DNSSEC
... This document introduces the Domain Name System Security Extensions
(DNSSEC). This document and its two companion documents ([RFC4034]
and [RFC4035 ...
... Definitions of Important DNSSEC Terms ...
... authentication key as a key signing key
is purely an operational issue: DNSSEC validation does not
distinguish between key signing keys and other DNSSEC
authentication keys, and it is possible to use a single key as ...
... Security-aware stub resolvers
may be either "validating" or "non-validating", depending on
whether the stub resolver attempts to verify DNSSEC signatures on
its own or trusts a friendly security-aware name server ...
... authentication key as a zone signing key
is purely an operational issue; DNSSEC validation does not
distinguish between zone signing keys and other DNSSEC
authentication keys, and it is possible to use a single key as ...
These mechanisms require changes to the DNS protocol. DNSSEC adds
four new resource record types: Resource Record ...
... AD). In order to support the larger DNS
message sizes that result from adding the DNSSEC RRs, DNSSEC also
requires EDNS0 support ([RFC2671]). Finally, DNSSEC requires support
for the DNSSEC OK (DO) EDNS header bit ([RFC3225 ...
... security-aware resolver can indicate in its queries that it wishes to
receive DNSSEC RRs in response messages.
These services ...
DNSSEC provides authentication by associating cryptographically
generated digital signatures ...
... authenticate that zone's signed data. An important DNSSEC concept is
that the key that signs a zone's data is associated with the zone
itself and not with the zone's authoritative name servers. (Public
keys ...
... authentication mechanisms may also appear in
zones, as described in [RFC2931], but DNSSEC itself is concerned with
object security of DNS data ...
... DS->DNSKEY subchains. DNSSEC permits more complex authentication
chains, such as additional layers of DNSKEY RRs ...
... public keys are properly
signed with verifiable signatures. DNSSEC provides mechanisms by
which a security-aware resolver can determine whether an RRset ...
... signature is "valid" within the meaning of DNSSEC. In the final
analysis, however, authenticating both DNS keys and data is a matter ...
... query, and that all data in the DNS is thus visible.
Accordingly, DNSSEC is not designed to provide confidentiality,
access control lists ...
... Scope of the DNSSEC Document Set and Last Hop Issues ...
... software of any kind between the security-aware resolver and the
authoritative name servers will interfere with DNSSEC.
If a security-aware ...
... security-aware recursive
name server will have to pay careful attention to the DNSSEC
"checking disabled" (CD ...
... to offload most of the work of DNS resolution to a recursive name
server. Given the widespread use of stub resolvers, the DNSSEC
architecture ...
Even a security-oblivious stub resolver may benefit from DNSSEC if
the recursive name servers it uses are security-aware, but for the
stub resolver to place any real reliance on DNSSEC services, the stub
resolver must trust ...
... security-oblivious stub resolver has no choice but to place itself at
the mercy of the recursive name servers that it uses, as it does not
perform DNSSEC validity checks on its own. The second issue requires
some kind of channel security ...
... bit in its query messages. A validating stub resolver is thus
able to treat the DNSSEC signatures as trust relationships between
the zone administrators ...
... RRSIG RR covering
that RRset. DNSSEC does not change the definition or function of the
TTL value, which is intended to maintain database ...
... header, subject to message
size limitations. Because inclusion of these DNSSEC RRs could easily
cause UDP message truncation and fallback to TCP ...
... mechanism.
If possible, the private half of each DNSSEC key pair should be kept
offline, but this will not be possible for a zone for which DNS ...
... zone signing key(s).
By itself, DNSSEC is not enough to protect the integrity of an entire
zone during zone transfer operations, as even a signed zone contains ...
The DNSSEC document set can be partitioned into several main groups,
under the larger umbrella of the DNS ...
... base protocol documents.
The "DNSSEC protocol document set" refers to the three documents that
form the core of the DNS security extensions ...
... group of documents that describe how specific digital
signature algorithms should be implemented to fit the DNSSEC resource
record format. Each document in this set deals with a specific
digital signature ...
... digital signature algorithm. Please see the appendix on "DNSSEC
Algorithm and Digest Types" in [RFC4034] for a list of the algorithms ...
... verification. Although not
strictly part of the DNSSEC specification as defined in this set of
documents, this group is noted because of its relationship to DNSSEC.
The final document set, "New Security ...
... DNS Security extensions for other security
related purposes. DNSSEC does not provide any direct security for
these new uses but may be used to support them. Documents that fall ...
... A non-validating security-aware stub resolver, by definition, does
not perform DNSSEC signature validation on its own and thus is
vulnerable both to attacks ...
... security-aware stub resolver.
DNSSEC does not protect against denial of service attacks. DNSSEC
makes DNS vulnerable to a new class ...
... security-aware name servers, as an attacker can attempt to use
DNSSEC mechanisms to consume a victim's resources. This class of
attacks ...
... frequently than would otherwise be necessary.
Due to a deliberate design choice, DNSSEC does not provide
confidentiality.
DNSSEC introduces the ability for a hostile party to enumerate all
the names in a zone by following the NSEC chain. NSEC RRs ...
... other resources by enumerating the contents of a zone.
DNSSEC introduces significant additional complexity to the DNS and
thus introduces many new opportunities for implementation bugs and
misconfigured zones. In particular, enabling DNSSEC signature
validation in a resolver may cause entire legitimate zones to become
effectively unreachable due to DNSSEC configuration errors or bugs.
DNSSEC does not protect against tampering with unsigned zone data.
Non-authoritative data at zone cuts (glue and NS RRs ...
... authentication chain, but it does mean that the non-authoritative
data itself is vulnerable to tampering during zone transfer
operations. Thus, while DNSSEC can provide data origin
authentication and data integrity for RRsets, it cannot do so for ...
... DNS Extensions Working Group. Although explicitly listing
everyone who has contributed during the decade in which DNSSEC has
been under development would be impossible, the editors would
particularly like to thank the following people for their ...
