DNSSEC

DNSSEC, standardized in RFC 4033 and the RFCs that follow it (an earlier version of DNSSEC had no success), makes it possible to solve some of the security problems of the DNS.

DNSSEC secures the data sent by the DNS. Unlike other protocols such as SSL, it does not merely secure a communication channel: it protects the data, the DNS records, from end to end. It is therefore effective even when an intermediate server cannot be trusted.

DNSSEC cryptographically signs DNS records and publishes the signature in the DNS. A wary DNS client can then retrieve the signature and, if it has the server's key, check that the data is correct. The key can be obtained through the DNS itself (which poses a chicken-and-egg problem) or by another means (published on the Web and signed with PGP, for example).

DNSSEC allows signatures to be delegated: the registry of a TLD can announce that a given subdomain is signed. A chain of trust can thus be built starting from the root of the DNS. For the moment, political problems (who has the legitimacy to sign the root?) prevent this deployment.

DNSSEC also introduces problems of its own. For example, because a special record indicates the next domain in the zone, the complete contents of a signed zone can be enumerated even if zone transfer is not allowed.

Today, the Swedish registry and RIPE-NCC (for the in-addr.arpa domain) sign their records with DNSSEC.

External links

  • Official presentation of DNSSEC
  • DNSSEC for ".se"
  • DNSSEC with the RIPE-NCC
