DNSSEC Inline Signing

US 20120278626A1
Filed: 04/29/2011
Published: 11/01/2012
Est. Priority Date: 04/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method of performing DNSSEC signing at a registry comprising:

receiving a domain command from a requester, the domain command including an identifier of a domain;

executing the received domain command with respect to data stored by the registry for the domain;

identifying DNSSEC data changes;

as part of an individual transaction including the execution of the domain command, sign DNSSEC records for the domain based on the identified DNSSEC data changes using a private key of an authoritative server;

committing the transaction at the registry; and

propagating the committed transaction to the DNS infrastructure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of performing incremental DNSSEC signing at a registry are described in which digital signature operations may be performed as part of a single transaction including DNS add, update, and/or delete operations and the like. Exemplary methods may include receiving a domain command from a requester, the domain command including an identifier of a domain. The received domain command may be executed with respect to data stored by the registry for the domain. As part of an individual transaction including the execution of the domain command, the registry may also sign DNSSEC records for the domain using a private key of an authoritative server. After the DNSSEC records have been signed, the registry may incrementally publish the signed DNSSEC records to a separate server. Exemplary methods may also include “took-aside” operations in which, for example, add, update, and/or delete operations may be executed on data stored in a registry database and reported to a requester, prior to applying digital-signatures to the DNSSEC data. After reporting that the instructions have been executed, the registry may generate a digital signature based on the add, update, and/or delete changes, and commit the digital signature to a registry resolution database.

51 Citations

View as Search Results

23 Claims

1. A method of performing DNSSEC signing at a registry comprising:
- receiving a domain command from a requester, the domain command including an identifier of a domain;
  
  executing the received domain command with respect to data stored by the registry for the domain;
  
  identifying DNSSEC data changes;
  
  as part of an individual transaction including the execution of the domain command, sign DNSSEC records for the domain based on the identified DNSSEC data changes using a private key of an authoritative server;
  
  committing the transaction at the registry; and
  
  propagating the committed transaction to the DNS infrastructure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the domain command includes one or more DNSSEC Delegation Signer (DS) elements.
  - 3. The method of claim 1, wherein the domain command includes one or more DNSKEY elements that generates one or more associated DNSSEC Delegation Signer (DS) records.
  - 4. The method of claim 1, further comprising incrementally publishing the signed DNSSEC records to a separate server.
  - 5. The method of claim 4, wherein the signed DNSSEC records are incrementally published to a plurality of separate DNS servers.
  - 6. The method of claim 1, wherein the domain is at least a second level domain under a Top Level Domain of the registry.
  - 7. The method of claim 1, wherein the method is performed for domains from a plurality of registrars by an authoritative server of the registry.
  - 8. The method of claim 1, wherein the signing of DNS records is performed for at least two domains from a plurality of registrars by an authoritative server of the registry.
  - 9. The method of claim 1, wherein the signing of DNS records is performed by a plurality of signing servers for the registry.
  - 10. The method of claim 1, wherein the domain command is at least one of an add, an update, and a delete command for the domain.
  - 11. The method of claim 1, further comprising committing changes to NSEC or NSEC3 chains based on the at least one of add, update, and delete command.

12. A DNSSEC signing system for a registry comprising:
- a processor; and
  
  a storage device including computer readable code that, when executed by the processor, causes the signing server act as an authoritative server to;
  
  receive a first command from a requester to at least one of add, update, or delete a DNSSEC-related domain name supported by the registry;
  
  execute instructions from the first command to add, update, or delete data stored in a registry database;
  
  as part of an individual transaction including the execution of the instructions from the first command, generate a digital signature based on the add, update, or delete changes;
  
  commit the digital signature to a registry resolution database.
- View Dependent Claims (13, 15, 16, 17)
- - 13. The system of claim 12, wherein the domain is at least a second level domain under a Top Level Domain of the registry.
  - 15. The system of claim 12, wherein the processor is further configured to incrementally publish the signed DNSSEC records to a plurality of separate DNS servers,
  - 16. The system of claim 12, further comprising a plurality of signing servers configured to sign DNS records for the registry.
  - 17. The system of claim 12, wherein the processor is further configured to commit changes to NSEC or NSEC3 chains based on the at least one of add, update, and delete command.

14. The system of claim wherein the processor is configured to sign DNS records for at least two domains from a plurality of registrars.

18. A DNSSEC signing system for a registry comprising:
- a processor; and
  
  a storage device including computer readable code that, when executed by the processor, causes the signing server act as an authoritative server to;
  
  receive a first command from a requester to at least one of add, update, or delete a DNSSEC-related domain name to, in, or from the registry;
  
  execute instructions from the first command to add, update, and/or delete data stored in a registry database, wherein the execution does not include applying digital-signature data;
  
  report to the requester that the instructions have been executed;
  
  generate a digital signature based on the add, update, and/or delete changes; and
  
  commit the digital signature to a registry resolution database.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein non-DNSSEC changes and DNSSEC changes are published by the system asynchronously to the DNS.
  - 20. The system of claim 19, wherein the processor is further configured to commit changes to NSEC or NSEC3 chains based on the add, update, and/or delete changes.

21. A DNSSEC signing system for a registry comprising:
- a processor; and
  
  a storage device including computer readable code that, when executed by the processor, causes the signing server act as an authoritative server to;
  
  receive a first command from a requester to at least one of add, update, or delete a DNSSEC-related domain name to, in, or from the registry;
  
  execute instructions from the first command to add, update, and/or delete data stored in a registry database, wherein the execution does not include applying digital-signature data;
  
  generate a database entry indicating pending DNSSEC changes related to the first command;
  
  generate a digital signature based on the add, update, and/or delete changes; and
  
  clear the database entry.
- View Dependent Claims (22, 23)
- - 22. The system of claim 21, wherein the processor is further configured to publish the database entry to the DNS.
  - 23. The system of claim 21, wherein the processor is further configured to commit changes to NSEC or NSEC3 chains based on the add, update, and/or delete changes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Smith, David, Gould, James, Essawi, Tarik, Blacka, David, Veeramachani, Srikanth

Granted Patent

US 8,645,700 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

H04L 61/4511 using domain name system [DNS]

H04L 63/123 received data contents, e.g...

DNSSEC Inline Signing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

DNSSEC Inline Signing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others