SIG Resource Record
With the SIG Resource Record or Signature Resource Record , any resource records can be digitally signed within the framework of DNSSEC (DNS Security) . The SIG type is no longer in use and was replaced in 2004 by the almost identical RRSIG Resource Record .
background
A user who receives an answer to a DNS request (e.g. an IP address ) cannot be sure that the answer really comes from a regular name server and that it was not corrupted during the transport. The solution is to digitally sign Resource Records.
A digital signature requires a public key process. The name server, which is the master authoritative for a DNS entry, signs it with its private key. Resolvers can verify the digital signature at any time, provided they know the public key of the name server.
construction
A SIG Resource Record consists of the following fields:
- Surname
- of the digitally signed RR
- Current TTL
- specifies how long this entry can be kept in the cache
- Class
- always IN
- KEY
- Type
- of the signed RR - e.g. B. A , NS , SOA
- Encryption algorithm
- (1 = MD5 , 2 = Diffie-Hellman , 3 = DSA )
- Number of name components
- for wildcard resolution see RFC 2535
- TTL
- at the time of signature
- Starting time
- from which the signature is valid
- End time
- up to which the signature is valid
- unique number
- to distinguish between multiple signatures
- Name of the signatory
- actual signature
example
In this example, an A-RR is digitally signed:
www.child.example. 1285 IN A 1.2.3.15
www.child.example. 1285 SIG (
A ; Typ ist A-RR
3 ; DSA-Encryption
3 ; Name hat 3 Komponenten
1285 ; Original-TTL
20040327122207 ; Anfangszeitpunkt
20040226122207 ; Endzeitpunkt
22004 ; eindeutige Nummer
child.example. ; Name des Unterzeichners
BMTLR80WnKndatr77OirBtprR9SLKoZUiPWX
U5kViDi+5amYW/GFCp0= )
Web links
- RFC 2535 - DNS Security Extension