Sunday, September 30, 2012

DNSSEC - Part 1

So, this week we'll dive head-first into DNSSEC.  I'll cover some basic background information about what it is, what it does and what it does not do, since it is widely misunderstood.

DNSSEC stands for the DNS Security Extensions, which the IETF created to help "secure" the DNS query-response process (resolution).  In a nutshell, when you query through a validating (DNSSEC-capable) resolver, DNSSEC lets that resolver check that the records it receives are the ones the zone owner signed and that they have not been altered on the way, or that it receives a signed proof of non-existence when the record you are looking for does not exist.  Note that it authenticates the data, not the server that sent it.

Here are some specifics on what DNSSEC can and cannot do:

DNSSEC provides:
Data origin authentication (the records were signed with the zone's key)
Data integrity verification (a modified record fails signature validation)
Authenticated denial of existence (a signed proof that a name or record type does not exist)
Cache poisoning protection (a validating resolver discards forged answers)
DNS hijacking protection for responses forged or altered in transit (it does not help when the zone itself or the registrar account is compromised)

DNSSEC does not:

Provide confidentiality (queries and responses still travel in the clear)
Prevent Distributed Denial of Service (DDoS) attacks (signed responses are larger, which can make DNS amplification attacks worse, not better)
Stop IP spoofing

One of the main motivations for DNSSEC was to stop DNS cache poisoning, where forged records are injected into a resolver's cache to divert traffic away from the true intended destination.  A validating resolver rejects such a forged answer because the attacker cannot produce a valid signature for it without the zone's private key.
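To make the properties in the two lists above concrete, here is a toy model of the signing and validation steps, added for this post and not part of the original text or any DNSSEC implementation.  It stands in textbook RSA with tiny fixed primes for a real DNSSEC algorithm so that it runs on the Python standard library alone, and it uses plain string ordering rather than DNSSEC's canonical name order for the NSEC-style gap records.  The zone (example.com with three names), the key values, the IP addresses and the attacker are all constructed for the example; nothing here is secure or wire-compatible.  It shows a genuine answer validating, a record altered in flight failing, a spoofed answer signed with the attacker's own key failing under the zone's key, and a signed proof that ftp.example.com does not exist.

```python
"""Toy model of DNSSEC origin authentication, integrity checking and
authenticated denial of existence.  Added illustration, not code from the
post.  Textbook RSA with tiny constructed primes stands in for a real
DNSSEC algorithm; NOT secure, NOT wire-compatible."""
import hashlib


def make_key(p, q, e=65537):
    """Toy RSA key pair: (public, private).  Public = DNSKEY; private stays offline."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


ZONE_PUBLIC_KEY, ZONE_PRIVATE_KEY = make_key(1000003, 1000033)   # legitimate zone key (toy)
ATTACKER_PUBLIC, ATTACKER_PRIVATE = make_key(1000037, 1000039)   # attacker's own key (toy)


def canonical(owner, rtype, rdata):
    """Canonical form of an RRset: lowercased owner, type, sorted rdata (toy order)."""
    return f"{owner.lower()}|{rtype.upper()}|" + "|".join(sorted(rdata))


def rrset_digest(owner, rtype, rdata, n):
    return int(hashlib.sha256(canonical(owner, rtype, rdata).encode()).hexdigest(), 16) % n


def sign_rrset(owner, rtype, rdata, priv):
    """Produce the RRSIG-like value for an RRset with a private key."""
    n, d = priv
    return pow(rrset_digest(owner, rtype, rdata, n), d, n)


def verify_rrset(owner, rtype, rdata, sig, pub):
    """Resolver side: recompute the digest and compare with the signature under the DNSKEY."""
    n, e = pub
    return pow(sig, e, n) == rrset_digest(owner, rtype, rdata, n)


ZONE = {  # constructed sample zone, unsigned
    "example.com":      {"A": ["192.0.2.1"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "www.example.com":  {"A": ["192.0.2.10", "192.0.2.11"]},
}


def sign_zone(zone, priv):
    """Sign every RRset and add an NSEC-style record per name that names the next
    owner in sorted order, so the gap between two names can be proven empty."""
    names, signed = sorted(zone), {}
    for i, name in enumerate(names):
        nxt = names[(i + 1) % len(names)]            # last name wraps to the first
        signed[name] = {t: (rd, sign_rrset(name, t, rd, priv)) for t, rd in zone[name].items()}
        nsec = [nxt] + sorted(zone[name])             # next owner + types present at this name
        signed[name]["NSEC"] = (nsec, sign_rrset(name, "NSEC", nsec, priv))
    return signed


SIGNED_ZONE = sign_zone(ZONE, ZONE_PRIVATE_KEY)


def covers(owner, nxt, qname):
    """True if qname lies in the gap an NSEC record spans (plain string order here)."""
    if owner < nxt:
        return owner < qname < nxt
    return qname > owner or qname < nxt                # wrap-around at the end of the zone


def authoritative_answer(signed, qname, qtype):
    """Server side: the signed RRset, or the signed NSEC record covering a missing qname."""
    if qname in signed and qtype in signed[qname]:
        return "answer", qname, signed[qname][qtype]
    for owner, rrsets in signed.items():
        if covers(owner, rrsets["NSEC"][0][0], qname):
            return "nxdomain", owner, rrsets["NSEC"]
    return "bogus", None, None


def forged_answer(qname, qtype, evil_rdata):
    """Attacker racing a spoofed reply: they can sign, but only with their own key."""
    return "answer", qname, (evil_rdata, sign_rrset(qname, qtype, evil_rdata, ATTACKER_PRIVATE))


def validate(response, qname, qtype, pub):
    """Validating resolver.  Returns ('secure', rdata), ('secure-nxdomain', None) or ('bogus', None)."""
    kind, owner, rr = response
    if kind == "answer":
        rdata, sig = rr
        return ("secure", rdata) if verify_rrset(qname, qtype, rdata, sig, pub) else ("bogus", None)
    if kind == "nxdomain":
        nsec, sig = rr
        if verify_rrset(owner, "NSEC", nsec, sig, pub) and covers(owner, nsec[0], qname):
            return "secure-nxdomain", None
    return "bogus", None


if __name__ == "__main__":
    good = authoritative_answer(SIGNED_ZONE, "www.example.com", "A")
    print("genuine:   ", validate(good, "www.example.com", "A", ZONE_PUBLIC_KEY))
    tampered = ("answer", "www.example.com", (["198.51.100.66"], good[2][1]))  # rdata altered in flight
    print("tampered:  ", validate(tampered, "www.example.com", "A", ZONE_PUBLIC_KEY))
    spoofed = forged_answer("www.example.com", "A", ["198.51.100.66"])
    print("spoofed:   ", validate(spoofed, "www.example.com", "A", ZONE_PUBLIC_KEY))
    missing = authoritative_answer(SIGNED_ZONE, "ftp.example.com", "A")
    print("nonexistent:", validate(missing, "ftp.example.com", "A", ZONE_PUBLIC_KEY))
```

The four cases in the `__main__` block map onto the lists above: the genuine answer is "secure" (origin authentication), the altered rdata and the attacker-signed answer are both "bogus" (integrity and origin authentication, which is what stops cache poisoning), and the missing name gets a "secure-nxdomain" verdict from a signed NSEC-style record (authenticated denial of existence).  Note what the model does not give you: every query and answer is still readable by anyone on the path, which is the confidentiality gap listed above.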

Here is a link to a very informative Wikipedia page on DNSSEC:
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

And again, the NIST Secure Domain Name System Deployment Guide is an invaluable resource that includes a very in-depth section on DNSSEC:
http://csrc.nist.gov/publications/nistpubs/800-81r1/sp-800-81r1.pdf

So, that covers some basic DNSSEC background information.  Next week, we'll open the hood and start examining how DNSSEC does what it does.  Cheers!

