Abstract: A method for adding a blacklisted site to a whitelist. At least one whitelisting query may be generated for an encoded domain in the tag format: a nonce, a hash, a blocked-domain, and a static domain, each separated by a delimiter. The nonce is a unique identifier for the at least one query. The hash is a cryptographic hash of an IP address of the user, a normalized timestamp, and the blocked domain. The static domain is a constant domain representing the at least one query. The at least one query may be sent to a first recursive DNS server. The first recursive DNS server may create a message including whitelist information. The first recursive DNS server may send the message to a second recursive DNS server.

Abstract: Implementations relate to systems and methods for pre-signing of DNSSEC enabled zones into record sets. A domain name system (DNS) can receive and/or impose a set of DNS policies desired by an administrator, or the DNS operator itself to govern domain name resolution with security extensions (DNSSEC) for a Web domain. The DNS can generate a set of answers to user questions directed to the domain based on the set of policies. Those answers which differ or vary based on policy rules can be stored as variant answers, and can be labeled with a variant ID. The variant answers can be pre-signed and stored in the DNS. Because key data and other information is generated and stored before a DNS request is received, the requested variant answer can be returned with greater responsiveness and security.

Abstract: A method for adding a blacklisted site to a whitelist. At least one whitelisting query may be generated for an encoded domain in the tag format: a nonce, a hash, a blocked-domain, and a static domain, each separated by a delimiter. The nonce is a unique identifier for the at least one query. The hash is a cryptographic hash of an IP address of the user, a normalized timestamp, and the blocked domain. The static domain is a constant domain representing the at least one query. The at least one query may be sent to a first recursive DNS server. The first recursive DNS server may create a message including whitelist information. The first recursive DNS server may send the message to a second recursive DNS server.

Abstract: Systems and methods for instantaneously updating a DNS system database containing DNS records using partitions and atomic switching are disclosed. In one or more implementations, the system may include clients, a network, and a DNS system. Clients may communicate with the DNS system using the network in order to provide DNS record updates to a DNS system database. The DNS system includes distributed denial of service (“DDOS”) protection proxies, a firewall, and zone relays, allowing clients to specify which name servers are authorized to communicate with the DNS system. The DNS system also supports bulk updates of DNS records without causing clients to experience a reduction in performance, by writing DNS records to a hard disk and simultaneously saving the DNS records to the database in batches.

Abstract: A method for adding a blacklisted site to a whitelist includes requesting a blacklisted site via a network, the blacklisted site having a domain name of the format <blocked-domain>. The method includes generating queries for an encoded domain, the encoded domain being of the format <nonce>.<hash>.<blocked-domain>.<static domain>, sending the queries to a recursive DNS server, and sending responses based on the queries to a cache of a web browser. The method includes requesting by the web browser the blacklisted site, adding the blacklisted site to the whitelist, sending an IP address corresponding to the blacklisted site to the web browsers, and accessing the blacklisted site.

Abstract: Implementations relate to systems and methods for pre-signing of DNSSEC enabled zones into record sets. A domain name system (DNS) can receive and/or impose a set of DNS policies desired by an administrator, or the DNS operator itself to govern domain name resolution with security extensions (DNSSEC) for a Web domain. The DNS can generate a set of answers to user questions directed to the domain based on the set of policies. Those answers which differ or vary based on policy rules can be stored as variant answers, and can be labeled with a variant ID. The variant answers can be pre-signed and stored in the DNS. Because key data and other information is generated and stored before a DNS request is received, the requested variant answer can be returned with greater responsiveness and security.

Abstract: Systems and methods of performing incremental DNSSEC signing at a registry are described in which digital signature operations may be performed as part of a single transaction including DNS add, update, and/or delete operations and the like. Exemplary methods may include receiving a domain command from a requester, the domain command including an identifier of a domain. The received domain command may be executed with respect to data stored by the registry for the domain. As part of an individual transaction including the execution of the domain command, the registry may also sign DNSSEC records for the domain using a private key of an authoritative server. After the DNSSEC records have been signed, the registry may incrementally publish the signed DNSSEC records to a separate server.

Abstract: A method for adding a blacklisted site to a whitelist includes requesting a blacklisted site via a network, the blacklisted site having a domain name of the format <blocked-domain>. The method includes generating queries for an encoded domain, the encoded domain being of the format <nonce>.<hash>.<blocked-domain>.<static domain>, sending the queries to a recursive DNS server, and sending responses based on the queries to a cache of a web browser. The method includes requesting by the web browser the blacklisted site, adding the blacklisted site to the whitelist, sending an IP address corresponding to the blacklisted site to the web browsers, and accessing the blacklisted site.

Abstract: Systems and methods for instantaneously updating a DNS system database containing DNS records using partitions and atomic switching are disclosed. In one or more implementations, the system may include clients, a network, and a DNS system. Clients may communicate with the DNS system using the network in order to provide DNS record updates to a DNS system database. The DNS system includes distributed denial of service (“DDOS”) protection proxies, a firewall, and zone relays, allowing clients to specify which name servers are authorized to communicate with the DNS system. The DNS system also supports bulk updates of DNS records without causing clients to experience a reduction in performance, by writing DNS records to a hard disk and simultaneously saving the DNS records to the database in batches.

Abstract: Systems and methods of performing incremental DNSSEC signing at a registry are described in which digital signature operations may be performed as part of a single transaction including DNS add, update, and/or delete operations and the like. Exemplary methods may include receiving a domain command from a requester, the domain command including an identifier of a domain. The received domain command may be executed with respect to data stored by the registry for the domain. As part of an individual transaction including the execution of the domain command, the registry may also sign DNSSEC records for the domain using a private key of an authoritative server. After the DNSSEC records have been signed, the registry may incrementally publish the signed DNSSEC records to a separate server.

Abstract: Systems and methods of transferring a DNSSEC enabled domain from a losing hosting provider to a gaining hosting provider are described in which the transfer of the domain may be achieved without disruption to a DNSSEC validation of the domain. Systems and methods, such as those directed to registry and/or registrar servers, may include transferring a DNSKEY or Delegation Signer (DS) record from a gaining hosting provider to a losing hosting provider prior to transferring the domain from the losing hosting provider to the gaining hosting provider. A gaining hosting provider may sign DNS records of the domain with the gaining hosting provider DNSKEY prior to transferring the domain from the losing hosting provider to the gaining hosting provider. Additionally, a registry server, or similar device, may be configured to act as an intermediary between the losing hosting provider and the gaining hosting provider during the transfer process.