Using Domain Name System Security Extensions In A Mixed-Mode Environment

摘要

A method relates to generating, by a processing device executing a DNS resolver, a first domain name system (DNS) query comprising a DNS request generated from an application executing on the processing device to query a first DNS server serving a first DNS zone connected to the processing device via a public network, receiving, from the first DNS server, a first resource record comprising a DNS answer to the DNS query, a second resource record comprising a digital signature generated by signing the DNS answer with a first private key of the first DNS zone, a third resource record comprising a first public key for verifying the digital signature, and one or more files for validating a chain of trust of the first public key, determining, by the processing device in view of the one or more files, that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust, and generating a second DNS query comprising the DNS request to query a second DNS server residing in a private network of the processing device.

主权项

1. A method comprising:
generating, by a processing device executing a DNS resolver, a first domain name system (DNS) query comprising a DNS request generated from an application executing on the processing device to query a first DNS server serving a first DNS zone connected to the processing device via a public network; receiving, from the first DNS server, a first resource record comprising a DNS answer to the DNS query, a second resource record comprising a digital signature generated by signing the DNS answer with a first private key of the first DNS zone, a third resource record comprising a first public key for verifying the digital signature, and one or more files for validating a chain of trust of the first public key; determining, by the processing device in view of the one or more files, that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust; and generating a second DNS query comprising the DNS request to query a second DNS server residing in a private network of the processing device.