RFC 2845 - Secret Key Transaction Authentication for DNS (TSIG)
This protocol allows for transaction level authentication using shared
secrets and one way hashing. It can be used to authenticate dynamic
updates as coming from an approved client, or to authenticate
responses as coming from an approved recursive name server.
or
RFC 3645 - Generic Security Service Algorithm for Secret Key
Transaction Authentication for DNS (GSS-TSIG)
The Secret Key Transaction Authentication for DNS (TSIG) protocol
provides transaction level authentication for DNS. TSIG is extensible
through the definition of new algorithms. This document specifies an
algorithm based on the Generic Security Service Application Program
Interface (GSS-API) (RFC2743). This document updates RFC 2845.
On 2009Apr23, at 6:32 AM, 马迪 wrote:
Hi, folks.
As we all know, DNSSEC provides origin authentication and integrity
assurance services for DNS data exchanged between DNS resolver and
name-server, while DNSSEC fails to give a means by which the DNS
queries or responses transmitted between a host and a recursive
server could be guaranteed integrity and authentication. For
example, a malicious attacker might hijack the DNS query from a host
and fake a response which will help him commit phishing. So I wonder,
is there someone having a certain solution, more exactly a software
implementation on host, to protect against such attack?
2009-04-23
m...@cnnic.cn
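How the shared-secret MAC described in the RFC 2845 abstract binds a DNS message to a key and a timestamp, as an added example that is not part of the original messages or of either RFC's text. The key name, secret, sample query and timestamp are constructed, and the `hmac-sha256.` algorithm name is an assumption taken from RFC 4635 (RFC 2845 itself specifies HMAC-MD5).

```python
import hashlib, hmac, struct

ALGORITHM = "hmac-sha256."  # assumption: RFC 4635 name; RFC 2845 itself specifies HMAC-MD5

def wire_name(name):
    """Lower-cased, uncompressed DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_mac(secret, message, key_name, time_signed, fudge, request_mac=b""):
    """MAC over [request MAC] + DNS message (TSIG RR removed) + TSIG variables."""
    variables = (wire_name(key_name)
                 + struct.pack("!HI", 255, 0)                   # CLASS ANY, TTL 0
                 + wire_name(ALGORITHM)
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
                 + struct.pack("!HHH", fudge, 0, 0))            # fudge, error, other len
    # A response additionally covers the request's MAC, length-prefixed.
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    return hmac.new(secret, prefix + message + variables, hashlib.sha256).digest()

def tsig_verify(secret, message, key_name, time_signed, fudge, mac, now, request_mac=b""):
    """Return 'OK', 'BADSIG' (MAC mismatch) or 'BADTIME' (outside the fudge window)."""
    expected = tsig_mac(secret, message, key_name, time_signed, fudge, request_mac)
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return "BADSIG"
    if abs(now - time_signed) > fudge:           # limits replay of captured messages
        return "BADTIME"
    return "OK"

# Constructed sample: query for example.com A, hypothetical key name and secret.
KEY_NAME = "host-resolver.example."
SECRET = b"constructed-shared-secret-32byte"
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
         + wire_name("example.com") + struct.pack("!HH", 1, 1))
SIGNED_AT = 1240468320

if __name__ == "__main__":
    mac = tsig_mac(SECRET, QUERY, KEY_NAME, SIGNED_AT, 300)
    print(tsig_verify(SECRET, QUERY, KEY_NAME, SIGNED_AT, 300, mac, SIGNED_AT + 10))
    forged = QUERY.replace(b"example", b"examp1e")
    print(tsig_verify(SECRET, forged, KEY_NAME, SIGNED_AT, 300, mac, SIGNED_AT + 10))
```

The MAC authenticates only the hop between the two holders of the secret, so each host needs its own key provisioned on the recursive server.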