Jump to content

Domain Name System Security Extensions: Difference between revisions

From ICANNWiki
No edit summary
touch up
Line 1: Line 1:
The '''Domain Name System Security Extensions''' is a set of [[DNS]] extensions which enables communication authentication between hosts and DNS data, while ensuring data integrity. The DNSSEC is used for securing specific information provided by [[DNS]].
The '''Domain Name System Security Extensions''' is a set of [[DNS]] extensions which enables communication authentication between hosts and DNS data, while ensuring data integrity. DNSSEC is used for securing specific information provided by [[DNS]].


==Short Overview==
DNSSEC is generally referred to as DNS Security Extensions. Its main goal is to protect against [[Data Spoofing|data spoofing]] and corruption.  Initially, it was called only [[DNS]] (Domain Name System) and did not include security extensions. The main DNSSEC extensions are specified by RFC4033, RFC4034, and RFC4035. There are also some additional [[RFC]]s which provide supporting information.


==Short Overview==
Apart from the new DNS server and client concepts, DNSSEC introduces to DNS the following 4 new resource records: [[DNSKEY]], [[RRSIG]], [[NSEC]] and [[DS]].
The DNSSEC is generally referred to as DNS Security Extensions. Its main goal is to protect against data spoofing and corruption. At first, it was called only [[DNS]](Domain Name System) and did not include security extensions. The main DNSSEC extensions are specified by RFC4033, RFC4034, and RFC4035. There are also some additional RFCs which provide supporting information.
Apart from the new DNS server and client concepts,DNSSEC introduces to DNS the following 4 new resource records: DNSKEY, RRSIG, NSEC and DS. In order to deploy DNSSEC on Windows Server® 2008 R2 or Windows® 7 operating systems there are various guides to follow. Windows Server® 2008 R2 and Windows® 7 operating systems.


==How it works==
==How it works==
The DNS was initially developed to without any security extensions, thus increasing the chances for forget over the Internet and allowing the spoofing of IP Addresses with the purpose of redirecting traffic to undesired websites. This is how DNSSEC appeared: as a need for adding protection and security to DNS so that the redirected traffic could be checked and directed towards the right server.  
The DNS was initially developed to without any security extensions, thus increasing the chances to get out of synch and allow the spoofing of [[IP Addresses]] with the purpose of redirecting traffic to undesired websites. This is how DNSSEC appeared: as a need for adding protection and security to DNS so that the redirected traffic could be checked and directed towards the correct server.  


The DNS ensures the correlation between the web address with IP Address and route traffic, but the DNSSEC ensures accuracy of the lookup date by adding a digital signature. In this way, the computer is connected to legitimate servers.  
The DNS ensures the correlation between the web address with [[IP Address]] and route traffic, but the DNSSEC ensures accuracy of the lookup date by adding a digital signature. In this way, the computer is connected to legitimate servers. If the DNSSEC authentication does not work (case in which the encryption keys are not matches), due to the backwards-compatible system, the transaction will follow the DNS protocols.
If the DNSSEC authentication does not work (case in which the encryption keys are not matches), due to the backwards-compatible system, the transaction will follow the DNS protocols.


==Objectives==
==Objectives==
The core objectives of DNSSEC are:  
The core objectives of DNSSEC are:
 
* Origin authority
* Origin authority
* Data integrity
* Data integrity
* Authenticated denial of existence
* Authenticated denial of existence
The DNSSEC mechanism of authentication of communication between hosts fulfilled by means of TSIG. More specifically, the TSIG is used to securely authenticate the transactions between the name servers and the resolver. The DNSSEC mechanism of establishing authenticity and data integrity is achieved by means of: new RRs, singning a single zone,building a trust chain and by means of key rollers or key exchange.  
 
The DNSSEC mechanism of authentication of communication between hosts is fulfilled by means of [[TSIG]]. More specifically, the TSIG is used to securely authenticate the transactions between the name servers and the resolver. The DNSSEC mechanism of establishing authenticity and data integrity is achieved by means of: new RRs, singning a single zone, building a trust chain and by means of [[key rollers]] or [[key exchange]].  


==DNSSEC Difficulties==
==DNSSEC Difficulties==
It is critically important to secure the DNS for ensuring overall Internet protection, but when it comes to the deployment of DNSSEC the following difficulties are encountered:
It is critically important to secure the DNS for ensuring overall Internet protection, but when it comes to the deployment of DNSSEC the following difficulties are encountered:
# A lot of work over the Internet in order to create a well developed backward-compatible system and standards
 
#Logistical problems as a result of the addition of encryption keys to all Internet lookups: requires solution for updating the encryption keys without damaging the name servers.  
# Developing backward-compatible system and standards
#International conflicts which arose from the implementation of DNSSEC, renewing the debates related to "control over the Internet".  
# Logistical problems as a result of the addition of encryption keys to all Internet lookups: requires solution for updating the encryption keys without damaging the name servers.  
#Conflicts among implementers related to ownership issues of the root encryption keys
# International conflicts which arise from the implementation of DNSSEC, renewing the debates related to "control over the Internet".  
# Conflicts among implementers related to ownership issues of the root encryption keys


==DNSSEC Standards==
==DNSSEC Standards==

Revision as of 22:05, 3 February 2011

The Domain Name System Security Extensions is a set of DNS extensions which enables communication authentication between hosts and DNS data, while ensuring data integrity. DNSSEC is used for securing specific information provided by DNS.

Short Overview[edit | edit source]

DNSSEC is generally referred to as DNS Security Extensions. Its main goal is to protect against data spoofing and corruption. Initially, it was called only DNS (Domain Name System) and did not include security extensions. The main DNSSEC extensions are specified by RFC4033, RFC4034, and RFC4035. There are also some additional RFCs which provide supporting information.

Apart from the new DNS server and client concepts, DNSSEC introduces to DNS the following 4 new resource records: DNSKEY, RRSIG, NSEC and DS.

How it works[edit | edit source]

The DNS was initially developed to without any security extensions, thus increasing the chances to get out of synch and allow the spoofing of IP Addresses with the purpose of redirecting traffic to undesired websites. This is how DNSSEC appeared: as a need for adding protection and security to DNS so that the redirected traffic could be checked and directed towards the correct server.

The DNS ensures the correlation between the web address with IP Address and route traffic, but the DNSSEC ensures accuracy of the lookup date by adding a digital signature. In this way, the computer is connected to legitimate servers. If the DNSSEC authentication does not work (case in which the encryption keys are not matches), due to the backwards-compatible system, the transaction will follow the DNS protocols.

Objectives[edit | edit source]

The core objectives of DNSSEC are:

  • Origin authority
  • Data integrity
  • Authenticated denial of existence

The DNSSEC mechanism of authentication of communication between hosts is fulfilled by means of TSIG. More specifically, the TSIG is used to securely authenticate the transactions between the name servers and the resolver. The DNSSEC mechanism of establishing authenticity and data integrity is achieved by means of: new RRs, singning a single zone, building a trust chain and by means of key rollers or key exchange.

DNSSEC Difficulties[edit | edit source]

It is critically important to secure the DNS for ensuring overall Internet protection, but when it comes to the deployment of DNSSEC the following difficulties are encountered:

  1. Developing backward-compatible system and standards
  2. Logistical problems as a result of the addition of encryption keys to all Internet lookups: requires solution for updating the encryption keys without damaging the name servers.
  3. International conflicts which arise from the implementation of DNSSEC, renewing the debates related to "control over the Internet".
  4. Conflicts among implementers related to ownership issues of the root encryption keys

DNSSEC Standards[edit | edit source]

  • RFC 2181 Clarifications to the DNS Specification
  • RFC 2535 Domain Name System Security Extensions
  • RFC 2671 Extension Mechanisms for DNS
  • RFC 3833 A Threat Analysis of the Domain Name System
  • RFC 3757 Domain Name System KEY (DNSKEY) Resource Record (RR)
  • RFC 4033 DNS Security Introduction and Requirements (DNSSEC-bis)
  • RFC 4034 Resource Records for the DNS Security Extensions (DNSSEC-bis)
  • RFC 4035 Protocol Modifications for the DNS Security Extensions (DNSSEC-bis)
  • RFC 4398 Storing Certificates in the Domain Name System (DNS)
  • RFC 4470 Minimally Covering NSEC Records and DNSSEC On-line Signing
  • RFC 4641 DNSSEC Operational Practices
  • RFC 5155 DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
  • RFC 4509 Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
  • RFC 4641 DNSSEC Operational Practices
  • RFC 5155 DNSSEC Hashed Authenticated Denial of Existence