Abstract
When a name server receives the response to a query for, say, the A record of a web site, for instance, www.example.com, it can only hope that the data is correct. It has no way of proving that this is the case. In fact, it could have been duped or spoofed in a variety of ways, such as the query response may have been supplied from a poisoned zone file, or the query may have been intercepted and bad data substituted in the response. Another possibility is the query may have been redirected by a poisoned resolver cache to a bogus server for the domain in question, or the response could be perfectly valid, containing good data from the correct source. In a situation where revenues, reputation, or security (commercial or national) are at stake, such uncertainty may be unacceptable. DNSSEC, originally defined in RFC 2535, was designed to eliminate the doubt involved in DNS query operations by providing verifiable certainty to suitably configured name servers. Significant efforts were expended over many years by multiple organizations, notably ISC (www.isc.org), Nlnetlabs (www.nlnetlabs.nl), some of the root-server operators (www.root-servers.org), and regional Internet registries (www.nro.net), to build and test secure DNS systems such that they can be scaled and deployed in operational environments. This Herculean effort led to what became known colloquially as DNSSEC.bis, but is now simply known as DNSSEC (defined by RFCs 4033, 4034, and 4035 and augmented by 4470, 4509, 5011, and 5155) and constitutes a substantial enhancement to the original specifications.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Rights and permissions
Copyright information
© 2011 Ron Aitchison
About this chapter
Cite this chapter
Aitchison, R. (2011). DNSSEC. In: Pro DNS and BIND 10. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4302-3049-6_11
Download citation
DOI: https://doi.org/10.1007/978-1-4302-3049-6_11
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4302-3048-9
Online ISBN: 978-1-4302-3049-6
eBook Packages: Professional and Applied ComputingProfessional and Applied Computing (R0)Apress Access Books