Domain name system security extensions (DNSSEC) for global server load balancing

US 9,338,182 B2
Filed: 07/31/2013
Issued: 05/10/2016
Est. Priority Date: 10/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a load balancer, a Domain Name System Security Extensions (DNSSEC) response from a DNS server that is located remotely from the load balancer over a network, the DNSSEC response including a list of IP addresses and an original security signature associated with the list of IP addresses;

reordering, by the load balancer, the list of IP addresses in the DNSSEC response based on one or more metrics, the reordering being performed while preserving the original security signature; and

transmitting, by the load balancer, the DNSSEC response with the reordered list of IP addresses and the original security signature to a client device that is located remotely from the load balancer over the network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided to enable a network device, such as a switch, to perform global server load balancing (GSLB) while operating as a proxy to a domain name system security extensions (DNSSEC)-capable authoritative DNS server. The network device preserves an original signature generated by the DNSSEC-capable authoritative DNS server for a resource record set contained in a DNSSEC reply.

Citations

20 Claims

1. A method comprising:
- receiving, by a load balancer, a Domain Name System Security Extensions (DNSSEC) response from a DNS server that is located remotely from the load balancer over a network, the DNSSEC response including a list of IP addresses and an original security signature associated with the list of IP addresses;
  
  reordering, by the load balancer, the list of IP addresses in the DNSSEC response based on one or more metrics, the reordering being performed while preserving the original security signature; and
  
  transmitting, by the load balancer, the DNSSEC response with the reordered list of IP addresses and the original security signature to a client device that is located remotely from the load balancer over the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising, prior to the reordering:
    - determining whether the DNSSEC response is a Type A response or a Type ANY response.
  - 3. The method of claim 2 wherein, if the DNSSEC response is not a Type A response or a Type ANY response, the load balancer transmits the DNSSEC response to the client device without performing the reordering.
  - 4. The method of claim 1 wherein the security signature is generated by the DNS server.
  - 5. The method of claim 1 further comprising, prior to the reordering:
    - parsing the DNSSEC response to identify the list of IP addresses and the security signature.
  - 6. The method of claim 1 further comprising, by the client device:
    - receiving the DNSSEC response with the reordered list of IP addresses and the unmodified security signature;
      
      placing the reordered list of IP addresses into a canonical order; and
      
      verifying the unmodified security signature based on the canonical order.
  - 7. The method of claim 1 wherein the list of IP addresses is contained within a resource record set of the DNSSEC response.
  - 8. The method of claim 7 wherein the security signature is contained within a resource record signature (RRSIG) record of the DNSSEC response.
  - 9. The method of claim 8 further comprising:
    - modifying, in the resource record set, a time-to-live (TTL) value for a first IP address in the list of IP addresses.
  - 10. The method of claim 9 wherein a copy of the TTL value for the first IP address is included in the RRSIG record, and wherein the modifying of the TTL value for the first IP address in the resource record set does not modify the copy of the TTL value in the RRSIG record.
  - 11. The method of claim 10 further comprising, by the client device:
    - receiving the DNSSEC response with the modified TTL value in the resource record set and the unmodified copy of the TTL value in the RRSIG record; and
      
      replacing, in the resource record set, the modified TTL value with the unmodified copy.
  - 12. The method of claim 1 wherein the load balancer is a network switch.

13. A system comprising:
- a processor; and
  
  a non-transitory computer readable medium having stored program code which, when executed by the processor, causes the processor to;
  
  receive a DNSSEC response from a DNS server that is located remotely from the load balancer over a network, the DNSSEC response including a list of IP addresses and an original security signature associated with the list of IP addresses;
  
  reorder the list of IP addresses in the DNSSEC response based on one or more metrics, the reordering being performed while preserving the original security signature; and
  
  transmit the DNSSEC response with the reordered list of IP addresses and the original security signature to a client device that is located remotely from the load balancer over the network.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13 wherein the DNS server is configurable to generate the security signature included in the DNSSEC response.
  - 15. The system of claim 14 wherein the client is configurable to:
    - receive the DNSSEC response with the reordered list of IP addresses and the unmodified security signature;
      
      place the reordered list of IP addresses into a canonical order; and
      
      verify the unmodified security signature based on the canonical order.

16. A non-transitory computer readable storage medium having stored thereon program code executable by a load balancer, the program code comprising:
- code that causes the load balancer to receive a DNSSEC response from a DNS server that is located remotely from the load balancer over a network, the DNSSEC response including a list of IP addresses and an original security signature associated with the list of IP addresses;
  
  code that causes the load balancer to reorder the list of IP addresses in the DNSSEC response based on one or more metrics, the reordering being performed while preserving the original security signature; and
  
  code that causes the load balancer to transmit the DNSSEC response with the reordered list of IP addresses and the original security signature to a client device that is located remotely from the load balancer over the network.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable storage medium of claim 16 wherein the list of IP addresses is contained within a resource record set of the DNSSEC response.
  - 18. The non-transitory computer readable storage medium of claim 17 wherein the security signature is contained within a resource record signature (RRSIG) record of the DNSSEC response.
  - 19. The non-transitory computer readable storage medium of claim 18 wherein the program code further comprises:
    - code that causes the load balancer to modify, in the resource record set, a TTL value for a first IP address in the list of IP addresses.
  - 20. The non-transitory computer readable storage medium of claim 19 wherein a copy of the TTL value for the first IP address is included in the RRSIG record, and wherein the modifying of the TTL value for the first IP address in the resource record set does not modify the copy of the TTL value in the RRSIG record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Brocade Communications Systems, Inc. (Broadcom, Inc.)
Inventors
Devarapalli, Sridhar J., Joshi, Prajakta S.
Primary Examiner(s)
Dalencourt, Yves

Application Number

US13/956,241
Publication Number

US 20130318602A1
Time in Patent Office

1,014 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/59   using proxies for addressing

H04L 63/0281   Proxies

H04L 63/1441   Countermeasures against mal...

H04L 67/1001   for accessing one among a p...

Domain name system security extensions (DNSSEC) for global server load balancing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Domain name system security extensions (DNSSEC) for global server load balancing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links