The Root DNSSEC Design Team is pleased to report that the first fully
validatable production signed root zone, with SOA serial number 2010071501,
was published and began rolling out to the root servers at 2050 UTC.
The Root Trust Anchor can be found at the IANA DNSSEC
website.
Here is a first press release from ISC, which operates the F-Root DNS
Servers.
Press release from ICANN, which has a coordination role for the
Internet's naming system.
Press release from VeriSign, which operates two of the DNS Root
Servers (A+J).
Press release from US Department of Commerce, which is principally
responsible for advising the US President on communications and information
policies.
The White House Office of Science and Technology Policy also
writes about the DNSSEC signed root zone.
DNSSEC (short for DNS Security Extensions) adds security
to the Domain Name System.
DNSSEC was designed to protect the Internet
from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which
provide: a) origin authentication of DNS data, b) data integrity, and c)
authenticated denial of existence.
These mechanisms require changes to the DNS protocol. DNSSEC adds four
new resource record types: Resource Record Signature (RRSIG), DNS Public
Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new
RRs are described in detail in RFC 4034.
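As an added example (not code from this site), the following derives the key tag (RFC 4034 Appendix B) and the SHA-256 DS record (RFC 4034 section 5, RFC 4509) from a DNSKEY, and performs the check a validator does when it compares a DS from the parent zone, or a configured trust anchor such as the root's, against a child DNSKEY. The owner name and key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6): lowercase, uncompressed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, then the public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b  # even positions are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).digest()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form of the DS RR that the parent zone publishes for this key."""
    return "%s. IN DS %d %d %d %s" % (owner.lower().rstrip("."), key_tag(rdata),
                                      rdata[3], digest_type,
                                      ds_digest(owner, rdata, digest_type).hex().upper())


def ds_matches(owner: str, rdata: bytes, tag: int, algorithm: int,
               digest_type: int, digest: bytes) -> bool:
    """Validator-side check: does this DS (parent zone or trust anchor) vouch for this DNSKEY?"""
    return (key_tag(rdata) == tag and rdata[3] == algorithm
            and ds_digest(owner, rdata, digest_type) == digest)


# Constructed sample (placeholder, not a real key): a KSK, flags 257 = ZONE|SEP, algorithm 8.
SAMPLE_OWNER = "Example."
SAMPLE_RDATA = dnskey_rdata(257, 8, bytes(range(1, 9)))

if __name__ == "__main__":
    print(ds_record(SAMPLE_OWNER, SAMPLE_RDATA))
```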
It also adds two new DNS
header flags: Checking Disabled (CD) and Authenticated Data (AD). In
order to support the larger DNS message sizes that result from adding
the DNSSEC RRs, DNSSEC also requires EDNS0 support (RFC 2671).
Finally, DNSSEC requires support for the DNSSEC OK (DO) EDNS header bit
(RFC 3225) so that a security-aware resolver can
indicate in its queries that it wishes to receive DNSSEC RRs in response
messages. By validating the signature, a resolver can check that the
data it received is authentic and complete, i.e. identical to what the
authoritative DNS server published.
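As an added illustration, not code from this site, the following builds a query carrying an EDNS0 OPT record with the DO bit set, and decodes the AD and CD flags and the RCODE from a response header. The query ID and the two response headers are constructed samples, not captured traffic.

```python
import struct

QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010  # DNS header flag bits
OPT_TYPE, EDNS_DO = 41, 0x8000  # OPT pseudo-RR type; DO is bit 15 of the extended flags


def opt_record(udp_size: int = 4096, do: bool = True) -> bytes:
    """EDNS0 OPT RR (RFC 2671): root name, TYPE=41, CLASS carries the UDP payload size,
    TTL carries ext-RCODE | version | flags (DO per RFC 3225), empty RDATA."""
    ext_flags = EDNS_DO if do else 0
    return b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, ext_flags, 0)


def build_query(qname: str, qtype: int, qid: int, do: bool = True, cd: bool = False) -> bytes:
    """Recursive query with one question and one OPT RR in the additional section."""
    flags = RD | (CD if cd else 0)  # CD asks the resolver to pass data through unvalidated
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # class IN
    return header + question + opt_record(do=do)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header; AD set means the resolver validated every RRset."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_opt(rr: bytes) -> dict:
    """Decode an OPT RR (as emitted by opt_record) into udp_size, version and DO."""
    _, udp_size, _ext_rcode, version, ext_flags, _ = struct.unpack("!HHBBHH", rr[1:11])
    return {"udp_size": udp_size, "version": version, "do": bool(ext_flags & EDNS_DO)}


# Constructed sample response headers:
# 0x81A0 = QR|RD|RA|AD, RCODE 0 (validated answer); 0x8182 = QR|RD|RA, RCODE 2
# (SERVFAIL, which is what a validating resolver returns for bogus data)
VALIDATED_HDR = bytes.fromhex("1234 81a0 0001 0001 0000 0001")
SERVFAIL_HDR = bytes.fromhex("1234 8182 0001 0000 0000 0001")

if __name__ == "__main__":
    print(build_query("www.example.", 1, 0x1234).hex())
    print(parse_header(VALIDATED_HDR), parse_header(SERVFAIL_HDR))
```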
DNSSEC services protect against most of the threats to the Domain Name
System. There are several distinct classes of threats to the Domain Name System,
most of which are DNS-related instances of more general problems, but a
few of which are specific to peculiarities of the DNS protocol.
Note that DNSSEC does not provide confidentiality of data, and it does
not protect against DDoS attacks.
------
[0] A comprehensive threat analysis of the Domain Name System can be
found in RFC 3833. This RFC describes some of the known threats to the
DNS and, in doing so, attempts to measure to what extent DNSSEC is a
useful tool in defending against these threats.
More information (research, publications, links) about DNS Weaknesses
can be found in the DNS Threats section.
This website is your independent starting point for all DNSSEC
and Secure DNS related information. You will find all major DNSSEC presentations, DNSSEC publications and DNSSEC research
documents.
The core of the DNSSEC specification is described in the following three
RFCs, published March 2005:
RFC 4033 - DNS Security Introduction and Requirements
RFC 4034 - Resource Records for the DNS Security Extensions
RFC 4035 - Protocol Modifications for the DNS Security Extensions
RFC 5155 (March 2008) introduces an alternative resource record, NSEC3, which provides additional measures against zone enumeration and permits gradual expansion of delegation-centric zones.
RFC 5155 - DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
Related RFCs, such as RFC 5910, describe how to map DNSSEC for the
Extensible Provisioning Protocol (EPP). RFC 4641 describes DNSSEC Operational
Practices.
RFC 5910 - Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
RFC 4641 - DNSSEC Operational Practices
DNSSEC Key Management, including Key Rollover, is done using specialized
DNSSEC software, which can be standalone tools or add-ons to your
existing DNS software. All major DNS software will have full or partial
DNSSEC functionality built in within the next few years.
To make deployment of DNSSEC easier, one can also buy a dedicated
"DNSSEC Appliance", which acts as an automated DNS signer for DNS zones.
Several vendors are already offering commercial and non-commercial
solutions for signing DNS in real time, some of them using external
cryptographic hardware such as HSMs (Hardware Security Modules),
including USB tokens and smart cards.
General background info on the Domain Name System (DNS) and its
workings is available on our companion website Bind9.net - in the DNS Links and DNS RFCs sections in
particular.
Essential Reading
DNSSEC Deployment at the DNS Root Zone: Requirements, Policies, and Status Updates
ICANN & Verisign, Dec 2009
Secure Domain Name System (DNS) Deployment Guide
NIST Special Publication 800-81, Apr 2010
Hardening the Internet: The Impact and Importance of DNSSEC
SURFnet, Paul Brand, Rick van Rein, Roland van Rijswijk, David Yoshikawa, 2009
7 Things You Should Know About DNSSEC
EDUCAUSE, Jan 2010
DNSSEC in 6 Minutes
Alan Clegg, Internet Systems Consortium, Jun 2008
The Signed Root Is Coming! (And what this means for you)
Peter Loscher, Internet Systems Consortium, Jan 2010
Are you ready for DNSSEC? And what to ask your vendors
Michael Graff, Internet Systems Consortium, May 2010
DNSSEC Howto 2009
Olaf Kolkman, NLnet Labs / RIPE NCC, Jun 2009
DNSSEC Training Course
Olaf Kolkman, RIPE NCC, Q3/2004
DNSSEC Deployment at the RIPE NCC
(part of the reverse DNS restructuring project) RIPE NCC, Jul 2005
DNSSEC Key Management Tools released
Olaf Kolkman, RIPE NCC, Apr 2005
Good Practices Guide for Deploying DNSSEC
ENISA, Mar 2010
Study on the Costs of DNSSEC Deployment
ENISA, Nov 2009
Resilience Features in Communication Networks: IPv6, DNSSEC and MPLS
ENISA, Jan 2009
Stock Taking Report on the Technologies Enhancing Resilience of Public Communication Networks in the EU Member States
ENISA, May 2009
DNSSEC Deployment Programme Website
ISOC Deploy360
DNSSEC Part 1 The Theory
Geoff Huston, ISOC, Aug 2006
DNSSEC Part 2 The Practice
Geoff Huston, ISOC, Sep 2006
DNSSEC Part 3 The Opinion
Geoff Huston, ISOC, Oct 2006
DNSSEC Training Material
NLnet Labs, Oct 2008
DNSSEC: The Protocol, Deployment, and a Bit of Development
Miek Gieben in Cisco IPJ Magazine, Jun 2004