What the Heck is DNSSEC?
Feb 02, 2011, 00:04
(Other stories by Diana Kelley)
"How DNSSEC Can Help
"The core issues underlying DNS insecurity are lack of trust
(including mutual authentication), integrity, and availability.
Trust relates to whether or not the information received is coming
from a trusted/reliable source or not. Integrity speaks to
maintaining the validity of the data where it is stored and when it
is updated, as well as tamper-proofing during transmission of a
query response. Availability includes whether or not the service is
able to respond – if a DNS server can't answer the query, the
machine's numerical address can't be mapped and a DoS occurs.
"One proposed solution to some of the security issues with DNS
is a series of IETF specifications known as the DNS Security
Extensions (DNSSEC), currently IETF RFC 2535. This was first
introduced in November 1993 "at the 28th IETF meeting in Houston."
The core strategy was to use digital signatures to provide data
integrity and data origin authentication for DNS queries, but it
did not include mutual authentication for changes to DNS records or
controls to mitigate availability issues. IETF RFC 3833, "Threat
Analysis of the Domain Name System (DNS)," provides a comprehensive
overview of the specific vulnerabilities and exposures in DNS that
DNSSEC attempts to mitigate."