December 7, 2016

Internet Infrastructure Supports DNSSEC Now

DNSSEC is now up and running on all of the Internet root servers. Rod Beckstrom, president and CEO of ICANN, the governing body for Internet domains, made this announcement at the Black Hat 2010 conference. Nine top-level Internet domains have also now been signed with DNSSEC, including .uk, .org, and others.

“We expect another dozen or so to take this step over the coming weeks,” Beckstrom said. He says others should be DNSSEC-signed in the next 12 months.

What is DNSSEC?

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS that provides DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver can check whether the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information, such as general-purpose cryptographic certificates stored in CERT records in the DNS. RFC 4398 describes how to distribute these certificates, including those for email, making it possible to use DNSSEC as a worldwide public key infrastructure for email.

DNSSEC records:

  • RRSIG
  • DNSKEY
  • DS
  • NSEC

How does it work?

DNSSEC works by digitally signing these records for DNS lookup using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone, which is the trusted third party.

Please visit http://en.wikipedia.org/wiki/DNSSec for more information. This page has been used as a reference for this article.
