crypto-validated?

Jim Reid jim at rfc1035.com
Tue Dec 19 19:45:26 UTC 2000


>>>>> "fred" == fred pasteck <fred_pasteck at yahoo.com> writes:

    fred> Hi. I was interested in what an "Answer crypto-validated by
    fred> server:" message means when performing an nslookup?

Here's what the code says:
	if (headerPtr->ad)
		printf("Answer crypto-validated by server:\n");

So if the AD bit - authentic data - is set in the DNS header of the
answer, nslookup prints that message.

The AD bit should only be set if the server sending the answer is
DNSSEC-aware and has validated the cryptographic signature(s) on the
resource record(s) in the answer. DNSSEC - Secure DNS - is an
extension of the DNS protocol to allow answers to be verified. For
instance, an answer to a lookup for www.example.com could be checked
with DNSSEC to ensure it returns valid data from a genuine name
server for the example.com zone and that the answer from that server
was not tampered with on its way back to whatever made the
lookup. Strong hash algorithms like SHA or MD5 allied to public-key
cryptography are used to implement DNSSEC. Some of the gory details
can be found in RFC2535 and RFC2931.
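Added example, not from this message or from BIND's nslookup source: a small Python decoder for the fixed DNS header that makes the same AD-bit test nslookup makes, run against two constructed sample headers (one with AD set, one without). The flag bit positions are those of RFC 1035 with the AD and CD bits from RFC 2535; the header-only samples carry no question or answer sections.

```python
import struct

# DNS header (RFC 1035 4.1.1; AD and CD flag bits added by RFC 2535):
#   ID | QR Opcode(4) AA TC RD RA Z AD CD RCODE(4) | QD AN NS AR counts
HEADER = struct.Struct("!HHHHHH")  # six big-endian 16-bit words

FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: server validated the DNSSEC signatures
FLAG_CD = 0x0010  # checking disabled: client told the server not to validate


def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }


def crypto_validated(msg: bytes) -> bool:
    """The same test nslookup makes: is the AD bit set in the header?"""
    return parse_dns_header(msg)["ad"]


def build_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Constructed sample header; no question or answer sections follow it."""
    return HEADER.pack(ident, flags, qd, an, ns, ar)


# Constructed samples: a validated response and the same response without AD.
VALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
PLAIN = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)

if __name__ == "__main__":
    for name, msg in (("validated", VALIDATED), ("plain", PLAIN)):
        verdict = "Answer crypto-validated by server:" if crypto_validated(msg) else "AD bit clear"
        print(f"{name}: {verdict}")
```

Note that AD is a plain flag set by the responding server, not a signature the client can check itself, so it only carries weight when that server is trusted to validate and the path from it to the client cannot be altered.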



More information about the bind-users mailing list