DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System (DNS) used on Internet Protocol networks. It is a set of extensions to DNS, which provide:

• origin authentication of DNS data
• data integrity, and
• authenticated denial of existence

DNSSEC was designed to protect the Internet from certain attacks such as DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the signature, a DNS resolver is able to check if the information is identical (correct and complete) to the info on the authoritative DNS server.

There are several distinct classes of threats to the DNS, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol. RFC 3833 attempts to document some of the known threats to the DNS, and, in doing so, attempts to measure to what extent DNSSEC is a useful tool in defending against these threats.

DNSSEC does not provide confidentiality of data. Also, DNSSEC does not protect against DoS attacks.

The DNSSEC specifications (called DNSSEC-bis) describe the current DNSSEC protocol in great detail. See RFC 4033, RFC 4034, and RFC 4035. With the publication of these new RFCs (March 2005), RFC 2535 has become obsolete.

External links

• DNSSEC - DNSSEC information site: DNSSEC.net
• DNSEXT DNS Extensions Working Group at IETF
• RFC 3833 A Threat Analysis of the Domain Name System
• RFC 4033 DNS Security Introduction and Requirements (DNSSEC-bis)
• RFC 4034 Resource Records for the DNS Security Extensions (DNSSEC-bis)
• RFC 4035 Protocol Modifications for the DNS Security Extensions (DNSSEC-bis)
• A short timeline of DNSSEC by Miek Gieben
• DNSSEC Howto by Olaf Kolkman (RIPE NCC)