Systems and methods for pre-signing of DNSSEC enabled zones into record sets
First Claim
1. A method of conducting domain name system (DNS) operations, comprising:
- accessing, by a processor of a DNS device, a set of policies for operation of a DNS, wherein the DNS uses domain name system with security extensions (DNSSEC), and the DNS device supports a zone of a DNS network;
- generating, by the processor, a set of answers to a plurality of questions associated with a set of domain names of the zone, wherein, based on the set of policies, a first question of the plurality of questions corresponds to a plurality of answers in the set of answers;
- generating a set of signed answers from the set of answers and a set of key data;
- storing the set of signed answers as records in a zone file;
- receiving, via the DNS network, a question from a resolver;
- retrieving a signed answer from the stored set of signed answers based on the question received from the resolver and the set of policies; and
- transmitting, via the DNS network, the signed answer to the resolver,
wherein the records in the zone file comprise a plurality of records storing the plurality of answers corresponding to the first question, each of the plurality of records storing a respective one of the plurality of answers.
Abstract
Implementations relate to systems and methods for pre-signing of DNSSEC enabled zones into record sets. A domain name system (DNS) can receive and/or impose a set of DNS policies desired by an administrator, or the DNS operator itself to govern domain name resolution with security extensions (DNSSEC) for a Web domain. The DNS can generate a set of answers to user questions directed to the domain based on the set of policies. Those answers which differ or vary based on policy rules can be stored as variant answers, and can be labeled with a variant ID. The variant answers can be pre-signed and stored in the DNS. Because key data and other information is generated and stored before a DNS request is received, the requested variant answer can be returned with greater responsiveness and security.
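The pre-signing and policy-based retrieval the abstract describes, as an added illustration that is not part of the patent or of any implementation of it: a constructed zone with two variant answers for one question, signed offline and selected by policy at query time. HMAC-SHA256 stands in for the DNSSEC public-key signature so the code runs offline, and the region-based policy, names and addresses are constructed assumptions.

```python
import hashlib, hmac
from collections import namedtuple

# Constructed sample zone and policy (assumption): one question, two variant
# answers. Resolvers reporting region "eu" get the EU address, others the default.
ANSWERS = {
    ("www.example.test.", "A"): [
        {"variant_id": "eu", "rdata": "198.51.100.10",
         "match": lambda ctx: ctx.get("region") == "eu"},
        {"variant_id": "default", "rdata": "203.0.113.10",
         "match": lambda ctx: True},
    ],
}
SignedRecord = namedtuple(
    "SignedRecord", "qname qtype variant_id rdata inception expiration sig")

def canonical(qname, qtype, variant_id, rdata, inception, expiration):
    # Bytes covered by the signature: owner name, type, variant ID, rdata and
    # the validity window (a simplified stand-in for RRSIG coverage).
    return f"{qname.lower()}|{qtype}|{variant_id}|{rdata}|{inception}|{expiration}".encode()

def sign(key, data):
    # HMAC-SHA256 replaces the zone signing key's public-key signature here.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def presign_zone(key, answers, now, validity=30 * 86400):
    # Offline step: every variant answer is signed before any query arrives and
    # stored as its own record, keyed by (qname, qtype, variant_id).
    zone_file = {}
    for (qname, qtype), variants in answers.items():
        for v in variants:
            vid, exp = v["variant_id"], now + validity
            data = canonical(qname, qtype, vid, v["rdata"], now, exp)
            zone_file[(qname, qtype, vid)] = SignedRecord(
                qname, qtype, vid, v["rdata"], now, exp, sign(key, data))
    return zone_file

def resolve(zone_file, answers, question, resolver_ctx):
    # Online step: the policy picks the variant for this resolver and the
    # matching pre-signed record is returned; nothing is signed at query time.
    for v in answers.get(question, []):
        if v["match"](resolver_ctx):
            return zone_file.get((question[0], question[1], v["variant_id"]))
    return None

def verify(key, rec, now):
    # Validating-resolver check: signature matches and the window is current.
    data = canonical(rec.qname, rec.qtype, rec.variant_id, rec.rdata,
                     rec.inception, rec.expiration)
    return hmac.compare_digest(rec.sig, sign(key, data)) and rec.inception <= now < rec.expiration
```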
24 Claims
1. A method of conducting domain name system (DNS) operations, comprising:
- accessing, by a processor of a DNS device, a set of policies for operation of a DNS, wherein the DNS uses domain name system with security extensions (DNSSEC), and the DNS device supports a zone of a DNS network;
- generating, by the processor, a set of answers to a plurality of questions associated with a set of domain names of the zone, wherein, based on the set of policies, a first question of the plurality of questions corresponds to a plurality of answers in the set of answers;
- generating a set of signed answers from the set of answers and a set of key data;
- storing the set of signed answers as records in a zone file;
- receiving, via the DNS network, a question from a resolver;
- retrieving a signed answer from the stored set of signed answers based on the question received from the resolver and the set of policies; and
- transmitting, via the DNS network, the signed answer to the resolver,
wherein the records in the zone file comprise a plurality of records storing the plurality of answers corresponding to the first question, each of the plurality of records storing a respective one of the plurality of answers.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 21, 23.

11. A system, comprising:
- a network interface coupled with a resolver that transmits a question associated with a set of domain names for a zone, the domain name operating under a domain name system with security extensions (DNSSEC);
- a domain name system (DNS) device supporting a set of zones of a DNS network, the DNS device comprising a processor and a memory device storing a set of instructions that, when executed by the processor, controls the DNS device to perform operations comprising communicating with the resolver via the network interface, the instructions comprising:
  - accessing a set of policies for operation of the domain name system (DNS);
  - generating a set of answers to a plurality of questions associated with the set of zones of a domain name, wherein, based on the set of policies, a first question of the plurality of questions corresponds to a plurality of answers in the set of answers;
  - generating a set of signed answers from the set of answers and a set of key data;
  - storing the set of signed answers as records in a zone file;
  - receiving, via the DNS network, the question from the resolver;
  - retrieving a signed answer from the stored set of signed answers based on the question and the set of policies; and
  - transmitting, via the DNS network, the signed answer to the resolver,
wherein the records in the zone file comprise a plurality of records storing the plurality of answers corresponding to the first question, each of the plurality of records storing a respective one of the plurality of answers.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 22, 24.
Specification