DNSSEC: DNS Security Extensions
Securing the Domain Name System

 What is DNSSEC?

The Root DNSSEC Design Team is pleased to report that the first fully validatable production signed root zone, with SOA serial number 2010071501, was published and began rolling out to the root servers at 2050 UTC.

The Root Trust Anchor can be found at the IANA DNSSEC website.

Here is a first press release from ISC, which operates the F-Root DNS Servers.

Press release from ICANN, which has a 'coordination' role in the Internet's naming system.

Press release from VeriSign, which operates two of the DNS Root Servers (A+J).

Press release from US Department of Commerce, which is principally responsible for advising the US President on communications and information policies.

The White House Office of Science and Technology Policy also writes about the DNSSEC Signed Root Zone.


DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System.

DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.

These mechanisms require changes to the DNS protocol. DNSSEC adds four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new RRs are described in detail in RFC 4034.

It also adds two new DNS header flags: Checking Disabled (CD) and Authenticated Data (AD). In order to support the larger DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also requires EDNS0 support (RFC 2671).

Finally, DNSSEC requires support for the DNSSEC OK (DO) EDNS header bit (RFC 3225) so that a security-aware resolver can indicate in its queries that it wishes to receive DNSSEC RRs in response messages. By verifying the signature, a DNS resolver can check whether the information it received is identical (correct and complete) to the information on the authoritative DNS server.
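The signalling described above (EDNS0 OPT record, DO bit, and the CD and AD header flags), shown at the wire level. This is an added example, not code from this site or from any DNS implementation; the function names and the constructed response are illustrative assumptions.

```python
import struct

# DNS header flag masks: AD and CD are the two bits DNSSEC adds.
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
TYPE_OPT = 41      # EDNS0 pseudo-record carried in the additional section
DO_BIT = 0x8000    # DNSSEC OK: top bit of the 16-bit EDNS flags field

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, do=True, cd=False, udp_size=4096):
    """Build a one-question query with an EDNS0 OPT record."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-rcode(8)|version(8)|flags(16), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt

def parse_flags(msg):
    """Return the QR, AD and CD header bits of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return {"qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD)}

def parse_opt(msg):
    """Return (udp_size, do) for a message holding one question plus an OPT RR."""
    pos = 12
    while msg[pos]:                 # skip the question name label by label
        pos += msg[pos] + 1
    pos += 1 + 4                    # zero byte, QTYPE, QCLASS
    if msg[pos] != 0:
        raise ValueError("OPT owner name must be the root")
    rtype, udp_size, ttl, _ = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    if rtype != TYPE_OPT:
        raise ValueError("no OPT record after the question")
    return udp_size, bool(ttl & DO_BIT)

def constructed_response(query):
    """Constructed sample: echo the query with QR, RA and AD set, as a validating resolver would."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", txid, flags | FLAG_QR | FLAG_RA | FLAG_AD) + query[4:]
```

The AD bit in a response is only as trustworthy as the path to the resolver that set it; a stub that validates for itself sets DO and CD and checks the RRSIGs locally.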

DNSSEC services protect against most of the threats to the Domain Name System. There are several distinct classes of threats to the Domain Name System, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol.

Note that DNSSEC does not provide confidentiality of data. Also, DNSSEC does not protect against DDoS Attacks.

------
[0] A comprehensive Threat Analysis of the Domain Name System can be found in RFC 3833. This RFC attempts to describe some of the known threats to the DNS, and --in doing so-- attempts to measure to what extent DNSSEC is a useful tool in defending against these threats.

More information (research, publications, links) about DNS Weaknesses can be found in the DNS Threats section.
 DNS Security Extensions

This website is your independent starting point for all DNSSEC and Secure DNS related information. You will find all major DNSSEC presentations, DNSSEC publications and DNSSEC research documents.

The core of the DNSSEC specification is described in the following 3 RFCs, published March 2005:

  • RFC 4033 - DNS Security Introduction and Requirements
  • RFC 4034 - Resource Records for the DNS Security Extensions
  • RFC 4035 - Protocol Modifications for the DNS Security Extensions


RFC 5155 (March 2008) introduces an alternative resource record, NSEC3, which provides additional measures against zone enumeration and permits gradual expansion of delegation-centric zones.

  • RFC 5155 - DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

Related RFCs, such as RFC 5910, describe how to map DNSSEC for the Extensible Provisioning Protocol (EPP). RFC 4641 describes DNSSEC Operational Practices.

  • RFC 5910 - Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
  • RFC 4641 - DNSSEC Operational Practices

DNSSEC Key Management, including Key Rollover, is done using specialized DNSSEC software, which can be standalone tools or add-ons to your existing DNS software. All major DNS software will have full or partial DNSSEC functionality built in within the coming years.

To make deployment of DNSSEC easier, one can also buy a dedicated "DNSSEC Appliance", which acts as an automated DNS signer for DNS zones. Several vendors already offer commercial and non-commercial solutions for signing DNS in real time, some of them using external cryptographic hardware such as HSMs (Hardware Security Modules), including USB tokens and smart cards.

General background info on the Domain Name System (DNS) and its workings is available on our companion website Bind9.net, in the DNS Links and DNS RFCs sections in particular.

Related Reading

  • DNSSEC Papers, Articles
  • DNSSEC Presentations
  • DNSSEC Tools
  • DNSSEC Threats and Weaknesses
  • DNS Links & Whitepapers
  • BIND Howtos and Articles
  • Domain Registration & EPP Resources

DNSSEC Basics: Essential Reading

  • DNSSEC Deployment at the DNS Root Zone: Requirements, Policies, and Status Updates - ICANN & Verisign, Dec 2009
  • Secure Domain Name System (DNS) Deployment Guide - NIST Special Publication 800-81, Apr 2010
  • Hardening the Internet: The Impact and Importance of DNSSEC - SURFnet, Paul Brand, Rick van Rein, Roland van Rijswijk, David Yoshikawa, 2009
  • 7 Things You Should Know About DNSSEC - EDUCAUSE, Jan 2010
  • DNSSEC in 6 Minutes - Alan Clegg, Internet Systems Consortium, Jun 2008
  • The Signed Root Is Coming! (And what this means for you) - Peter Loscher, Internet Systems Consortium, Jan 2010
  • Are you ready for DNSSEC? And what to ask your vendors - Michael Graff, Internet Systems Consortium, May 2010
  • DNSSEC Howto 2009 - Olaf Kolkman, NLnet Labs / RIPE NCC, Jun 2009
  • DNSSEC Training Course - Olaf Kolkman, RIPE NCC, Q3/2004
  • DNSSEC Deployment at the RIPE NCC (part of the reverse DNS restructuring project) - RIPE NCC, Jul 2005
  • DNSSEC Key Management Tools released - Olaf Kolkman, RIPE NCC, Apr 2005
  • Good Practices Guide for Deploying DNSSEC - ENISA, Mar 2010
  • Study on the Costs of DNSSEC Deployment - ENISA, Nov 2009
  • Resilience Features in Communication Networks: IPv6, DNSSEC and MPLS - ENISA, Jan 2009
  • Stock Taking Report on the Technologies Enhancing Resilience of Public Communication Networks in the EU Member States - ENISA, May 2009
  • DNSSEC Deployment Programme Website
  • ISOC Deploy360
  • DNSSEC Part 1: The Theory - Geoff Huston, ISOC, Aug 2006
  • DNSSEC Part 2: The Practice - Geoff Huston, ISOC, Sep 2006
  • DNSSEC Part 3: The Opinion - Geoff Huston, ISOC, Oct 2006
  • DNSSEC Training Material - NLnet Labs, Oct 2008
  • DNSSEC: The Protocol, Deployment, and a Bit of Development - Miek Gieben in Cisco IPJ Magazine, Jun 2004


    © 2002-2019 DNSSEC.NET. All rights reserved.
    Page last modified on Wed 26 September 2018 06:35:06 CET