6.3 Chaining Through Zones Connected: An Internet Encyclopedia

From RFC 2065, Section 6: The AD and CD Bits and How to Resolve Securely

6.3 Chaining Through Zones

Starting with one or more trusted keys for a zone, it should be possible to retrieve signed keys for its subzones which have a key and, if the zone is not root, for its superzone. Every authoritative secure zone server MUST also include the KEY RR for a super-zone signed by the secure zone via a keyfile directive. This makes it possible to climb the tree of zones if one starts below root. A secure sub-zone is indicated by a KEY RR with non-null key information appearing with the NS RRs for the sub-zone. These make it possible to descend within the tree of zones.

A resolver should keep track of the number of successive secure zones traversed from a starting point to any secure zone it can reach. In general, the lower such a distance number is, the greater the confidence in the data. Data configured via a boot file directive should be given a distance number of zero. If a query encounters different data for the same query with different distance values, that with a larger value should be ignored.

A security-conscious resolver should completely refuse to step from a secure zone into a non-secure zone unless the non-secure zone is certified to be non-secure, or only experimentally secure, by the presence of an authenticated KEY RR for the non-secure zone with the no-key type value or the presence of a KEY RR with the experimental bit set. Otherwise the resolver is getting bogus or spoofed data.

If legitimate non-secure zones are encountered in traversing the DNS tree, then no zone can be trusted as secure that can be reached only via information from such non-secure zones. Since the non-secure zone data could have been spoofed, the "secure" zone reached via it could be counterfeit. The "distance" to data in such zones or zones reached via such zones could be set to 512 or more as this exceeds the largest possible distance through secure zones in the DNS. Nevertheless, continuing to apply secure checks within "secure" zones reached via non-secure zones is a good practice and will, as a practical matter, provide some small increase in security.
