DNSSEC - The DNS Security Extensions
The Root DNSSEC Design Team is pleased to report that the first fully validatable production signed root zone, with SOA serial number 2010071501, was published and began rolling out to the root servers at 2050 UTC. The Root Trust Anchor can be found at the IANA DNSSEC website. Here is a first press release from ISC, which operates the F-Root DNS Servers. Press release from ICANN, which has a 'coordination' role of the Internet's naming system. Press release from VeriSign, which operates two of the DNS Root Servers (A+J). Press release from the US Department of Commerce, which is principally responsible for advising the US President on communications and information policies. The White House, Office of Science and Technology Policy, also writes about the DNSSEC Signed Root Zone.

DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System. DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence. These mechanisms require changes to the DNS protocol. DNSSEC adds four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new RRs are described in detail in RFC 4034. It also adds two new DNS header flags: Checking Disabled (CD) and Authenticated Data (AD). In order to support the larger DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also requires EDNS0 support (RFC 2671). Finally, DNSSEC requires support for the DNSSEC OK (DO) EDNS header bit (RFC 3225) so that a security-aware resolver can indicate in its queries that it wishes to receive DNSSEC RRs in response messages. By validating the signature, a DNS resolver can check that the information it received is identical (correct and complete) to the data held on the authoritative DNS server.
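The following is an added example (not code from the original page or from any DNSSEC implementation) showing, at the wire-format level, the pieces of the protocol named above: a query carrying an EDNS0 OPT pseudo-RR with the DO bit set and an optional CD header flag, and the parsing of a response header for the AD flag and of the additional section for the OPT record. The query name `example.com.`, the address `192.0.2.1` and the transaction id are constructed sample values; no network traffic is sent, so the "validated response" is built locally to exercise the parser, including a name-compression pointer.

```python
import struct

# DNS header flag bits (RFC 1035, with AD and CD from RFC 4035)
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authenticated Data: set by a validating resolver
FLAG_CD = 0x0010   # Checking Disabled: "send it even if validation fails, I validate"

EDNS_DO = 0x8000   # DNSSEC OK bit, the high bit of the OPT RR's 16-bit flags (RFC 3225)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, root-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off`, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def build_dnssec_query(qname, qtype=TYPE_A, txid=0x1234, udp_size=4096, cd=False):
    """Query with EDNS0 OPT RR, DO bit set, and optionally the CD header flag."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags (DO is in the flags half), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into the fields a security-aware stub cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_opt(msg):
    """Walk past question and RR sections to the OPT RR; return its DO bit, version and size."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4                   # QTYPE + QCLASS
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            return {"udp_size": rclass, "do": bool(ttl & EDNS_DO), "version": (ttl >> 16) & 0xFF}
        off += rdlen
    return None


def build_sample_validated_response(query, address="192.0.2.1"):
    """Constructed stand-in for what a validating resolver would return: AD set,
    one A record whose owner name is a compression pointer to the question (0xC00C),
    and an OPT RR echoing DO. Real responses would also carry RRSIG records."""
    hdr = parse_header(query)
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", hdr["id"], FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
    rdata = bytes(int(o) for o in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + answer + opt


def dnssec_status(response):
    """AD means the *resolver* validated the chain; a stub may only trust it if the
    path to that resolver is itself trusted. CD-flagged replies carry unvalidated data."""
    h = parse_header(response)
    if h["cd"]:
        return "unvalidated (CD set, validate locally)"
    return "authenticated" if h["ad"] else "not authenticated"


if __name__ == "__main__":
    q = build_dnssec_query("example.com.")
    r = build_sample_validated_response(q)
    print(parse_header(q), parse_opt(q))
    print(parse_header(r), parse_opt(r), dnssec_status(r))
```

Against a real resolver the same query bytes would be sent over UDP to port 53; the two parsers then tell you whether the resolver understood EDNS0/DO and whether it asserted validation via AD.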
DNSSEC services protect against most of the threats to the Domain Name System. There are several distinct classes of threats to the Domain Name System, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol. Note that DNSSEC does not provide confidentiality of data. Also, DNSSEC does not protect against DDoS attacks.

[0] A comprehensive Threat Analysis of the Domain Name System can be found in RFC 3833. This RFC attempts to describe some of the known threats to the DNS, and, in doing so, attempts to measure to what extent DNSSEC is a useful tool in defending against these threats. More information (research, publications, links) about DNS weaknesses can be found in the DNS Threats section.