The Root DNSSEC Design Team is pleased to report that the first fully
validatable production signed root zone, with SOA serial number 2010071501,
was published and began rolling out to the root servers at 2050 UTC.
  
The Root Trust Anchor can be found at the IANA DNSSEC
website.
  
Here is a first press release from ISC, which operates the F-Root DNS
Servers.
  
Press release from ICANN, which has a coordinating role for the
Internet's naming system.
  
Press release from VeriSign, which operates two of the DNS Root
Servers (A+J).
  
Press release from the US Department of Commerce, which is principally
responsible for advising the US President on communications and information
policies.
  
The White House Office of Science and Technology Policy also
writes about the DNSSEC-signed root zone.
  
    DNSSEC (short for DNS Security Extensions) adds security
    to the Domain Name System.
  
    DNSSEC was designed to protect the Internet
    from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS that
    provide: a) origin authentication of DNS data, b) data integrity, and c)
    authenticated denial of existence.
  
    These mechanisms require changes to the DNS protocol. DNSSEC adds four
    new resource record types: Resource Record Signature (RRSIG), DNS Public
    Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new
    RRs are described in detail in RFC 4034.
  
    It also adds two new DNS
    header flags: Checking Disabled (CD) and Authenticated Data (AD). In
    order to support the larger DNS message sizes that result from adding
    the DNSSEC RRs, DNSSEC also requires EDNS0 support (RFC 2671).
  
    Finally, DNSSEC requires support for the DNSSEC OK (DO) EDNS header bit
    (RFC 3225) so that a security-aware resolver can
    indicate in its queries that it wishes to receive DNSSEC RRs in response
    messages. By checking the signatures, a resolver can verify that the
    data it received is identical (correct and complete) to what the
    authoritative DNS server published.
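As an added illustration (not code from this site or from any of the documents it links), the following Python builds a query that carries an EDNS0 OPT record with the DO bit set, and decodes the AD and CD header bits and the OPT record from a message; the wire layout follows RFC 1035, RFC 2671 and RFC 3225, and the messages it handles are constructed inline rather than captured from a real server.

```python
import struct

FLAG_AD, FLAG_CD = 0x0020, 0x0010  # header bits: Authenticated Data / Checking Disabled (RFC 4035)
EDNS_DO = 0x8000                    # DNSSEC OK bit: top bit of the OPT RR's TTL field (RFC 3225)
TYPE_OPT = 41                       # EDNS0 OPT pseudo-RR (RFC 2671)

def encode_name(name):
    """Encode a dotted name in (uncompressed) DNS wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dnssec_query(qname, qtype, txid=0x1234, udp_size=4096, cd=False):
    """Query with an EDNS0 OPT RR whose DO bit asks for DNSSEC RRs in the reply."""
    flags = 0x0100 | (FLAG_CD if cd else 0)          # RD, plus CD if the caller validates itself
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT RR: root owner name, TYPE 41, CLASS = our maximum UDP payload size,
    # TTL = extended RCODE(8) | version(8) | DO(1) | Z(15), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while msg[off] != 0:
        if msg[off] >= 0xC0:     # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def header_flags(msg):
    """Decode the DNSSEC-relevant header bits of a DNS message."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return {"ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F}

def edns_info(msg):
    """Walk every section; return (udp_size, do_bit) from the OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & EDNS_DO)
    return None
```

A validating resolver sets CD on its own queries so that an upstream resolver hands back unvalidated data; a stub that trusts its resolver instead relies on the AD bit in the response.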
  
    DNSSEC services protect against most of the threats to the Domain Name
    System. There are several distinct classes of threats to the Domain Name System,
    most of which are DNS-related instances of more general problems, but a
    few of which are specific to peculiarities of the DNS protocol.
  
    Note that DNSSEC does not provide confidentiality of data, nor does it
    protect against DDoS attacks.
  
    ------
    [0] A comprehensive threat analysis of the Domain Name System can be
    found in RFC 3833. This RFC describes some of the known threats to the
    DNS and, in doing so, attempts to measure to what extent DNSSEC is a
    useful tool in defending against them.
  
    More information (research, publications, links) about DNS Weaknesses
    can be found in the DNS Threats section.
    This website is your independent starting point for all DNSSEC
    and secure DNS related information. You will find all major DNSSEC
    presentations, publications and research documents here.
  
    The core of the DNSSEC specification is described in the following three
    RFCs, published March 2005:
  
    RFC 4033 - DNS Security Introduction and Requirements
    RFC 4034 - Resource Records for the DNS Security Extensions
    RFC 4035 - Protocol Modifications for the DNS Security Extensions
  
    RFC 5155 (March 2008) introduces an alternative resource record, NSEC3, which provides additional measures against zone enumeration and permits gradual expansion of delegation-centric zones.
  
    RFC 5155 - DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
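As an added example (not from this site or from RFC 5155 itself), the following Python computes the hashed owner name as RFC 5155 defines it (salted, iterated SHA-1 over the canonical wire-format name, encoded in base32hex) and the interval test a validator applies to decide whether an NSEC3 record covers a queried name; the short hash strings used in the usage note and test are placeholders, not real NSEC3 owner names.

```python
import base64
import hashlib

def canonical_wire(name):
    """Owner name in canonical wire format (RFC 4034 section 6.2): lowercase labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations, algorithm=1):
    """Hashed owner name per RFC 5155 section 5:
    IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); output in base32hex."""
    if algorithm != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # RFC 4648 base32 with the Extended Hex alphabet; 20 bytes -> 32 chars, no padding
    std = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    hexa = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(digest).translate(bytes.maketrans(std, hexa)).decode().lower()

def nsec3_covers(owner_hash, next_hash, target_hash):
    """True if an NSEC3 RR [owner_hash, next_hash) proves target_hash is not in the zone.
    The hashed names form a sorted, circular chain; the last RR wraps to the first."""
    owner, nxt, target = (h.lower() for h in (owner_hash, next_hash, target_hash))
    if owner < nxt:                          # ordinary record inside the sorted chain
        return owner < target < nxt
    return target > owner or target < nxt    # last record in the chain wraps around
```

Running nsec3_hash with the parameters of the example zone in RFC 5155 Appendix A (salt aabbccdd, 12 iterations) lets you compare the output with the hashed owner names listed there.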
  
    Related RFCs, such as RFC 5910, describe how to map DNSSEC onto the
    Extensible Provisioning Protocol (EPP). RFC 4641 describes DNSSEC operational
    practices.
  
    RFC 5910 - Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
    RFC 4641 - DNSSEC Operational Practices
  
    DNSSEC key management, including key rollover, is done using specialized
    DNSSEC software, which can be standalone tools or add-ons to your
    existing DNS software. All major DNS software will have full or partial
    DNSSEC functionality built in within the next few years.
  
    To make deployment of DNSSEC easier, one can also buy a dedicated
    "DNSSEC appliance", which acts as an automated signer for DNS zones.
    Several vendors already offer commercial and non-commercial
    solutions for signing DNS zones in real time, some of them using external
    cryptographic hardware such as Hardware Security Modules (HSMs),
    including USB tokens and smart cards.
  
    General background information on the Domain Name System (DNS) and its
    workings is available on our companion website Bind9.net, in the DNS Links and DNS RFCs sections in
    particular.
  
  Related Reading
   DNSSEC Papers, Articles
   DNSSEC Presentations
   DNSSEC Tools
   DNSSEC Threats and Weaknesses
   DNS Links & Whitepapers
   BIND Howtos and Articles
   Domain Registration & EPP Resources
  
  Essential Reading

  DNSSEC Deployment at the DNS Root Zone: Requirements, Policies, and Status Updates
  ICANN & Verisign, Dec 2009

  Secure Domain Name System (DNS) Deployment Guide
  NIST Special Publication 800-81, Apr 2010

  Hardening the Internet: The Impact and Importance of DNSSEC
  SURFnet, Paul Brand, Rick van Rein, Roland van Rijswijk, David Yoshikawa, 2009

  7 Things You Should Know About DNSSEC
  EDUCAUSE, Jan 2010

  DNSSEC in 6 Minutes
  Alan Clegg, Internet Systems Consortium, Jun 2008

  The Signed Root Is Coming! (And what this means for you)
  Peter Losher, Internet Systems Consortium, Jan 2010

  Are you ready for DNSSEC? And what to ask your vendors
  Michael Graff, Internet Systems Consortium, May 2010

  DNSSEC Howto 2009
  Olaf Kolkman, NLnet Labs / RIPE NCC, Jun 2009

  DNSSEC Training Course
  Olaf Kolkman, RIPE NCC, Q3/2004

  DNSSEC Deployment at the RIPE NCC (part of the reverse DNS restructuring project)
  RIPE NCC, Jul 2005

  DNSSEC Key Management Tools released
  Olaf Kolkman, RIPE NCC, Apr 2005

  Good Practices Guide for Deploying DNSSEC
  ENISA, Mar 2010

  Study on the Costs of DNSSEC Deployment
  ENISA, Nov 2009

  Resilience Features in Communication Networks: IPv6, DNSSEC and MPLS
  ENISA, Jan 2009

  Stock Taking Report on the Technologies Enhancing Resilience of Public Communication Networks in the EU Member States
  ENISA, May 2009

  DNSSEC Deployment Programme Website
  ISOC Deploy360

  DNSSEC Part 1: The Theory
  Geoff Huston, ISOC, Aug 2006

  DNSSEC Part 2: The Practice
  Geoff Huston, ISOC, Sep 2006

  DNSSEC Part 3: The Opinion
  Geoff Huston, ISOC, Oct 2006

  DNSSEC Training Material
  NLnet Labs, Oct 2008

  DNSSEC: The Protocol, Deployment, and a Bit of Development
  Miek Gieben in Cisco IPJ Magazine, Jun 2004