahalingam Ramkumar.


Copyright information

© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Ramkumar, M. (2014). MLS for Internet Security Protocols. In: Symmetric Cryptographic Protocols. Springer, Cham. https://doi.org/10.1007/978-3-319-07584-6_4

  • DOI: https://doi.org/10.1007/978-3-319-07584-6_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-07583-9

  • Online ISBN: 978-3-319-07584-6

  • eBook Packages: Engineering (R0)
