| 摘要 |
<p num="1"><br/><br/> The process of signing and then publishing a DNS zone according to the IETF<br/>DNSSEC protocols is improved by the present invention, in order to facilitate <br/>the<br/>DNSSEC deployment until most of the DNS zones are signed. The prior art <br/>situation is<br/>that a second-level domain, e.g. example.com, often faces an unwanted status <br/>of<br/>"DNSSEC island of security," and a challenging task of "trust anchor key" out-<br/>of-band<br/>distribution. The invention somehow fixes such broken DNSSEC chains of trust, <br/>e.g. it<br/>fills the gap between a DNSSEC island of security and its signed grandparent <br/>or<br/>ancestor. The invention is deemed useful for the introduction of DNS root <br/>nameservice<br/>substitution for DNSSEC support purposes, and allows opt-in while NSEC3 opt-<br/>out is<br/>awaiting deployment in large TLDs.<br/></p> |
