In the evolution of the domain name system (DNS) used to locate Web sites and other resources on the Internet and other networks, the issue of security has taken on increased importance over time. In response to evolving security needs, organizations in the industry have proposed and developed extensions to the baseline DNS protocol to permit the introduction of security measures in the delivery of DNS services. In general, these known standards are referred to as DNS with security extensions, or DNSSEC.
In particular, the need has presented itself to allow users running a Web browser or other software to be assured that the Internet Protocol (IP) address delivered to them when attempting to navigate to a known universal resource locator (URL) is genuine, and represents the Web site they are trying to access. Bogus IP addresses can be delivered to unwitting users due to cache poisoning or other attacks on the DNS servers used to retrieve and serve the IP address of a given domain name, or other answers provided by the DNS system.
In terms of Web site deployment, many Web sites today consist of a number of hierarchical sections or partitions, each of which has a different extended domain name. For instance, a Web site related to sports news may have a root level such as SportsPage.com, and in addition a number of sections or “zones” dedicated to individual sports activities. Those topics might be reflected in domains such as Golf.SportsPage.com, Soccer.SportsPage.com, and so forth.
A user navigating within SportsPage.com can provide one or more questions or requests to the DNS system supporting that Web site, such as for an IP address, or for other information. The answer to the user's question may be generated from within various zones within the Web site. To ensure the user receives a valid answer, a DNSSEC-enabled domain requires a series of messages signed with a signature generated using public/private key information. While the DNSSEC protocol therefore supplies an authentication service to users navigating through Web properties, as the depth and hierarchical links of a domain's zones become more complicated, the burden on processing and bandwidth resources of the DNS system becomes great. That burden can reduce DNS responsiveness.
In addition, for Web site owners who wish to apply flexible DNS policies while using a DNSSEC arrangement, matters can be complicated even further. That is, an operator deploying a relatively rich Web site with a number of zones may wish to apply rules to individual requestors so that their DNS lookups or answers are directed to different servers, and/or the zones of the domain, based on the user's location, time and/or date, server loads, the user's device and/or software, the user's identity, costs, pricing, server availability, and/or based on other factors. Identifying information about the users, applying the appropriate policies, and then generating the necessary signatures that will allow their specific answer to be authenticated can likewise incur a penalty in terms of performance, and the user's perception of system responsiveness.
It may be desirable to provide methods and systems for pre-signing of DNSSEC-enabled zones into record sets, in which a domain name system can accept an arbitrary set of policies from a domain owner, translate those policies into a set of pre-generated signed answers or other zone files, and transmit the signed answer to the user from stored resource records, rather than from answers which must be generated and/or signed on demand.
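The pre-signing arrangement described in the preceding paragraphs, as an added illustration that is not part of this document: each policy variant of an answer (here, two region-specific A record sets for the hypothetical Golf.SportsPage.com zone) is signed once at zone-load time with an Ed25519 key, the query path only looks up the stored signed set, and a validating resolver checks it with the zone's public key. The `Canonical` serialization, the policy tags and the addresses are constructed stand-ins, not the RFC 4034 wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// RRset is a simplified resource record set: owner name, record type and RDATA strings.
type RRset struct{ Name, Type string; Data []string }

// Canonical is a deterministic stand-in for the RFC 4034 canonical form (owner lowercased).
func (r RRset) Canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s", strings.ToLower(r.Name), r.Type, strings.Join(r.Data, ",")))
}

// SignedAnswer is a stored RRset plus its signature, the analogue of an RRset with its RRSIG.
type SignedAnswer struct{ RRset RRset; Sig []byte }

// PreSigner holds the zone's private key (Ed25519, DNSSEC algorithm 15) and the table of
// pre-signed answers keyed by owner name, type and the policy tag that selected the variant.
type PreSigner struct {
	priv  ed25519.PrivateKey
	table map[string]SignedAnswer
}

// NewPreSigner generates a throwaway demo key (constructed, not a real zone key) and returns it.
func NewPreSigner() (*PreSigner, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &PreSigner{priv: priv, table: map[string]SignedAnswer{}}, pub
}

func tableKey(name, typ, policy string) string { return strings.ToLower(name) + "/" + typ + "/" + policy }

// PreSign signs one policy variant at zone-load time, so no signing happens on the query path.
func (p *PreSigner) PreSign(policy string, rr RRset) {
	p.table[tableKey(rr.Name, rr.Type, policy)] = SignedAnswer{rr, ed25519.Sign(p.priv, rr.Canonical())}
}

// Answer returns the stored signed set for the policy the server matched to the requester.
func (p *PreSigner) Answer(name, typ, policy string) (SignedAnswer, bool) {
	a, ok := p.table[tableKey(name, typ, policy)]
	return a, ok
}

// Verify is the validating resolver's check of the served answer against the zone's public key.
func Verify(pub ed25519.PublicKey, a SignedAnswer) bool {
	return ed25519.Verify(pub, a.RRset.Canonical(), a.Sig)
}
```

Because the private key is only touched in `PreSign`, the per-query cost is a map lookup regardless of how many zones or policy variants the domain carries; a record set served under a signature computed for a different variant fails verification.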