DNSSEC Inline Signing
Abstract
Systems and methods of performing incremental DNSSEC signing at a registry are described in which digital signature operations may be performed as part of a single transaction including DNS add, update, and/or delete operations and the like. Exemplary methods may include receiving a domain command from a requester, the domain command including an identifier of a domain. The received domain command may be executed with respect to data stored by the registry for the domain. As part of an individual transaction including the execution of the domain command, the registry may also sign DNSSEC records for the domain using a private key of an authoritative server. After the DNSSEC records have been signed, the registry may incrementally publish the signed DNSSEC records to a separate server. Exemplary methods may also include “look-aside” operations in which, for example, add, update, and/or delete operations may be executed on data stored in a registry database and reported to a requester, prior to applying digital-signatures to the DNSSEC data. After reporting that the instructions have been executed, the registry may generate a digital signature based on the add, update, and/or delete changes, and commit the digital signature to a registry resolution database.
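The inline-signing transaction described in the abstract, sketched as an added example that is not taken from the patent or from any registry's code. The table names, function names and sample records are assumptions, and an HMAC over the record set stands in for the RSA/ECDSA RRSIG a real signer would produce; publication to the DNS infrastructure is left out.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key. HMAC stands in for the RRSIG a real signer would produce.
DEMO_KEY = b"constructed-demo-key"

def open_registry():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    db.execute("CREATE TABLE ds (domain TEXT, rdata TEXT)")
    db.execute("CREATE TABLE rrsig (domain TEXT PRIMARY KEY, sig TEXT)")
    return db

def ds_rrset(db, domain):
    rows = db.execute("SELECT rdata FROM ds WHERE domain = ?", (domain,))
    return sorted(r[0] for r in rows)

def sign_rrset(domain, rdatas):
    msg = "\n".join([domain] + sorted(rdatas)).encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()

def domain_command(db, op, domain, rdata, signer=sign_rrset):
    """Apply one add/delete and re-sign the changed RRset in the same transaction."""
    db.execute("BEGIN IMMEDIATE")
    try:
        before = ds_rrset(db, domain)
        if op == "add":
            db.execute("INSERT INTO ds VALUES (?, ?)", (domain, rdata))
        elif op == "delete":
            db.execute("DELETE FROM ds WHERE domain = ? AND rdata = ?", (domain, rdata))
        else:
            raise ValueError(f"unsupported op: {op}")
        after = ds_rrset(db, domain)
        if after != before:  # DNSSEC data changed, so the signature must change too
            db.execute("DELETE FROM rrsig WHERE domain = ?", (domain,))
            if after:
                db.execute("INSERT INTO rrsig VALUES (?, ?)", (domain, signer(domain, after)))
        db.execute("COMMIT")  # data and signature become visible together
        return True
    except Exception:
        db.execute("ROLLBACK")  # a failed signing leaves no unsigned change behind
        return False

def is_consistent(db, domain):
    """True when the stored signature matches the stored RRset (or both are absent)."""
    row = db.execute("SELECT sig FROM rrsig WHERE domain = ?", (domain,)).fetchone()
    rrset = ds_rrset(db, domain)
    if not rrset:
        return row is None
    return row is not None and hmac.compare_digest(row[0], sign_rrset(domain, rrset))
```

Passing a `signer` that raises shows the property that matters operationally: the command is rejected and the previously signed state is still intact and verifiable.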
23 Claims
1. A method of performing DNSSEC signing at a registry comprising:
- receiving a domain command from a requester, the domain command including an identifier of a domain;
- executing the received domain command with respect to data stored by the registry for the domain;
- identifying DNSSEC data changes;
- as part of an individual transaction including the execution of the domain command, sign DNSSEC records for the domain based on the identified DNSSEC data changes using a private key of an authoritative server;
- committing the transaction at the registry; and
- propagating the committed transaction to the DNS infrastructure.

12. A DNSSEC signing system for a registry comprising:
- a processor; and
- a storage device including computer readable code that, when executed by the processor, causes the signing server act as an authoritative server to;
- receive a first command from a requester to at least one of add, update, or delete a DNSSEC-related domain name supported by the registry;
- execute instructions from the first command to add, update, or delete data stored in a registry database;
- as part of an individual transaction including the execution of the instructions from the first command, generate a digital signature based on the add, update, or delete changes;
- commit the digital signature to a registry resolution database.

14. The system of claim wherein the processor is configured to sign DNS records for at least two domains from a plurality of registrars.
18. A DNSSEC signing system for a registry comprising:
- a processor; and
- a storage device including computer readable code that, when executed by the processor, causes the signing server act as an authoritative server to;
- receive a first command from a requester to at least one of add, update, or delete a DNSSEC-related domain name to, in, or from the registry;
- execute instructions from the first command to add, update, and/or delete data stored in a registry database, wherein the execution does not include applying digital-signature data;
- report to the requester that the instructions have been executed;
- generate a digital signature based on the add, update, and/or delete changes; and
- commit the digital signature to a registry resolution database.

21. A DNSSEC signing system for a registry comprising:
- a processor; and
- a storage device including computer readable code that, when executed by the processor, causes the signing server act as an authoritative server to;
- receive a first command from a requester to at least one of add, update, or delete a DNSSEC-related domain name to, in, or from the registry;
- execute instructions from the first command to add, update, and/or delete data stored in a registry database, wherein the execution does not include applying digital-signature data;
- generate a database entry indicating pending DNSSEC changes related to the first command;
- generate a digital signature based on the add, update, and/or delete changes; and
- clear the database entry.

Specification