Systems and methods for pre-signing of DNSSEC enabled zones into record sets

US 9,961,110 B2
Filed: 11/27/2013
Issued: 05/01/2018
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method of conducting domain name system (DNS) operations, comprising:

accessing, by a processor of a DNS device, a set of policies for operation of a DNS, wherein the DNS uses domain name system with security extensions (DNSSEC), and the DNS device supports a zone of a DNS network;

generating, by the processor, a set of answers to a plurality of questions associated with a set of domain names of the zone, wherein, based on the set of policies, a first question of the plurality of questions corresponds to a plurality of answers in the set of answers;

generating a set of signed answers from the set of answers and a set of key data;

storing the set of signed answers as records in a zone file;

receiving via the DNS network, a question from a resolver;

retrieving a signed answer from the stored set of signed answers based on the question received from the resolver and the set of policies, andtransmitting via the DNS network, the signed answer to the resolver,wherein the records in the zone file comprise a plurality of records storing the plurality of answers corresponding to the first question, each of the plurality of records storing a respective one of the plurality of answers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations relate to systems and methods for pre-signing of DNSSEC enabled zones into record sets. A domain name system (DNS) can receive and/or impose a set of DNS policies desired by an administrator, or the DNS operator itself to govern domain name resolution with security extensions (DNSSEC) for a Web domain. The DNS can generate a set of answers to user questions directed to the domain based on the set of policies. Those answers which differ or vary based on policy rules can be stored as variant answers, and can be labeled with a variant ID. The variant answers can be pre-signed and stored in the DNS. Because key data and other information is generated and stored before a DNS request is received, the requested variant answer can be returned with greater responsiveness and security.

Citations

24 Claims

1. A method of conducting domain name system (DNS) operations, comprising:
- accessing, by a processor of a DNS device, a set of policies for operation of a DNS, wherein the DNS uses domain name system with security extensions (DNSSEC), and the DNS device supports a zone of a DNS network;
  
  generating, by the processor, a set of answers to a plurality of questions associated with a set of domain names of the zone, wherein, based on the set of policies, a first question of the plurality of questions corresponds to a plurality of answers in the set of answers;
  
  generating a set of signed answers from the set of answers and a set of key data;
  
  storing the set of signed answers as records in a zone file;
  
  receiving via the DNS network, a question from a resolver;
  
  retrieving a signed answer from the stored set of signed answers based on the question received from the resolver and the set of policies, andtransmitting via the DNS network, the signed answer to the resolver,wherein the records in the zone file comprise a plurality of records storing the plurality of answers corresponding to the first question, each of the plurality of records storing a respective one of the plurality of answers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 21, 23)
- - 2. The method of claim 1, wherein accessing the set of policies comprises receiving the set of policies from a user associated with the set of domain names.
  - 3. The method of claim 1, wherein accessing the set of policies comprises applying policies generated by the DNS.
  - 4. The method of claim 1, wherein accessing the set of policies comprises installing a set of default policies.
  - 5. The method of claim 1, wherein generating a set of signed answers comprises generating the set of signed answers using a set of public and private keys stored in the key data.
  - 6. The method of claim 1, wherein the set of policies comprises at least one of the following:
    - a policy based on geo-location data,a policy based on load balancing data,a policy based on time of day information,a policy based on authorization levels, anda policy based on traffic management rules.
  - 7. The method of claim 1, wherein generating a set of answers comprises generating a set of answers based on an Internet protocol (IP) address associated with the resolver and the set of policies.
  - 8. The method of claim 1, wherein the set of answers comprises at least one of the following:
    - a set of Internet protocol (IP) data associated with the set of domain names,ownership information associated with the set of domain names,class information associated with the set of domain names,inception information associated with the set of domain names, andexpiration information associated with the set of domain names.
  - 9. The method of claim 1, further comprising updating the set of policies.
  - 10. The method of claim 9, further comprising updating the set of answers based on the updated set of policies.
  - 21. The method of claim 1, wherein:
    - the set of answers comprises variant answers and non-variant answers;
      
      the variant answers vary based on the set of policies;
      
      the non-variant answers do not vary;
      
      pluralities of the variant answers correspond to respective questions of the plurality of questions;
      
      each of the pluralities of the variant answers comprise all possible answers to the respective questions of the plurality questions given the set of policies and associated domain name records of the set of domain names;
      
      the variant answers are indexed with respective variant IDs; and
      
      the plurality of answers corresponding to the first question of the plurality of questions comprise one of the pluralities of the variant answers.
  - 23. The system of claim 21, wherein the set of policies comprises at least one of the following:
    - a policy based on geo-location data,a policy based on time of day information, anda policy based on authorization levels.

11. A system, comprising:
- a network interface coupled with a resolver that transmits a question associated with a set of domain names for a zone, the domain name operating under a domain name system with security extensions (DNSSEC);
  
  a domain name system (DNS) device supporting a set of zones of a DNS network, the DNS device comprising a processor and a memory device storing a set of instructions that, when executed by the processor, controls the DNS device to perform operations comprising;
  
  communicating with the resolver via the network interface, the instructions comprising;
  
  accessing a set of policies for operation of the domain name system (DNS);
  
  generating a set of answers to a plurality of questions associated with the set of zones of a domain name, wherein based on the set of policies, a first question of the plurality of questions corresponds to a plurality of answers in the set of answers;
  
  generating a set of signed answers from the set of answers and a set of key data;
  
  storing the set of signed answers as records in a zone file;
  
  receiving, via the DNS network, the question from the resolver;
  
  retrieving a signed answer from the stored set of signed answers based on the question and the set of policies; and
  
  transmitting, via the DNS network, the signed answer to the resolver,wherein the records in the zone file comprise a plurality of records storing the plurality of answers corresponding to the first question, each of the plurality of records storing a respective one of the plurality of answers.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 22, 24)
- - 12. The system of claim 11, wherein accessing the set of policies comprises receiving a set of policies from a user associated with the domain name.
  - 13. The system of claim 11, wherein accessing the set of policies comprises applying policies generated by the DNS.
  - 14. The system of claim 11, wherein accessing the set of policies comprises installing a set of default policies.
  - 15. The system of claim 11, wherein generating a set of signed answers comprises generating the set of signed answers using a set of public and private keys stored in the key data.
  - 16. The system of claim 11, wherein the set of policies comprises at least one of the following:
    - a policy based on geo-location data,a policy based on load balancing data,a policy based on time of day information,a policy based on authorization levels, anda policy based on traffic management rules.
  - 17. The system of claim 11, wherein generating a set of answers comprises generating a set of answers based on an Internet protocol (IP) address associated with the resolver and the set of policies.
  - 18. The system of claim 11, wherein the set of answers comprises at least one of the following:
    - a set of Internet protocol (IP) data associated with the set of domain names,ownership information associated with the set of domain names,class information associated with the set of domain names,inception information associated with the set of domain names, andexpiration information associated with the set of domain names.
  - 19. The system of claim 11, wherein the processor is further configured to update the set of policies.
  - 20. The system of claim 19, wherein the processor is further configured to update the set of answers based on the updated set of policies.
  - 22. The system of claim 11, wherein:
    - the set of answers comprises variant answers and non-variant answers;
      
      the variant answers vary based on the set of policies;
      
      the non-variant answers do not vary;
      
      pluralities of the variant answers correspond to respective questions of the plurality of questions;
      
      each of the pluralities of the variant answers comprise all possible answers to the respective questions of the plurality questions given the set of policies and associated domain name records of the set of domain names;
      
      the variant answers are indexed with respective variant IDs; and
      
      the plurality of answers corresponding to the first question of the plurality of questions comprise one of the pluralities of the variant answers.
  - 24. The system of claim 22, wherein the set of policies comprises at least one of the following:
    - a policy based on geo-location data,a policy based on time of day information, anda policy based on authorization levels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Blacka, David, Pandrangi, Ramakant
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Le, Canh

Application Number

US14/092,528
Publication Number

US 20140282847A1
Time in Patent Office

1,616 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

Systems and methods for pre-signing of DNSSEC enabled zones into record sets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for pre-signing of DNSSEC enabled zones into record sets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links