Secret Key Transaction Authentication for DNS (TSIG)

Vixie, Paul; Gudmundsson, O.; Eastlake, D.; Wellington, B.

doi:10.17487/rfc2845

Cited by 68 publications

(41 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On top of that, we defined some new resource records such as HID and PK to store the host ID and public key, respectively. The DNR records are created by DNS UPDATE [9] using a TSIG (transactional signature) [10] for protecting the message integrity. Both the DNR and HNR queries (and responses) issued (and received) by the LNS are structured in formats similar to a DNSSEC query (and response).…”

Section: Methodsmentioning

confidence: 99%

Design and Implementation of Security for HIMALIS Architecture of Future Networks

Kafle

Inoue

et al. 2013

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYFor flexibility in supporting mobility and multihoming in edge networks and scalability of the backbone routing system, future Internet is expected to be based on the concept of ID/locator split. Heterogeneity Inclusion and Mobility Adaptation through Locator ID Separation (HIMALIS) has been designed as a generic future network architecture based on ID/locator split concept. It can natively support mobility, multihoming, scalable backbone routing and heterogeneous protocols in the network layer of the new generation network or future Internet. However, HIMALIS still lacks security functions to protect itself from various attacks during the procedures of storing, updating, and retrieving of ID/locator mappings, such as impersonation attacks. Therefore, in this paper, we address the issues of security functions design and implementation for the HIMALIS architecture. We present an integrated security scheme consisting of mapping registration and retrieval security, network access security, communication session security, and mobility security. Through the proposed scheme, the hostname to ID and locator mapping records can be securely stored and updated in two types of name registries, domain name registry and host name registry. Meanwhile, the mapping records retrieved securely from these registries are utilized for securing the network access process, communication sessions, and mobility management functions. The proposed scheme provides comprehensive protection of both control and data packets as well as the network infrastructure through an effective combination of asymmetric and symmetric cryptographic functions. key words: ID/locator split architecture, security, new generation network, future network

show abstract

Section: Methodsmentioning

confidence: 99%

Design and Implementation of Security for HIMALIS Architecture of Future Networks

Kafle

Inoue

et al. 2013

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…If the Mobile Node can detect that the certificate is not trustworthy, the attack will be foiled when the Mobile Node attempts to set up the IKE SA. Explicit security measures between the DNS server and host, such as DNSSEC [19] or TSIG/TKEY [20] [21], can mitigate the risk of 1) and 2), but these security measures are not widely deployed on end nodes. These security measures are not sufficient to protect the Home Agent address against DoS attack, however, because a node having a legitimate security association with the DNS server could nevertheless intentionally or inadvertently cause the Home Agent address to become the target of DoS.…”

Section: Mn Identitymentioning

confidence: 99%

Mobile IPv6 Bootstrapping in Split Scenario

Giaretta¹,

Kempf²,

Devarapalli³

2007

View full text Add to dashboard Cite

“…If one of these RCODEs is returned, the updater MUST terminate its update attempt. Other RCODEs [13] may indicate that there are problems with the key being used and may mean to try a different key, if available, or to terminate the operation. Because some errors may indicate a misconfiguration of the updater or the DNS server, the updater MAY attempt to signal to its administrator that an error has occurred, e.g., through a log message.…”

Section: Error Return Codesmentioning

confidence: 99%

“…Both DHCP clients and servers SHOULD use some form of update request authentication (e.g., TSIG [13]) when performing DNS updates.…”

Section: Security Considerationsmentioning

confidence: 99%

Resolution of Fully Qualified Domain Name (FQDN) Conflicts among Dynamic Host Configuration Protocol (DHCP) Clients

Stapp¹,

Volz²

2006

View full text Add to dashboard Cite

Secret Key Transaction Authentication for DNS (TSIG)

Cited by 68 publications

References 0 publications

Design and Implementation of Security for HIMALIS Architecture of Future Networks

Design and Implementation of Security for HIMALIS Architecture of Future Networks

Mobile IPv6 Bootstrapping in Split Scenario

Resolution of Fully Qualified Domain Name (FQDN) Conflicts among Dynamic Host Configuration Protocol (DHCP) Clients

Contact Info

Product

Resources

About