DNSSEC
DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System (DNS) used on Internet Protocol networks. It is a set of extensions to DNS, which provide:
DNSSEC was designed to protect the Internet from certain attacks such as DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver can check whether the information is identical (correct and complete) to the information on the authoritative DNS server.
There are several distinct classes of threats to the DNS, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol. RFC 3833 attempts to document some of the known threats to the DNS, and, in doing so, attempts to measure to what extent DNSSEC is a useful tool in defending against these threats.
DNSSEC does not provide confidentiality of data. Also, DNSSEC does not protect against denial-of-service attacks.
The DNSSEC specifications (called DNSSEC-bis) describe the current DNSSEC protocol in great detail. See RFC 4033, RFC 4034, and RFC 4035. With the publication of these new RFCs (March 2005), RFC 2535 has become obsolete.
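The digital signatures described above travel in RRSIG records, whose layout RFC 4034 defines. The following is an added example, not part of the original page: it parses the RRSIG fields and checks the signature's validity window, one of the checks a validating resolver makes before trusting an answer. The function names and the sample record are constructed for illustration, and the cryptographic verification itself is not shown.

```python
import struct

def read_name(buf, off):
    """Decode an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated signer name")
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n > 63 or off + n > len(buf):
            raise ValueError("compressed or truncated label")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def parse_rrsig(rdata):
    """Split RRSIG RDATA (RFC 4034, section 3.1) into named fields."""
    if len(rdata) < 19:
        raise ValueError("RRSIG RDATA too short")
    covered, alg, labels, ttl, expire, incept, tag = struct.unpack(
        "!HBBIIIH", rdata[:18])
    signer, off = read_name(rdata, 18)
    return {"type_covered": covered, "algorithm": alg, "labels": labels,
            "original_ttl": ttl, "expiration": expire, "inception": incept,
            "key_tag": tag, "signer": signer, "signature": rdata[off:]}

def serial_le(a, b):
    """a <= b under 32-bit serial number arithmetic (RFC 1982)."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000

def window_ok(sig, now):
    """True when 'now' lies inside the signature's validity window."""
    return serial_le(sig["inception"], now) and serial_le(now, sig["expiration"])

# Constructed sample: covers type A (1), algorithm 13, signer example.com.,
# with 64 zero bytes standing in for the signature (not a valid signature).
SAMPLE_RDATA = struct.pack("!HBBIIIH", 1, 13, 2, 3600,
                           1700086400, 1700000000, 12345) \
    + b"\x07example\x03com\x00" + bytes(64)

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RDATA)
    print(sig["signer"], sig["key_tag"], window_ok(sig, 1700050000))
```

A signature outside its validity window must be rejected even if it verifies cryptographically, which limits how long a captured answer can be replayed.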
