DNSSEC: What Is It Good For?

    Date: 07 Apr 2005
    Posted by: Brittany Day
    DNSSEC, which stands for DNS Security Extensions, is a method by which DNS servers can verify that DNS data is coming from the correct place and that the response is unadulterated. In this article we will discuss what DNSSEC can and cannot do, and then show a simple ISC BIND 9.3.x configuration example.

    DNSSEC is a public/private key system. This means that the owner of a DNS zone has a private key and a public key. Using the private key to digitally sign a zone allows anyone who holds the zone's public key to verify that the data is authentic. As with all public key cryptosystems, the method by which the entire world obtains your public key is the hard problem. If an attacker can intercept the transmission of your public key and substitute their own, the entire zone is compromised, so sending keys via email or other Internet channels probably isn't a good idea.

    The proposed solution to the basic key management problem is to have Network Solutions sign everyone's public key. For example: myname.com creates a key, signs its zone with it, and then sends the key to Network Solutions for signing. DNS servers around the world that have Network Solutions' key are then able to reject DNS records about myname.com that aren't accompanied by the appropriate signatures.

    This is the proposed method for global DNSSEC. It hasn't happened. There is no Network Solutions key that everyone knows, and Network Solutions has no mechanism to gather *.com keys. The highest level domain, '.' (dot), also needs to be under some administrative control. IANA or ICANN could hold this key and sign all TLDs (.com, .org, etc.), but the political mess this would create puts the implementation a long way off. Whether the U.S. holds the key to the entire Internet or not, someone must before DNSSEC can work globally. Until this is in place, DNSSEC cannot protect anything outside your administrative control or access, meaning you have to distribute keys manually.
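    The chain of trust described above, as an added illustration that is not part of the original article and not BIND's own code. The Go program below models a zone key pair, a parent signing a child's key, and a validating resolver that accepts an answer only if its signature chains back to a key it was given out of band (a trust anchor). Everything in it is a simplification constructed for the example: the zone names and A records are sample data, the parent's signature over a child key stands in for the real DS record, the message formats are invented, and Ed25519 from Go's standard library replaces the RSA or DSA keys of the period. The last two lines of main show the article's point directly: a correctly signed zone that no trusted parent has signed validates only once its key is installed by hand.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// KeyRecord is what a zone publishes: its name, public key and, once the parent
// has signed that key, the parent's signature (standing in for DNSKEY plus DS).
type KeyRecord struct {
	Name      string
	Pub       ed25519.PublicKey
	ParentSig []byte // nil until the parent zone has signed this key
}

type Zone struct { // a signing zone: private key plus its published KeyRecord
	Key  KeyRecord
	priv ed25519.PrivateKey
}

// Record is one DNS answer plus the owning zone's signature over it (RRSIG role).
type Record struct {
	Name, Type, Value string
	Sig               []byte
}

// keyMessage is what a parent signs when delegating a child's key; recordMessage
// is what a zone signs for each answer it serves. Both formats are constructed.
func keyMessage(k KeyRecord) []byte { return append([]byte("DNSKEY "+k.Name+" "), k.Pub...) }
func recordMessage(r Record) []byte { return []byte(r.Name + " " + r.Type + " " + r.Value) }

// NewZone generates a key pair (Ed25519 for brevity; the article's era used RSA/DSA).
func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader; error ignored for brevity
	return &Zone{Key: KeyRecord{Name: name, Pub: pub}, priv: priv}
}

// Delegate has the parent sign the child's key: the article's "send it to
// Network Solutions for signing" step.
func (parent *Zone) Delegate(child *Zone) {
	child.Key.ParentSig = ed25519.Sign(parent.priv, keyMessage(child.Key))
}

// Sign returns an answer signed with the zone's private key.
func (z *Zone) Sign(name, typ, value string) Record {
	r := Record{Name: name, Type: typ, Value: value}
	r.Sig = ed25519.Sign(z.priv, recordMessage(r))
	return r
}

// Resolver is a validating resolver: it trusts only keys installed out of band
// (trust anchors, added with AddAnchor) and keys that chain back to one of them.
type Resolver struct{ anchors map[string]ed25519.PublicKey }

func NewResolver() *Resolver                { return &Resolver{anchors: map[string]ed25519.PublicKey{}} }
func (r *Resolver) AddAnchor(k KeyRecord) { r.anchors[k.Name] = k.Pub }

// Validate checks rec with the owning zone's key (chain[0]), then climbs the chain
// (chain[i+1] is the parent of chain[i]) until a key matches a trust anchor.
func (r *Resolver) Validate(rec Record, chain []KeyRecord) error {
	if len(chain) == 0 || !ed25519.Verify(chain[0].Pub, recordMessage(rec), rec.Sig) {
		return fmt.Errorf("bad or missing signature on %s %s", rec.Name, rec.Type)
	}
	for i, k := range chain {
		if a, ok := r.anchors[k.Name]; ok && a.Equal(k.Pub) {
			return nil // reached a key we were given out of band
		}
		if i+1 == len(chain) {
			break
		}
		p := chain[i+1] // must be an ancestor zone and must have signed k's key
		if (p.Name != "." && !strings.HasSuffix(k.Name, "."+p.Name)) || !ed25519.Verify(p.Pub, keyMessage(k), k.ParentSig) {
			return fmt.Errorf("key of %s is not signed by its parent %s", k.Name, p.Name)
		}
	}
	// No anchor reached: without a globally known root key, only keys the
	// operator distributed by hand can be trusted.
	return fmt.Errorf("no trust anchor reached for %s", chain[0].Name)
}

func main() {
	root, com, myname := NewZone("."), NewZone("com."), NewZone("myname.com.")
	root.Delegate(com)
	com.Delegate(myname)
	r := NewResolver()
	r.AddAnchor(root.Key) // the one key "everyone knows"
	chain := []KeyRecord{myname.Key, com.Key, root.Key}
	rec := myname.Sign("www.myname.com.", "A", "192.0.2.10") // constructed sample answer
	fmt.Println("signed chain:", r.Validate(rec, chain))
	rec.Value = "198.51.100.99" // altered in transit: signature no longer matches
	fmt.Println("altered answer:", r.Validate(rec, chain))
	org := NewZone("example.org.") // nobody above it has signed this key
	rec2 := org.Sign("www.example.org.", "A", "192.0.2.20")
	fmt.Println("no anchor:", r.Validate(rec2, []KeyRecord{org.Key}))
	r.AddAnchor(org.Key) // manual key distribution is the only way to trust it
	fmt.Println("manual anchor:", r.Validate(rec2, []KeyRecord{org.Key}))
}
```

    Note the ancestor check in Validate: a key is only accepted as a parent if the zone it belongs to actually sits above the child in the DNS tree, so a compromised key in an unrelated zone cannot vouch for your zone even if a resolver trusts it. Without that check the chain would be a bag of signatures rather than a chain.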