DNSSEC is a set of DNS extensions that provide three basic functions:
- Data Origin Authentication - assures that data is received from the authorized DNS server; can protect against impersonation attacks.
- Data Integrity - assures that data received matches the data on the origin DNS server and was not modified in transit; protects against man-in-the-middle type pollution attacks.
- Authenticated Denial of Existence - assures that a "Non-existent" response is valid.
DNSSEC Technical Information and Documentation
The following "Request for Comments" (RFC) documents define the technical core of the DNSSEC specifications.
- RFC 4033: DNS Security Introduction and Requirements
- RFC 4034: Resource Records for the DNS Security Extensions
- RFC 4035: Protocol Modifications for the DNS Security Extensions
- RFC 4641: DNSSEC Operational Practices
- RFC 5155: Introduces an alternative resource record, NSEC3, which provides additional measures against zone enumeration and permits gradual expansion of delegation-centric zones.
- RFC 5910: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
Tutorials & Research:
- DNSSEC can help mitigate the risks of cache poisoning as described in the video below. This video is brought to you courtesy of Cricket Liu, Vice-President, InfoBlox.
Please see these additional resources for research, webinars, videos and technical information on implementing DNSSEC and learning more about it:
- .CO DNSSEC FAQs
- InfoBlox – DNS Security Center
- InfoBlox Webinar - Cache Poisoning and DNSSEC: A Look into the Threats to DNS and How DNSSEC Addresses Them (Sign-Up Required)
- Secure64 – DNSSEC Resource Center
- Practice Safe DNS
- Neustar - DNSSEC Resources
- DNSSEC Deployment
Should you have any questions on the information provided or require further assistance, please contact DNSSEC@go.co.