Using domain name system security extensions in a mixed-mode environment

US9544278B2 · US · B2

Patent metadata
Publication number: US-9544278-B2
Application number: US-201514591121-A
Country: US
Kind code: B2
Filing date: Jan 7, 2015
Priority date: Jan 7, 2015
Publication date: Jan 10, 2017
Grant date: Jan 10, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method relates to generating, by a processing device executing a DNS resolver, a first domain name system (DNS) query comprising a DNS request generated from an application executing on the processing device to query a first DNS server serving a first DNS zone connected to the processing device via a public network, receiving, from the first DNS server, a first resource record comprising a DNS answer to the DNS query, a second resource record comprising a digital signature generated by signing the DNS answer with a first private key of the first DNS zone, a third resource record comprising a first public key for verifying the digital signature, and one or more files for validating a chain of trust of the first public key, determining, by the processing device in view of the one or more files, that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust, and generating a second DNS query comprising the DNS request to query a second DNS server residing in a private network of the processing device.

First claim

Full claim text (claims 1-20).

What is claimed is:

1. A method comprising: transmitting, by a processing device executing a domain name system (DNS) resolver, a first DNS query comprising a DNS request associated with an application to a first DNS server serving a first DNS zone connected to the processing device via a public network; receiving, from the first DNS server, a first resource record comprising a DNS answer to the DNS query, a second resource record comprising a digital signature generated by signing the DNS answer with a first private key of the first DNS zone, a third resource record comprising a first public key to verify the digital signature, and one or more files to validate a chain of trust of the first public key, wherein the one or more files comprise a first file comprising a name of a second DNS server delegated by the first DNS server serving a second DNS zone; determining, by the processing device in view of the one or more files, that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust; and transmitting, by the DNS resolver, a second DNS query comprising the DNS request to a second DNS server residing in a private network of the processing device.

2. The method of claim 1, wherein the first DNS server and the DNS resolver are enabled with domain name system security extensions (DNSSEC), and the second DNS server is not enabled with the DNSSEC.

3. The method of claim 1, further comprising: in response to determining that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust, disabling DNSSEC capability of the DNS resolver; and returning a result from the second DNS server to the application.

4. The method of claim 1, wherein the one or more files further comprise a second file comprising a second public key.

5. The method of claim 4, wherein the third resource record comprises the first public key is signed with a second private key, and wherein the second public key is capable of verifying the signed third resource record.

6. The method of claim 4, wherein determining that the chain of trust of the first public key misses the link comprises determining that the second file is missing.

7. The method of claim 4, wherein the trust anchor is a starting point of the chain of trust, and the trust anchor is obtained from a root DNS zone in a DNS hierarchy comprising the first and second DNS zones.

8. The method of claim 4, wherein the first private key and the first public key form a zone signing key pair for the first zone, and a second private key and the second public form a key signing key pair.

9. A non-transitory machine-readable storage medium storing instructions which, when executed, cause a processing device to: transmit, by the processing device executing a domain name system (DNS) resolver, a first DNS query comprising a DNS request associated with an application to a first DNS server serving a first DNS zone connected to the processing device via a public network; receive, from the first DNS server, a first resource record comprising a DNS answer to the DNS query, a second resource record comprising a digital signature generated by signing the DNS answer with a first private key of the first DNS zone, a third resource record comprising a first public key to verify the digital signature, and one or more files to validate a chain of trust of the first public key, wherein the one or more files comprise a first file comprising a name of a second DNS server delegated by the first DNS server serving a second DNS zone; determine, by the processing device in view of the one or more files, that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust; and transmit, by the DNS resolver, a second DNS query comprising the DNS request to a second DNS server residing in a private network of the processing device.

10. The machine-readable storage medium of claim 9, wherein the first DNS server and the DNS resolver are enabled with domain name system security extensions (DNSSEC), and the second DNS server is not enabled with the DNSSEC.

11. The machine-readable storage medium of claim 9, wherein the processing device is further to: in response to determining that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust, disable DNSSEC capability of the DNS resolver; and return a result from the second DNS server to the application.

12. The machine-readable storage medium of claim 9, wherein the one or more files further comprise a second file comprising a second public key.

13. The machine-readable storage medium of claim 12, wherein the third resource record comprises the first public key is signed with a second private key, and wherein the second public key is capable of verifying the signed third resource record.

14. The machine-readable storage medium of claim 12, wherein determining that the chain of trust of the first public key misses the link comprises determining that the second file is missing.

15. The machine-readable storage medium of claim 9, wherein the trust anchor is a starting point of the chain of trust, and the trust anchor is obtained from a root DNS zone in a DNS hierarchy comprising the first and second DNS zones.

16. A system, comprising: a memory; and a processing device, communicatively coupled to the memory, to execute a domain name system (DNS) resolver to: transmit a first DNS query comprising a DNS request associated with an application to a first DNS server serving a first DNS zone; receive, from the first DNS server, a first resource record comprising a DNS answer to the DNS query, a second resource record comprising a digital signature generated by signing the DNS answer with a first private key of the first DNS zone, a third resource record comprising a first public key to verify the digital signature, and one or more files to validate a chain of trust of the first public key, wherein the one or more files comprise a first file comprising a name of a second DNS server delegated by the first DNS server serving a second DNS zone; determine, in view of the one or more files, that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust; and transmit a second DNS query comprising the DNS request to a second DNS server residing in a private network of the processing device.

17. The system of claim 16, wherein the first DNS server and the DNS resolver are enabled with domain name system security extensions (DNSSEC), and the second DNS server is not enabled with the DNSSEC.

18. The system of claim 16, wherein the one or more files further comprise a second file comprising a second public key.

19. The system of claim 18, wherein the third resource record comprises the first public key is signed with a second private key, and wherein the second public key is capable of verifying the signed third resource record.

20. The system of claim 18, wherein to determine that the chain of trust of the first public key misses the link, the processing device is to determine that the second file is missing.
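Worked example of the mechanism the abstract and claims 1-8 describe: a validating resolver queries a public, DNSSEC-signed zone, receives the answer with its RRSIG, the zone's DNSKEY and the DS links up to the root, checks the chain of trust, and sends the same request to an unsigned server in the private network only when a link or the trust anchor is missing. This is an added illustration written for this page; it is not code from the patent or from Red Hat, and a real resolver would use a DNS library rather than the toy model here. Assumptions: one key per zone acting as both KSK and ZSK (the claims separate them), textbook RSA over fixed Mersenne primes with no padding standing in for the zone's signing algorithm, one-record RRsets, and a constructed hierarchy (root, `example.`, host `app.example.`) with constructed addresses. The DS digest is computed as RFC 4034 specifies (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA), so that part is real. The resolver deliberately distinguishes a missing link from a present-but-failing one: only the former triggers the fallback, the latter is a validation failure (SERVFAIL), because falling back on a bogus chain would turn any forged response into a downgrade.

```python
"""Mixed-mode DNSSEC resolution as the claims describe it: validate the chain of
trust behind an answer from a public, DNSSEC-signed zone, and fall back to a
private, unsigned resolver only when a link in the chain or the trust anchor is
MISSING. A chain that is present but fails verification is bogus, not missing,
and must not trigger the fallback.

ASSUMPTIONS (toy model, not a DNS library): one key per zone serving as both KSK
and ZSK; textbook RSA over fixed Mersenne primes with no padding; RRsets of one
record; zone names, host names and addresses are constructed for the example.
DS digests follow RFC 4034 s.5.1.4: SHA-256(owner name || DNSKEY RDATA)."""
import hashlib

_E = 65537  # RSA public exponent; coprime to (p-1)(q-1) for the primes used below

def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_keypair(p: int, q: int):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, _E), (n, pow(_E, -1, phi))  # (public, private)

def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_h(data) % n, d, n)

def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _h(data) % n

def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 s.6.2): lowercase, length-prefixed labels."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(pub) -> bytes:
    """flags=257 (SEP) | protocol=3 | alg=8 | RFC 3110 key: exponent length, exponent, modulus."""
    n, e = pub
    return (257).to_bytes(2, "big") + b"\x03\x08\x03" + e.to_bytes(3, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def pub_from_dnskey(rdata: bytes):
    exp_len = rdata[4]
    return int.from_bytes(rdata[5 + exp_len:], "big"), int.from_bytes(rdata[5:5 + exp_len], "big")

def ds_digest(zone: str, dnskey: bytes) -> bytes:
    return hashlib.sha256(wire_name(zone) + dnskey).digest()

def signed_bytes(owner: str, rtype: str, rdata: bytes) -> bytes:
    return wire_name(owner) + rtype.encode() + rdata

class SignedZone:
    def __init__(self, name: str, p: int, q: int, parent=None):
        self.name, self.parent = name, parent
        self.pub, self.priv = rsa_keypair(p, q)
        self.records, self.delegations = {}, {}  # delegations: child zone name -> DS digest

    def add(self, owner, rtype, rdata):
        self.records[(owner, rtype)] = rdata

    def delegate(self, child):  # the parent's DS record is the link in the chain of trust
        self.delegations[child.name] = ds_digest(child.name, dnskey_rdata(child.pub))

class PublicDnssecServer:
    """First DNS server: answer, RRSIG, DNSKEY, plus the DS links up to the root."""
    def __init__(self, zone): self.zone = zone

    def query(self, owner, rtype):
        rdata, chain, z = self.zone.records[(owner, rtype)], [], self.zone
        while z is not None:  # leaf -> root; the root's DS is the resolver's trust anchor, not ours
            ds = z.parent.delegations.get(z.name) if z.parent else None
            chain.append({"zone": z.name, "dnskey": dnskey_rdata(z.pub), "ds_from_parent": ds})
            z = z.parent
        return {"answer": rdata, "rrsig": rsa_sign(self.zone.priv, signed_bytes(owner, rtype, rdata)), "chain": chain}

class PrivateServer:
    """Second DNS server inside the private network: unsigned answers only."""
    def __init__(self, records): self.records = records
    def query(self, owner, rtype): return self.records[(owner, rtype)]

class MixedModeResolver:
    def __init__(self, public, private, trust_anchor=None):
        self.public, self.private, self.trust_anchor = public, private, trust_anchor

    def validate(self, owner, rtype, resp) -> str:
        """Return 'secure', 'missing' (no DS or no trust anchor) or 'bogus' (present but wrong)."""
        chain = resp["chain"]
        if not rsa_verify(pub_from_dnskey(chain[0]["dnskey"]), signed_bytes(owner, rtype, resp["answer"]), resp["rrsig"]):
            return "bogus"
        for i, link in enumerate(chain):
            expected = self.trust_anchor if i == len(chain) - 1 else link["ds_from_parent"]
            if expected is None:
                return "missing"
            if expected != ds_digest(link["zone"], link["dnskey"]):
                return "bogus"
        return "secure"

    def resolve(self, owner, rtype="A"):
        resp = self.public.query(owner, rtype)
        status = self.validate(owner, rtype, resp)
        if status == "secure":
            return resp["answer"], "secure"
        if status == "bogus":
            raise LookupError("SERVFAIL: chain of trust present but fails validation")
        return self.private.query(owner, rtype), "insecure"  # claim 3: answer from the second server

def build_scenario(publish_ds=True):
    """Constructed hierarchy: root -> example. (public, signed); private view of app.example."""
    root = SignedZone(".", (1 << 127) - 1, (1 << 107) - 1)
    example = SignedZone("example.", (1 << 89) - 1, (1 << 61) - 1, parent=root)
    if publish_ds:
        root.delegate(example)
    example.add("app.example.", "A", bytes([192, 0, 2, 10]))
    private = PrivateServer({("app.example.", "A"): bytes([10, 0, 0, 10])})
    return PublicDnssecServer(example), private, ds_digest(".", dnskey_rdata(root.pub))

if __name__ == "__main__":
    public, private, anchor = build_scenario()
    print(MixedModeResolver(public, private, anchor).resolve("app.example."))              # secure
    print(MixedModeResolver(public, private, None).resolve("app.example."))                # insecure: no trust anchor
    print(MixedModeResolver(*build_scenario(publish_ds=False)).resolve("app.example."))    # insecure: parent has no DS
```

Two caveats a practitioner would raise against the claimed fallback. First, the example treats an absent DS as "missing" on the word of the public server; a real validator (RFC 4035) only accepts that a delegation is unsigned when the parent proves it with a signed NSEC/NSEC3 record, otherwise an on-path attacker can strip the DS and force every query into the insecure path. Second, claim 3 disables DNSSEC capability of the resolver after one such miss; scoping that to the affected query or zone, as the example does by returning a per-answer status, avoids turning a single unsigned internal delegation into a resolver-wide downgrade.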

Assignees

Red Hat Inc
Inventors

Classifications

  • Network architectures or network communication protocols for network security (cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00; network architectures or network communication protocols for wireless network security H04W12/00; security arrangements for protecting computers or computer systems against unauthorised activity G06F21/00) · CPC title

  • wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption H04L9/30) · CPC title (H04L63/0442, primary)

  • the source of the received data · CPC title

  • Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks · CPC title

  • Electricity · mapped topic

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9544278B2 cover?
A method relates to generating, by a processing device executing a DNS resolver, a first domain name system (DNS) query comprising a DNS request generated from an application executing on the processing device to query a first DNS server serving a first DNS zone connected to the processing device via a public network, receiving, from the first DNS server, a first resource record comprising a DN…
Who is the assignee on this patent?
Red Hat Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0442. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 10, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).