The '''Domain Name System Security Extensions''' (DNSSEC) are a set of [[DNS|Domain Name System]] (DNS) extensions that provide origin authentication and integrity protection for DNS data: a validating resolver can check that an answer really corresponds to what the zone's administrator published and that it was not altered in transit. DNSSEC is used to secure specific information served by [[DNS]].

DNSSEC adds resource records and message header bits that a resolver can use to verify that the returned data matches what the zone administrator put in the zone and has not been altered in transit. DNSSEC does not provide a secure tunnel: it does not encrypt or hide DNS data, and it authenticates only the zone data, not the resolver or the client. It was designed with backwards compatibility in mind, so the original DNS protocol continues to work unchanged; a resolver that does not understand DNSSEC simply never asks for, and never sees, the additional records.

The new resource record types are RRSIG (a digital signature), DNSKEY (a public key), DS (Delegation Signer) and NSEC (a pointer to the next secure name). The new message header bits are AD (authenticated data) and CD (checking disabled). A DNSSEC validating resolver uses these records together with public key (asymmetric) cryptography to prove the integrity of DNS data. The zone's private key is used to sign a hash of a set of resource records (an RRset: all records with the same owner name, class and type); the resulting digital signature is stored in an RRSIG record. This is signing, not encryption: the records themselves remain in the clear.

The corresponding public key is stored in the DNSKEY resource record. The validating resolver uses that DNSKEY to verify the RRSIG over the RRset; if the signature checks out, the RRset has not been changed. A hash of the public DNSKEY is stored in a DS record, and that DS record lives in the parent zone, where it is signed with the parent's own key. The validating resolver therefore retrieves from the parent the DS record together with its RRSIG and the parent's DNSKEY; a hash of that DNSKEY is in turn available from the parent's parent. This becomes a chain of trust, also called an authentication chain. The chain has to start somewhere: the validating resolver is configured with a trust anchor, a DNSKEY or DS record for a signed zone (in practice normally the root zone) that the resolver trusts without further verification. The trust anchor must be obtained securely from a trusted source (not via DNS), because everything the resolver validates ultimately rests on it.

All the names in the zone also have corresponding NSEC records, listed in canonical order, which creates a chain linking every signed name to the next one. (Corresponding RRSIG records are created to sign the NSEC data as well.) Because there is no gap in the chain, an NSEC record whose owner name sorts before a queried name and whose "next" name sorts after it is proof that the queried name does not exist; NSEC records are therefore used to authenticate negative replies. Each NSEC record additionally lists the record types present at its owner name, which proves that a name exists but a particular type does not.

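The following is an added example, not code from the original page or from any DNSSEC implementation, that works through the pieces of the validation process described above that can be done with the Python standard library alone: the DNSKEY key tag (RFC 4034 Appendix B), the DS digest of a DNSKEY (RFC 4034 section 5.1.4, SHA-256 per RFC 4509), a walk down a DS-based chain of trust from a configured trust anchor, and the NSEC covering check using canonical name ordering (RFC 4034 section 6.1). The zones, owner names and key material are constructed placeholders, not real keys. RRSIG verification itself (an asymmetric signature check) is deliberately left out, because it needs a DNSSEC signature algorithm that the standard library does not ship; the function and variable names are the author's own.

```python
"""Added example: standard-library-only pieces of DNSSEC validation.

Key tags and DS digests follow RFC 4034 / RFC 4509; the NSEC check follows
the canonical ordering of RFC 4034 section 6.1.  All keys below are
constructed placeholders, not real DNSSEC keys.
"""
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag for every algorithm except RSA/MD5 (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over (canonical owner name || DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def verify_ds_chain(trust_anchor: dict, zones: list) -> bool:
    """Walk the chain of trust downwards, checking each DS -> DNSKEY link.

    ``trust_anchor`` is {"owner", "key_tag", "digest"} for the top zone's DNSKEY.
    ``zones`` is ordered parent-first; each has "owner" and "dnskey" (RDATA) and,
    except for the last, "child_ds" = (key_tag, digest) that this zone publishes
    for the next zone's DNSKEY.  A real validator also verifies the RRSIG over
    every DNSKEY and DS RRset; only the hash links are checked here.
    """
    expected = (trust_anchor["owner"], trust_anchor["key_tag"], trust_anchor["digest"])
    for i, zone in enumerate(zones):
        owner, rdata = zone["owner"], zone["dnskey"]
        if (owner, key_tag(rdata), ds_digest(owner, rdata)) != expected:
            return False  # this key is not the one the parent (or the anchor) vouches for
        if i + 1 < len(zones):
            tag, digest = zone["child_ds"]
            expected = (zones[i + 1]["owner"], tag, digest)
    return True


def canonical_key(name: str):
    """Sort key for RFC 4034 canonical name order: labels compared right to left, case-insensitively."""
    return tuple(reversed([l for l in name.lower().rstrip(".").split(".") if l]))


def nsec_covers(qname: str, nsec_owner: str, nsec_next: str) -> bool:
    """True if an NSEC record (owner -> next) proves that qname does not exist.

    The last NSEC in a zone points back to the apex, so that interval wraps.
    Only the covering interval is checked; a full proof also needs the NSEC's
    RRSIG to validate plus the closest-encloser/wildcard checks of RFC 4035.
    """
    q, o, n = canonical_key(qname), canonical_key(nsec_owner), canonical_key(nsec_next)
    if q == o:
        return False  # the name exists; this NSEC is not a non-existence proof for it
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around interval at the end of the zone


# Constructed sample chain (placeholder key material, not real DNSSEC keys).
ROOT_KEY = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
COM_KEY = dnskey_rdata(257, 13, b"com-ksk-placeholder")
EXAMPLE_KEY = dnskey_rdata(257, 13, b"example-ksk-placeholder")

TRUST_ANCHOR = {"owner": ".", "key_tag": key_tag(ROOT_KEY), "digest": ds_digest(".", ROOT_KEY)}
ZONES = [
    {"owner": ".", "dnskey": ROOT_KEY, "child_ds": (key_tag(COM_KEY), ds_digest("com.", COM_KEY))},
    {"owner": "com.", "dnskey": COM_KEY,
     "child_ds": (key_tag(EXAMPLE_KEY), ds_digest("example.com.", EXAMPLE_KEY))},
    {"owner": "example.com.", "dnskey": EXAMPLE_KEY},
]


def tampered_chain() -> bool:
    """Substitute an attacker's key for example.com.; the DS held by com. no longer matches."""
    zones = [dict(z) for z in ZONES]
    zones[2]["dnskey"] = dnskey_rdata(257, 13, b"attacker-key")
    return verify_ds_chain(TRUST_ANCHOR, zones)


if __name__ == "__main__":
    print("root placeholder key tag:", key_tag(ROOT_KEY))
    print("chain valid:", verify_ds_chain(TRUST_ANCHOR, ZONES))
    print("tampered chain valid:", tampered_chain())
    print("nosuch.example.com. proven absent:",
          nsec_covers("nosuch.example.com.", "mail.example.com.", "www.example.com."))
```

The tampered case is the whole point of the DS link: an attacker who can inject a DNSKEY RRset for example.com. cannot make it match the DS digest that com. publishes, so a validator rejects the substituted key even before looking at any RRSIG. The NSEC function only decides whether a name falls in the gap between two signed names; in a real validator that decision is only as good as the signature on the NSEC record it is given.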
==Overview==

The main goal of DNSSEC is to protect against [[Data Spoofing|data spoofing]] and corruption of DNS data, for example a forged answer that points a name at an attacker's address. The original [[DNS]] (Domain Name System) protocol had no security extensions at all; DNSSEC adds them without replacing the protocol. The main DNSSEC extensions are specified by RFC 4033, RFC 4034 and RFC 4035. A number of additional [[RFC]]s provide supporting information. <ref>[http://www.dnssec.net DNSSEC Official Website]</ref>