DNSSEC
...
The DNS Security Extensions (DNSSEC) are a collection of new resource
records and protocol modifications that add data origin
authentication and data integrity ...
... data integrity to the DNS. This document defines
the DNSSEC protocol modifications. Section 2 of this document
defines the concept of a signed zone and lists the requirements for
...
... describes the behavior of entities that include security-aware
resolver functions. Finally, Section 5 defines how to use DNSSEC RRs
to authenticate a response.
...
This document is part of a family of documents defining DNSSEC that
should be read together as a set.
...
[RFC4033] contains an introduction to DNSSEC and definitions of
common terms; the reader is assumed to be familiar with this
document. [RFC4033 ...
... to the rules in this section is an unsigned zone.
DNSSEC requires a change to the definition of the CNAME resource
record ([RFC1035 ...
...
DNSSEC introduced two new RR types that are unusual in that they can
appear at the parental side of a zone cut. At the parental side of a
...
... RCODE 5 ("Refused").
DNSSEC does not change the DNS zone transfer protocol. Section 3.1.5
discusses zone transfer requirements ...
... security-aware
authoritative name server returning a referral includes DNSSEC data
along with the NS RRset ...
... query is not set, the name server side
MUST strip any authenticating DNSSEC RRs from the response but MUST
NOT strip any DNSSEC RR types that the initiating query explicitly
...
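The DO-bit rule quoted above in working code, as an added example that is not text or code from RFC 4035 and not taken from any named name-server implementation. It builds a query carrying an EDNS0 OPT pseudo-RR with DO set or clear, parses the DO state back out on the name-server side, and applies the Section 3.2.1 rule to a constructed answer: with DO clear the RRSIG is stripped, but a DS the question explicitly asked for is kept. The names, RR tuples, the serve() helper, the default payload size and the choice to treat qtype ANY as not an explicit request for any single type are this example's own assumptions.

```python
"""
Wire-level handling of the EDNS0 DO bit and the RFC 4035 Section 3.2.1
stripping rule, standard library only. All names, RR tuples and messages
here are constructed for this example; none come from a real zone.
"""
import struct

# RR type codes: RFC 1035 (A), RFC 4034 (DS, RRSIG, NSEC, DNSKEY), RFC 6891 (OPT)
TYPE_A, TYPE_OPT, TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY = 1, 41, 43, 46, 47, 48
DNSSEC_TYPES = {TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY}
EDNS_DO = 0x8000  # DO is the most significant bit of the OPT extended flags (RFC 3225)


def encode_name(name):
    """Encode a dotted owner name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode uncompressed labels at msg[off:]; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_opt(do, udp_size=1232):
    """OPT pseudo-RR: NAME=root, TYPE=41, CLASS=UDP payload size,
    TTL=ext-rcode(8)|version(8)|flags(16), RDLENGTH=0 (1232 is an assumption)."""
    flags = EDNS_DO if do else 0
    return b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, flags, 0)


def build_query(qname, qtype, do, txid=0x1234):
    """Standard query: RD set, one question, one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question + build_opt(do)


def parse_query(msg):
    """Return id, qname, qtype and DO state. A query without an OPT RR
    (plain RFC 1035) is treated as DO unset with a 512-byte payload."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    do, udp_size = False, 512
    for i in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if i >= an + ns and rtype == TYPE_OPT and name == ".":  # OPT only valid in additional
            udp_size = rclass
            do = bool((ttl & 0xFFFF) & EDNS_DO)  # low 16 bits of TTL are the flags
    return {"id": txid, "qname": qname, "qtype": qtype, "do": do, "udp_size": udp_size}


def filter_for_do(rrs, qtype, do):
    """RFC 4035 3.2.1: if DO is unset, strip authenticating DNSSEC RRs but
    keep any DNSSEC type the question explicitly asked for.
    RRs are (owner, type, ttl, rdata) tuples."""
    if do:
        return list(rrs)
    return [rr for rr in rrs if rr[1] not in DNSSEC_TYPES or rr[1] == qtype]


def serve(query_msg, candidate_rrs):
    """Name-server side: parse the query, then apply the DO rule to the RRs
    the zone would otherwise place in the response."""
    q = parse_query(query_msg)
    return filter_for_do(candidate_rrs, q["qtype"], q["do"])


# Constructed sample answers (placeholder rdata, not real signatures or digests).
A_RESPONSE = [
    ("www.example.", TYPE_A, 300, "192.0.2.1"),
    ("www.example.", TYPE_RRSIG, 300, "A 8 2 300 <expiration> <inception> <keytag> example. <sig>"),
]
DS_RESPONSE = [
    ("child.example.", TYPE_DS, 3600, "<keytag> 8 2 <digest>"),
    ("child.example.", TYPE_RRSIG, 3600, "DS 8 2 3600 <expiration> <inception> <keytag> example. <sig>"),
]

if __name__ == "__main__":
    for do in (False, True):
        print("A query, DO=%s ->" % do, [rr[1] for rr in serve(build_query("www.example.", TYPE_A, do), A_RESPONSE)])
    print("DS query, DO=False ->", [rr[1] for rr in serve(build_query("child.example.", TYPE_DS, False), DS_RESPONSE)])
```

The check that matters on the name-server side is the last one: a DS query with DO clear still returns the DS RRset, because the question asked for it explicitly; only the RRSIG covering it is dropped. A resolver that wants the signatures has to set DO, which is exactly the stub-resolver requirement stated later on this page.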
... Example DNSSEC Responses ...
... signatures that for some reason fail to
validate or due to missing data that the relevant DNSSEC RRs
indicate should be present. This case may indicate an attack but
...
... determine whether the RRset should be signed, as the resolver is
not able to obtain the necessary DNSSEC RRs. This can occur when
the security-aware resolver is not able to contact security-aware ...
... atomic entry containing the entire answer, including the named RRset
and any associated DNSSEC RRs. The resolver SHOULD discard the
entire atomic entry when any of the RRs contained in it expire. In
...
A security-aware stub resolver MUST support the DNSSEC RR types, at
least to the extent of not mishandling responses just because they
contain DNSSEC RRs.
...
A non-validating security-aware stub resolver MAY include the DNSSEC
RRs returned by a security-aware recursive name server as part of the
...
... resolver that seeks to do this will need to set the DO bit in order
to receive DNSSEC RRs from the recursive name server.
...
... security-aware stub resolver MUST set the DO bit,
because otherwise it will not receive the DNSSEC RRs it needs to
perform signature validation ...
... present in the zone.
When a resolver indicates support for DNSSEC (by setting the DO bit),
a security-aware ...
... However, a security-aware resolver may still receive a response that
lacks the appropriate DNSSEC RRs, whether due to configuration issues
such as an upstream security ... name server that
accidentally interferes with DNSSEC RRs or due to a deliberate attack
in which an adversary forges a response, strips DNSSEC RRs from a
response, or modifies a query so that DNSSEC RRs appear not to be
requested. The absence of DNSSEC data in a response MUST NOT by
itself be taken as an indication that no authentication information
...
... RFC4034] contains a review of the IANA considerations introduced by
DNSSEC. The following are additional IANA considerations discussed
in this document:
...
... [RFC2671] introduced EDNS, and [RFC3225] reserved the DNSSEC OK bit
and defined its use. The use is restated but not altered in this
...
... Please see [RFC4033] for terminology and general security
considerations related to DNSSEC; see [RFC4034] for considerations
specific to the DNSSEC ...
... DNS response message can use these bits to defeat the
protection that DNSSEC attempts to provide to security-oblivious
recursive-mode resolvers. For this reason, use of these control bits ...
...
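The AD/CD caveat above, together with the stub-resolver passages quoted earlier on this page, as an added example that is not part of RFC 4035 and not taken from any named resolver: a non-validating stub that treats the AD bit as a validation claim only when the response came from a configured validating recursive server over a path an on-path attacker cannot rewrite, and clears the bit before handing the response to the application otherwise. A validating stub instead sets CD in its own queries and judges the data itself. The TRUSTED set, the addresses, the constructed_response() header and the trust policy itself are this example's assumptions.

```python
"""
AD/CD header-flag handling for a security-aware stub resolver, standard
library only. The trust policy, addresses and messages below are this
example's own construction, not text from RFC 4035.
"""
import ipaddress
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD added by DNSSEC)
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010
RCODE_MASK = 0x000F


def parse_header(msg):
    """Decode the 12-byte DNS header into named flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD), "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def stub_query_flags(validates_itself):
    """Flags a stub puts in its query: RD always; CD as well when the stub
    runs its own validator, so the recursive server passes data through
    instead of withholding what it could not validate."""
    flags = FLAG_RD
    if validates_itself:
        flags |= FLAG_CD
    return flags


def ad_is_trustworthy(msg, server_ip, channel_is_secure, trusted_validators):
    """Policy for a NON-validating stub (this example's assumption): AD is a
    validation claim only if the response is from a configured validating
    resolver AND the path cannot be rewritten (loopback, or a transport the
    caller has authenticated). Anyone who can alter the response can set AD."""
    hdr = parse_header(msg)
    if not hdr["qr"] or not hdr["ad"]:
        return False
    ip = ipaddress.ip_address(server_ip)
    if ip not in trusted_validators:
        return False
    return ip.is_loopback or channel_is_secure


def clear_ad(msg):
    """Rewrite only the flags word so the application never sees an AD bit
    the stub did not decide to trust; id and everything after are untouched."""
    flags = struct.unpack_from("!H", msg, 2)[0]
    return msg[:2] + struct.pack("!H", flags & ~FLAG_AD) + msg[4:]


def deliver(msg, server_ip, channel_is_secure, trusted_validators):
    """What the stub hands upward: the response as-is when AD may be relied
    on, otherwise the same response with AD cleared."""
    if ad_is_trustworthy(msg, server_ip, channel_is_secure, trusted_validators):
        return msg
    return clear_ad(msg)


def constructed_response(txid, ad):
    """Constructed header-only response: QR, RD, RA set, NOERROR, one
    question and one answer counted (sample data, no RRs attached)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)


# Constructed configuration: the resolvers this stub was told validate for it.
TRUSTED = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("192.0.2.53")}

if __name__ == "__main__":
    r = constructed_response(7, ad=True)
    for src, secure in (("127.0.0.1", False), ("192.0.2.53", False), ("192.0.2.53", True), ("198.51.100.9", True)):
        print(src, "secure=%s" % secure, "AD kept:", parse_header(deliver(r, src, secure, TRUSTED))["ad"])
```

The point of the example is the second case: a response with AD set arriving from a trusted validator over plain UDP across a network still gets AD cleared, because a forged or modified response would carry the same bit. The bit carries no more assurance than the channel it arrived over.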
The protocol described in this document attempts to extend the
benefits of DNSSEC to security-oblivious stub resolvers. However, as
recovery from validation ...
... recovery from validation failures is likely to be specific to
particular applications, the facilities that DNSSEC provides for stub
resolvers may prove inadequate. Operators of security-aware
...
... security extension
specifications. Although explicitly listing everyone who has
contributed during the decade in which DNSSEC has been under
development would be impossible, [RFC4033] includes a list of some of
...
