DNS
... consist of a set of new resource record types and modifications to
the existing DNS protocol ([RFC1035]). The new records and protocol
modifications are not fully described in this document, but are
...
... DNSSEC.
The DNS security extensions provide origin authentication and
integrity protection for DNS data, as well as a means of public key
distribution. These extensions do not provide confidentiality ...
... DNSKEY RR whose corresponding
private key signs the desired DNS data. For example, the root
DNSKEY ...
... authentication keys can be authenticated
by some trusted means out of band from the DNS protocol.
Key Signing ...
... security-aware
stub resolver is an entity that sends DNS queries, receives DNS
responses, and is capable of establishing an appropriately secured
channel to a security-aware ...
... name
server (defined in section 2.4 of [RFC1034]) that understands the
DNS security extensions defined in this document set. In
particular, a security-aware name server ...
... role of a resolver
(defined in section 2.4 of [RFC1034]) that understands the DNS
security extensions defined in this document set. In particular,
a security-aware resolver is an entity that sends DNS queries,
receives DNS responses, supports the EDNS0 ([RFC2671]) message
size ...
... resolver (defined in section 5.3.1 of [RFC1034]) that has enough
of an understanding of the DNS security extensions defined in this
document set to provide additional services not available from a
...
... starting point for building the authentication chain to a signed
DNS response. In general, a validating resolver will have to
obtain the initial values of its trust anchors via some secure or
trusted means outside the DNS protocol. Presence of a trust
anchor also implies that the resolver should expect the zone to
which the trust anchor ...
... Services Provided by DNS Security ...
...
The Domain Name System (DNS) security extensions provide origin
authentication and integrity assurance services for DNS data,
including mechanisms for authenticated denial of existence of DNS
data. These mechanisms are described below.
These mechanisms require changes to the DNS protocol. DNSSEC adds
four new resource record ...
... CD) and Authenticated Data (AD). In order to support the larger DNS
message sizes that result from adding the DNSSEC RRs, DNSSEC ...
... authentication by associating cryptographically
generated digital signatures with DNS RRsets. These digital
signatures are stored in a new resource record, the RRSIG ...
... that the key that signs a zone's data is associated with the zone
itself and not with the zone's authoritative name servers. (Public
keys for DNS transaction authentication mechanisms may also appear in
...
... security of DNS data, not channel security of DNS
transactions. The keys associated with transaction ...
... public key either by
having a trust anchor configured into the resolver or by normal DNS
resolution. To allow the latter, public keys are stored in a new
...
... used to sign zone data must be kept secure and should be stored
offline when practical. To discover a public key reliably via DNS
resolution, the target key itself has to be signed by either a
...
... trust anchor is the hash of a key rather than the key
itself, the resolver may have to obtain the key via a DNS query. To
help security-aware resolvers establish this authentication
chain from the root of the DNS hierarchy down to the leaf zones based
on configured knowledge of the public key for the root ...
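The link described above, in which a trust anchor or a parent zone's DS record holds a hash of the child's DNSKEY rather than the key itself, can be checked locally. The following is an added example, not text or code from RFC 4033 or from this page: it computes the DNSKEY key tag of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4 (using the SHA-256 digest type from RFC 4509 by default), and then checks a DS against a candidate DNSKEY the way a validator does when walking the chain down one zone cut. The owner names, the four-octet stand-in public key and the helper names `make_ds`, `ds_matches_dnskey` and `demo` are constructed for this illustration. Only the DS-to-DNSKEY link is checked; verifying the RRSIG over the child's DNSKEY RRset, which is the other half of each step, is not shown.

```python
import hashlib
import hmac
import struct

# DS digest types: 1 = SHA-1 (RFC 4034 section 5.1.3), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}
ZONE_KEY_FLAG = 0x0100  # bit 7 of the DNSKEY Flags field (RFC 4034 section 2.1.1)


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
    each label prefixed by its length, terminated by the zero-length root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA in wire format: Flags (16 bits), Protocol, Algorithm, Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian
    words, fold the carry back in, keep the low 16 bits. Algorithm 1
    (RSA/MD5) uses a different rule and is rejected here."""
    if rdata[3] == 1:
        raise NotImplementedError("algorithm 1 key tags are not computed here")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name | DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(canonical_name(owner))
    h.update(rdata)
    return h.digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """Build the DS RDATA fields a parent zone (or a trust anchor) would hold."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Check the DS-to-DNSKEY link of an authentication chain: the DNSKEY must
    be a zone key with protocol 3, carry the key tag and algorithm named in
    the DS, and hash to the DS digest under the child's owner name.
    No RRSIG is verified here, so this is one link, not the whole chain."""
    if ds["digest_type"] not in DIGEST_ALGS:
        return False  # unknown digest type: this DS cannot be used to validate
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if not flags & ZONE_KEY_FLAG or protocol != 3:
        return False
    if algorithm != ds["algorithm"] or key_tag(rdata) != ds["key_tag"]:
        return False
    return hmac.compare_digest(ds["digest"], ds_digest(owner, rdata, ds["digest_type"]))


# Constructed sample key (not real key material): a KSK-style DNSKEY
# (flags 257 = zone key + SEP) for algorithm 8 with a four-octet stand-in key.
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
SAMPLE_DS = make_ds("example.com.", SAMPLE_RDATA)


def demo() -> dict:
    """Run the checks a validator makes when stepping from a DS to a DNSKEY."""
    tampered = SAMPLE_RDATA[:-1] + b"\x05"  # one public-key octet changed
    return {
        "key_tag": key_tag(SAMPLE_RDATA),
        "matches": ds_matches_dnskey(SAMPLE_DS, "EXAMPLE.COM", SAMPLE_RDATA),
        "tampered_key_rejected": not ds_matches_dnskey(SAMPLE_DS, "example.com", tampered),
        "wrong_owner_rejected": not ds_matches_dnskey(SAMPLE_DS, "example.net", SAMPLE_RDATA),
    }


if __name__ == "__main__":
    print(demo())
```

The owner name is part of the hashed input, so a DS published for `example.com` cannot be replayed to vouch for the same key under another name, and the case-folding in `canonical_name` is what makes `EXAMPLE.COM` and `example.com` produce the same digest. A validator that receives a DS with a digest type it does not implement treats the link as unusable rather than as verified, which is why the unknown-type case returns `False`.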
... valid" within the meaning of DNSSEC. In the final
analysis, however, authenticating both DNS keys and data is a matter
of local policy, which may extend or even override the protocol
extensions defined in this document set. See Section 5 for further
...
... authenticate a negative reply for either name or type non-existence
with the same mechanisms used to authenticate other DNS replies. Use
of NSEC records requires a canonical ...
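Authenticated denial with NSEC rests on the canonical ordering just mentioned: an NSEC RR asserts that no name exists between its owner and its Next Domain Name in that order. As an added example, not code from RFC 4033 or from this page, the block below implements the canonical name order of RFC 4034 section 6.1 (labels compared from the right, case-folded, an ancestor sorting before its descendants), checks it against the ordering example given in that section, and uses it to decide whether a constructed NSEC chain for a zone `example` covers a queried name. The zone, its three NSEC records and the helper names `canonical_cmp`, `nsec_covers` and `find_covering_nsec` are constructed here. Verifying the RRSIG over the NSEC RRset and the wildcard and closest-encloser rules of RFC 4035 are not covered.

```python
from functools import cmp_to_key


def canonical_labels(name: str) -> list:
    """Labels of a name, lowercased, most significant (rightmost) first,
    which is the order RFC 4034 section 6.1 compares them in."""
    return [label.lower() for label in name.rstrip(".").split(".") if label][::-1]


def canonical_cmp(a: str, b: str) -> int:
    """Canonical DNS name order (RFC 4034 section 6.1): compare label by label
    from the right as unsigned octet strings after lowercasing; when one name
    runs out of labels it is an ancestor of the other and sorts first.
    Returns -1, 0 or 1 like a classic comparator."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            # latin-1 keeps single octets such as \001 and \200 comparable as octets
            return -1 if x.encode("latin-1") < y.encode("latin-1") else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def canonical_sort(names: list) -> list:
    """Sort names into canonical order using the comparator above."""
    return sorted(names, key=cmp_to_key(canonical_cmp))


def nsec_covers(owner: str, next_name: str, qname: str, zone_apex: str) -> bool:
    """Does an NSEC RR (owner -> next_name) prove that qname does not exist?
    The NSEC asserts that no name exists strictly between owner and next_name
    in canonical order; the last NSEC of the zone points back to the apex
    (RFC 4034 section 4.1.1), so anything sorting after its owner is covered."""
    if canonical_cmp(qname, owner) <= 0:
        return False  # qname is the owner itself (it exists) or sorts before it
    if canonical_cmp(next_name, zone_apex) == 0:
        return True   # wrap-around NSEC: covers everything after owner
    return canonical_cmp(qname, next_name) < 0


# The ordering example from RFC 4034 section 6.1; \001 and \200 in the RFC's
# presentation format are the single octets 0x01 and 0x80 here.
RFC4034_ORDER = ["example", "a.example", "yljkjljk.a.example", "Z.a.example",
                 "zABC.a.EXAMPLE", "z.example", "\x01.z.example", "*.z.example",
                 "\x80.z.example"]

# Constructed zone "example" with three names; its NSEC chain closes on the apex.
ZONE_APEX = "example"
NSEC_CHAIN = [("example", "a.example"), ("a.example", "z.example"), ("z.example", "example")]


def find_covering_nsec(qname: str):
    """Return the (owner, next) NSEC from the chain that covers qname, or None
    when no record covers it (for instance because the name exists)."""
    for owner, nxt in NSEC_CHAIN:
        if nsec_covers(owner, nxt, qname, ZONE_APEX):
            return (owner, nxt)
    return None


if __name__ == "__main__":
    print(canonical_sort(list(reversed(RFC4034_ORDER))))
    for q in ("m.example", "zz.example", "b.a.example", "a.example"):
        print(q, "->", find_covering_nsec(q))
```

Because the chain wraps to the apex, a query for a name that sorts after the last owner (`zz.example` here) is still answered by a single NSEC. A name that is itself an NSEC owner is never "covered", since the record proves the gap after it, not its own absence; that is the case the `<= 0` comparison handles.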
... Services Not Provided by DNS Security ...
...
DNS was originally designed with the assumptions that the DNS will
return the same answer to any given query regardless of who may have
issued the query, and that all data in the DNS is thus visible.
Accordingly, DNSSEC is not designed to provide confidentiality ...
... cryptographic operations. Please see Section 12 for details.
The DNS security extensions provide data and origin authentication
for DNS data. The mechanisms outlined above are not designed to
protect operations such as zone transfers and dynamic update
...
... authentication key, as described above. This
process might require additional queries to intermediate DNS zones to
obtain necessary DNSKEY ...
... name server or by any sort
of intermediary device that acts as a proxy for DNS, and if the
recursive name server or intermediary device is not security-aware ...
... network address translation (NAT) device that
includes a DNS proxy that is not security-aware, the security-aware
resolver may find it difficult or impossible to obtain or validate
signed DNS data. The security-aware resolver may have a particularly
difficult time obtaining DS RRs in such a case, as DS RRs do not
follow the usual DNS rules for ownership of RRs at zone cuts. Note
that this problem is not specific to NATs: any security-oblivious DNS
software of any kind between the security-aware resolver and the
...
... security aware, the resolver may not be able to
validate DNS responses and will need a local policy on whether to
accept unverified responses.
...
Although not strictly required to do so by the protocol, most DNS
queries originate from stub resolvers. Stub resolvers, by
definition, are minimal DNS resolvers that use recursive query mode
to offload most of the work of DNS resolution to a recursive name
server. Given the widespread use of stub resolvers, the DNSSEC
...
... validity checks on its own. The second issue requires
some kind of channel security mechanism; proper use of DNS
transaction authentication mechanisms ...
...
Information in a signed zone has a temporal dependency that did not
exist in the original DNS protocol. A signed zone requires regular
maintenance to ensure that each RRset in the zone has a current valid ...
... re-signing any RRset in a zone may also trigger DNS NOTIFY messages
and zone transfer operations.
...
... DNSSEC key pair should be kept
offline, but this will not be possible for a zone for which DNS
dynamic update has been enabled. In the dynamic update ...
... DNS Security Document Family ...
... DNSSEC document set can be partitioned into several main groups,
under the larger umbrella of the DNS base protocol documents.
...
... DNSSEC protocol document set" refers to the three documents that
form the core of the DNS security extensions:
1. DNS Security ...
... RFC4035]
Additionally, any document that would add to or change the core DNS
Security extensions would fall into this category. This includes any
future work on the communication between security-aware stub
...
... Authentication Protocol" document set refers to the
group of documents that deal with DNS message authentication,
including secret key establishment ...
... The final document set, "New Security Uses", refers to documents that
seek to use proposed DNS Security extensions for other security
related purposes. DNSSEC ...
... security for
these new uses but may be used to support them. Documents that fall
in this category include those describing the use of DNS in the
storage and distribution of certificates ([RFC2538 ...
...
This document introduces DNS security extensions and describes the
document set that contains the new security records and DNS protocol
modifications. The extensions provide data origin authentication and
...
... In order for a security-aware resolver to validate a DNS response,
all zones along the path from the trusted starting point to the zone
...
... security-aware name server, or for any
DNS data that the resolver is only able to obtain through a recursive
name server that is not security-aware ...
... security-aware resolver cannot validate the affected DNS data.
This document briefly discusses other methods of adding security to a
DNS query, such as using a channel secured by IPsec or using a DNS
transaction authentication mechanism ...
... denial of service attacks. DNSSEC
makes DNS vulnerable to a new class of denial of service attacks
...
... consume resources in a security-aware name server that supports DNS
dynamic update, by sending a stream ...
... obtain all the names in a zone. Although this is not an attack on
the DNS itself, it could allow an attacker to map network hosts ...
...
DNSSEC introduces significant additional complexity to the DNS and
thus introduces many new opportunities for implementation bugs and
misconfigured zones. In particular, enabling DNSSEC signature ...
... This document was created from the input and ideas of the members of
the DNS Extensions Working Group. Although explicitly listing
everyone who has contributed during the decade in which DNSSEC ...
... Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for DNS Security Extensions", RFC 4034, March 2005. ...
... Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005. ...
... Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April 1997. ...
... Eastlake 3rd, D. and O. Gudmundsson, "Storing Certificates in the Domain Name System (DNS)", RFC 2538, March 1999. ...
... Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, November 2000. ...
... Lewis, E., "DNS Security Extension Clarification on Zone Status", RFC 3090, March 2001. ...
... Gustafsson, A., "Handling of Unknown DNS Resource Record (RR) Types", RFC 3597, September 2003. ...
... Atkins, D. and R. Austein, "Threat Analysis of the Domain Name System (DNS)", RFC 3833, August 2004. ...
