USRE47019E · Active · Utility patent · PatentIndex 82
Methods for DNSSEC proxying and deployment amelioration and systems thereof
Est. expiry: Jul 14, 2030 (~4 yrs left) · nominal 20-yr term from priority
CPC: H04L 9/3247 · H04L 63/08 · H04L 63/126 · H04L 61/1511 · H04L 61/4511
PatentIndex Score: 82
Cited by: 7
References: 1,204
Claims: 36
Abstract
A method, computer readable medium, and device for providing authenticated domain name service includes forwarding at a traffic management device a request for a domain name from a client device to one or more servers coupled to the traffic management device. The traffic management device receives a first response comprising at least a portion of the domain name from the one or more servers. The traffic management device attaches a first signature to the first response when the first response is determined by the traffic management device to be an unauthenticated response, and provides the first response with the first signature to the client device.
Claims
(exact text as granted — not AI-modified)
What is claimed is:
1. A method for providing authenticated domain name service comprising:
forwarding at a traffic management device a domain name system security extension (DNSSEC) type request for a domain name received from a client device to one or more domain name system (DNS) servers;
receiving at the traffic management device a response for at least a portion of the domain name from the one or more servers, wherein the one or more servers are not domain name system security extension (DNSSEC) compliant;
creating at the traffic management device a resource record when the response is determined to be a denial of existence response for the requested domain name;
generating at the traffic management device a signature and signing the response or the resource record using the signature; and
sending at the traffic management device the signed resource record or response to the client device in response to the request.
2. The method as set forth in claim 1 , wherein the one or more servers are authoritative for a zone associated with the at least a portion of the domain name.
3. The method as set forth in claim 1 , wherein the signing further comprises encrypting the response or the resource record using a stored private key, the method further comprising performing at the traffic management device a hash of the encrypted response or resource record prior to the sending.
4. The method as set forth in claim 1 , wherein the at least a portion of the domain name comprises a top-level domain name that is known to be authenticated.
5. The method as set forth in claim 1 , wherein at least one of the first or second server is authoritative for a zone associated with the at least a portion of the domain name.
6. A non-transitory computer readable medium having stored thereon instructions for providing authenticated domain name service comprising machine executable code which when executed by at least one processor, causes the processor to perform steps comprising:
forwarding a domain name system security extension (DNSSEC) type request for a domain name received from a client device to one or more domain name system (DNS) servers;
receiving a response for at least a portion of the domain name from the one or more servers, wherein the one or more servers are not domain name system security extension (DNSSEC) compliant;
creating a resource record when the response is determined to be a denial of existence response for the requested domain name;
generating a signature and signing the response or the resource record using the signature; and
sending the signed resource record or response to the client device in response to the request.
7. The medium as set forth in claim 6 , wherein the one or more servers are authoritative for a zone associated with the at least a portion of the domain name.
8. The medium as set forth in claim 6 , wherein the signing further comprises encrypting the response or the resource record using a stored private key, the medium further having stored thereon instructions comprising machine executable code which when executed by the at least one processor causes the processor to perform steps further comprising performing a hash of the encrypted response or resource record prior to the sending.
9. The medium as set forth in claim 6 , wherein the at least a portion of the domain name comprises a top-level domain name that is known to be authenticated.
10. A traffic management device comprising:
at least one processor; and
a memory coupled to the at least one processor which is configured to be capable of executing programmed instructions stored in the memory to perform steps comprising:
forwarding a domain name system security extension (DNSSEC) type request for a domain name received from a client device to one or more domain name system (DNS) servers;
receiving a response for at least a portion of the domain name from the one or more servers, wherein the one or more servers are not domain name system security extension (DNSSEC) compliant;
creating a resource record when the response is determined to be a denial of existence response for the requested domain name;
generating a signature and signing the response or the resource record using the signature; and
sending the signed resource record or response to the client device in response to the request.
11. The device as set forth in claim 10 , wherein the one or more servers are authoritative for a zone associated with the at least a portion of the domain name.
12. The device as set forth in claim 10 , wherein the signing further comprises encrypting the response or the resource record using a stored private key, the at least one processor further configured to be capable of executing programmed instructions stored in the memory to perform steps further comprising performing a hash of the encrypted first response or resource record prior to the sending.
13. The device as set forth in claim 10 , wherein the at least a portion of the domain name comprises a top-level domain name that is known to be authenticated.
14. A method for providing authenticated domain name service comprising:
forwarding at a traffic management device a domain name system security extension (DNSSEC) type request for a domain name received from a client device to a global server load balancer coupled to at least first domain name system (DNS) server that is not DNSSEC compliant and a second DNS server that is DNSSEC compliant;
receiving at the traffic management device first and second responses for at least a portion of the domain name from the global server load balancer, wherein the first response is from the first server and the second response is from the second server;
generating at the traffic management device a signature and signing the first response using the signature when the first response is determined to be more current than the second response; and
sending at the traffic management device the signed first response to the client device in response to the request.
15. The method as set forth in claim 1 , wherein the first and second responses are denial of existence responses and the method further comprises:
creating at the traffic management device a resource record;
generating at the traffic management device a signature and signing the first or second response or the resource record using the signature; and
sending at the traffic management device the signed resource record or first or second response to the client device in response to the request.
16. The method as set forth in claim 15 , wherein the signing further comprises encrypting the first or second response or the resource record using a stored private key, the method further comprising performing at the traffic management device a hash of the encrypted first or second response or resource record prior to the sending.
17. A non-transitory computer readable medium having stored thereon instructions for providing authenticated domain name service comprising machine executable code which when executed by at least one processor, causes the processor to perform steps comprising:
forwarding a domain name system security extension (DNSSEC) type request for a domain name received from a client device to a global server load balancer coupled to at least first domain name system (DNS) server that is not DNSSEC compliant and a second DNS server that is DNSSEC compliant;
receiving first and second responses for at least a portion of the domain name from the global server load balancer, wherein the first response is from the first server and the second response is from the second server;
generating a signature and signing the first response using the signature when the first response is determined to be more current than the second response; and
sending the signed first response to the client device in response to the request.
18. The medium as set forth in claim 17 , wherein the first and second responses are denial of existence responses and the medium further has stored thereon instructions comprising machine executable code which when executed by the at least one processor causes the processor to perform steps further comprising:
creating at the traffic management device a resource record;
generating at the traffic management device a signature and signing the first or second response or the resource record using the signature; and
sending at the traffic management device the signed resource record or first or second response to the client device in response to the request.
19. The medium as set forth in claim 18 , wherein the signing further comprises encrypting the first or second response or the resource record using a stored private key, the medium further having stored thereon instructions comprising machine executable code which when executed by the at least one processor causes the processor to perform steps further comprising performing a hash of the encrypted first or second response or resource record prior to the sending.
20. The medium as set forth in claim 17 , wherein at least one of the first or second server is authoritative for a zone associated with the at least a portion of the domain name.
21. A traffic management device comprising:
at least one processor; and
a memory coupled to the at least one processor which is configured to be capable of executing programmed instructions stored in the memory to perform steps comprising:
forwarding a domain name system security extension (DNSSEC) type request for a domain name received from a client device to a global server load balancer coupled to at least first domain name system (DNS) server that is not DNSSEC compliant and a second DNS server that is DNSSEC compliant;
receiving first and second responses for at least a portion of the domain name from the global server load balancer, wherein the first response is from the first server and the second response is from the second server;
generating a signature and signing the first response using the signature when the first response is determined to be more current than the second response; and
sending the signed first response to the client device in response to the request.
22. The device as set forth in claim 21 , wherein the first and second responses are denial of existence responses and the at least one processor is further configured to be capable of executing programmed instructions stored in the memory to perform steps further comprising:
creating at the traffic management device a resource record;
generating at the traffic management device a signature and signing the first or second response or the resource record using the signature; and
sending at the traffic management device the signed resource record or first or second response to the client device in response to the request.
23. The device as set forth in claim 22 , wherein the signing further comprises encrypting the first or second response or the resource record using a stored private key, the at least one processor further configured to be capable of executing programmed instructions stored in the memory to perform steps further comprising performing a hash of the encrypted first or second response or resource record prior to the sending.
24. The device as set forth in claim 21 , wherein at least one of the first or second server is authoritative for a zone associated with the at least a portion of the domain name.
25. A non-transitory computer readable medium having stored thereon instructions for providing authenticated domain name service comprising machine executable code which when executed by at least one processor, causes the processor to:
receive a domain name system security extension (DNSSEC) request for a domain name from a DNSSEC compliant computing device; generate a domain name system (DNS) request corresponding to the DNSSEC request for the domain name; send the DNS request for the domain name to one or more DNS servers that are not DNSSEC compliant; receive a DNS compliant response for at least a portion of the domain name from the one or more DNS servers; create a signed resource record that is DNSSEC compliant when the DNS compliant response from the one or more DNS servers is a denial of existence response for the requested domain name; and send the signed resource record to the requesting DNSSEC compliant computing device.
26. The medium as set forth in claim 25, wherein the DNS servers are authoritative for a zone associated with the at least a portion of the domain name.
27. The medium as set forth in claim 25, wherein the executable code, when executed by the processor, further causes the processor to:
encrypt the signed resource record using a stored private key; and perform a hash of the encrypted signed resource record prior to sending the signed resource record to the requesting DNSSEC compliant computing device.
28. The medium as set forth in claim 25, wherein the at least a portion of the domain name comprises a top-level domain name that is known to be authenticated.
29. A method for providing authenticated domain name service implemented by a system comprising one or more network traffic management devices, one or more servers, or one or more clients, the method comprising:
receiving a domain name system security extension (DNSSEC) request for a domain name from a DNSSEC compliant computing device; generating a domain name system (DNS) request corresponding to the DNSSEC request for the domain name; sending the DNS request for the domain name to one or more DNS servers that are not DNSSEC compliant; receiving a DNS compliant response for at least a portion of the domain name from the one or more DNS servers; creating a signed resource record that is DNSSEC compliant when the DNS compliant response from the one or more DNS servers is a denial of existence response for the requested domain name; and sending the signed resource record to the requesting DNSSEC compliant computing device.
30. The method as set forth in claim 29, wherein the DNS servers are authoritative for a zone associated with the at least a portion of the domain name.
31. The method as set forth in claim 29, further comprising:
encrypting the signed resource record using a stored private key; and performing a hash of the encrypted signed resource record prior to sending the signed resource record to the requesting DNSSEC compliant computing device.
32. The method as set forth in claim 25, wherein the at least a portion of the domain name comprises a top-level domain name that is known to be authenticated.
33. A system comprising one or more network traffic management devices, one or more servers, or one or more clients, the system comprising:
one or more processors; and memory comprising programmed instructions stored in the memory, the one or more processors configured to be capable of executing the programmed instructions stored in the memory to:
receive a domain name system security extension (DNSSEC) request for a domain name from a DNSSEC compliant computing device;
generate a domain name system (DNS) request corresponding to the DNSSEC request for the domain name;
send the DNS request for the domain name to one or more DNS servers that are not DNSSEC compliant;
receive a DNS compliant response for at least a portion of the domain name from the one or more DNS servers;
create a signed resource record that is DNSSEC compliant when the DNS compliant response from the one or more DNS servers is a denial of existence response for the requested domain name; and
send the signed resource record to the requesting DNSSEC compliant computing device.
34. The system as set forth in claim 33, wherein the DNS servers are authoritative for a zone associated with the at least a portion of the domain name.
35. The system as set forth in claim 33, wherein the one or more processors are further configured to be capable of executing the programmed instructions stored in the memory to:
encrypt the signed resource record using a stored private key; and perform a hash of the encrypted signed resource record prior to sending the signed resource record to the requesting DNSSEC compliant computing device.
36. The system as set forth in claim 33, wherein the at least a portion of the domain name comprises a top-level domain name that is known to be authenticated.
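Worked example, added here and not code from the patent or its assignee: a small simulation of the proxying that the abstract and claims 1, 25 and 29 describe. A traffic management device forwards a DNSSEC (DO-bit) query to an upstream server that is not DNSSEC compliant; when that server answers with a denial of existence, the device creates a covering NSEC resource record, signs it with its stored private key and returns the signed record to the client. A validating client is included to show what the signed answer must survive. The zone `example.test.`, the `UPSTREAM_ZONE` contents, the textbook-RSA signer, the RRSIG serialisation and all function names are constructed assumptions for illustration; the signer is not a DNSSEC-conformant algorithm.

```python
"""Toy DNSSEC signing proxy in front of an authoritative server that is not
DNSSEC compliant. Zone data, names and the signature scheme are constructed
assumptions, not the patent's implementation."""
import hashlib

# Constructed zone held by the plain, unsigned upstream server.
UPSTREAM_ZONE = {
    "example.test.": {"A": ["192.0.2.1"]},
    "alpha.example.test.": {"A": ["192.0.2.10"]},
    "mail.example.test.": {"A": ["192.0.2.25"]},
    "www.example.test.": {"A": ["192.0.2.80"]},
}

def upstream_query(name, rtype, serial=2024010101):
    """The non-DNSSEC server: answers from its zone or says NXDOMAIN; never signs."""
    if name not in UPSTREAM_ZONE:
        return {"rcode": "NXDOMAIN", "answer": [], "authority": [], "serial": serial}
    rrset = (name, rtype, UPSTREAM_ZONE[name].get(rtype, []))
    return {"rcode": "NOERROR", "answer": [rrset], "authority": [], "serial": serial}

# Toy RSA stand-in for the proxy's stored private key: textbook signing of a
# SHA-256 digest using two Mersenne primes. Real DNSSEC uses RSASHA256 with
# PKCS#1 v1.5 padding or ECDSA/Ed25519 (RFC 8624); this is illustration only.
_P, _Q, PUBLIC_E = 2**127 - 1, 2**89 - 1, 65537
PUBLIC_N = _P * _Q
_PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % PUBLIC_N

def sign(data: bytes) -> int:
    return pow(_digest(data), _PRIVATE_D, PUBLIC_N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, PUBLIC_E, PUBLIC_N) == _digest(data)

def canonical_key(name: str):
    """RFC 4034 section 6.1 canonical order: labels compared right to left, case-folded."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def _rrsig_input(owner, rtype, rdata, inception, expiration) -> bytes:
    return f"{owner} {rtype} {sorted(rdata)} {inception} {expiration}".encode()

def rrsig_for(rrset, inception=1700000000, expiration=1700604800):
    """Sign one RRset; the RRSIG records the covered type and validity window."""
    owner, rtype, rdata = rrset
    sig = sign(_rrsig_input(owner, rtype, rdata, inception, expiration))
    return (owner, "RRSIG", [(rtype, inception, expiration, sig)])

def synthesize_nsec(qname: str):
    """NSEC record whose interval covers the non-existent qname. Assumes the proxy
    knows the zone's owner names (e.g. via zone transfer); without that it would
    emit minimally covering NSECs per RFC 4470. The wildcard-denial NSEC that a
    full NXDOMAIN proof also needs is omitted here."""
    names = sorted(UPSTREAM_ZONE, key=canonical_key)
    k = canonical_key(qname)
    before = [n for n in names if canonical_key(n) < k]
    after = [n for n in names if canonical_key(n) > k]
    owner = before[-1] if before else names[-1]   # closest preceding owner name
    nxt = after[0] if after else names[0]         # last NSEC wraps to the apex
    types = " ".join(sorted(UPSTREAM_ZONE[owner]) + ["NSEC", "RRSIG"])
    return (owner, "NSEC", [f"{nxt} {types}"])

def proxy(query, upstream=upstream_query):
    """Traffic management device: forward the query, then sign what came back."""
    resp = upstream(query["name"], query["type"])
    if not query.get("do"):             # no DO bit: client did not ask for DNSSEC
        return resp
    signed = dict(resp, answer=[], authority=[])
    if resp["rcode"] == "NXDOMAIN":     # denial of existence: create and sign an NSEC
        nsec = synthesize_nsec(query["name"])
        signed["authority"] = [nsec, rrsig_for(nsec)]
    else:
        for rrset in resp["answer"]:
            signed["answer"] += [rrset, rrsig_for(rrset)]
    return signed

def nsec_covers(owner, nxt, qname) -> bool:
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    return o < q < n if o < n else (q > o or q < n)   # else-branch: zone's last NSEC

def validate(resp, qname) -> bool:
    """Validating client: every RRset must carry a good RRSIG, and an NXDOMAIN
    must come with an NSEC whose interval really covers qname."""
    for section in ("answer", "authority"):
        rrsets = {(o, t): r for o, t, r in resp[section] if t != "RRSIG"}
        proven = set()
        for o, t, sigs in resp[section]:
            for covered, inc, exp, sig in (sigs if t == "RRSIG" else []):
                data = _rrsig_input(o, covered, rrsets.get((o, covered), []), inc, exp)
                if not verify(data, sig):
                    return False
                proven.add((o, covered))
        if proven != set(rrsets):       # an unsigned RRset is not authenticated
            return False
    if resp["rcode"] == "NXDOMAIN":
        nsecs = [r for r in resp["authority"] if r[1] == "NSEC"]
        return any(nsec_covers(o, rd[0].split()[0], qname) for o, _, rd in nsecs)
    return True
```

Calling `proxy({"name": "nope.example.test.", "type": "A", "do": True})` returns an NXDOMAIN whose authority section holds the NSEC `mail.example.test. -> www.example.test.` and its RRSIG, and `validate` accepts it for that qname but rejects it for a name outside the interval, for a tampered RRset, and for any RRset that arrives without a signature. Two points the claims leave implicit: the device's private key becomes the sole root of trust for every answer the unsigned zone gives, so it belongs in an HSM or equivalent and its DS record must be published in the parent zone for clients to validate at all; and the NSEC interval computation depends on canonical ordering (`canonical_key`), which is where hand-rolled denial-of-existence logic most often goes wrong.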