The Domain Name System Security Extensions (DNSSEC) are a suite of IETF specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers):
- Origin authentication of DNS data.
- Data integrity.
- Authenticated denial of existence.
It is widely believed that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of:
- Devising a backward-compatible standard that can scale to the size of the Internet.
- Deploying DNSSEC implementations across a wide variety of DNS servers and resolvers (clients).
- Squabbling among key players, none of whom agree on who should own the .com (etc) root keys
IP-based networks, including the Internet, route information between computers based on their IP address, a multi-byte number (4 bytes in IP version 4, 16 bytes in IP version 6). Directly using these numbers would cause many problems, so DNS is a critical service of such networks. DNS accepts a domain name (such as www.wikipedia.org) and responds with information about that name, such as its matching IP address. DNS can also perform reverse look-ups (given an IP address, return the corresponding name). DNS is implemented as a distributed system, for scalability. (For more information, see Domain Name System.) Unfortunately, DNS was not designed to be secure.
There are several distinct classes of threats to the DNS, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol. A Request for Comments document, RFC 3833, attempts to document some of the known threats to the DNS, and, in doing so, attempts to measure to what extent DNSSEC is a useful tool in defending against these threats.
DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses are the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in DNS. RFC 4398 describes how to distribute certificates via DNS, including those for email, making it possible to use DNSSEC as a world-wide public key infrastructure for email.
DNSSEC does not provide confidentiality of data, in particular, all DNSSEC responses are authenticated but not encrypted. DNSSEC does not protect against DoS attacks directly, though it indirectly provides some benefit (because signature checking allows the use of potentially untrustworthy parties). Other standards (not DNSSEC) are used to secure bulk data (such as a zone transfer) sent between DNS servers. As documented in IETF RFC 4367, some users and developers make false assumptions about DNS names, such as assuming that a company's common name plus ".com" is always its domain name. DNSSEC cannot cure false assumptions; it can only authenticate that the data is truly from or not available from the domain owner.
source :en.wikipedia.org
No comments:
Post a Comment