
Domain Name System Security Extensions (DNSSEC) Questions

1. What is DNS Security (DNSSEC)?
2. What does DNSSEC protect against?
3. How does DNSSEC protect against this attack?
4. What does it mean that you have signed the .ORG zone?
5. What does the administration of signed zone entail?
6. Can I now update my .ORG domain name with DNSSEC records?
7. Why isn't DNSSEC used everywhere?
8. How do I deploy DNSSEC?
9. Is DNSSEC right for you?
10. What are some of the benefits of DNSSEC?
11. What are some of the concerns regarding DNSSEC?
12. What is a DNS resolver?
13. What is a key?
14. What is a key rollover?
15. How does a scheduled rollover help prevent key compromise?
16. How will people be made aware of a key rollover?
17. How is a DNSSEC registration different from a current .ORG domain registration? What additional data are collected?
18. Where can I go to learn more about DNSSEC?

1. What is DNS Security (DNSSEC)?
DNSSEC is an addition to the Domain Name System (DNS) protocols designed to protect the DNS from certain attacks, such as data modification attacks (e.g. cache poisoning). It is a set of extensions to DNS that provide origin authentication of DNS data, data integrity, and authenticated denial of existence.

The Domain Name System Security Extensions (DNSSEC), as described in [RFC4033], [RFC4034], and [RFC4035], define new records and protocol modifications to DNS that permit security-aware resolvers to validate DNS Resource Records (RRs).

2. What does DNSSEC protect against?
DNSSEC is designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. Currently, a DNS resolver sends a query out to the Internet and then accepts the first response it receives, without question. If a malicious system were to send back an incorrect response, the resolver would use that address until the cached entry expired. This is bad enough when a single user's computer receives the bad data; it is much worse when the victim is another name server that answers queries for an ISP, affecting thousands of users.

3. How does DNSSEC protect against this attack?
Each piece of a domain’s DNS information has a digital signature attached to it. When a user enters the domain in a browser, the resolver, using keys in a similar manner to TLS/SSL, verifies the signature. If it does not match, the resolver discards the response and waits for another.

DNSSEC ensures that the information in the response you receive is the same information the registrant of the domain name wants you to receive.  When a registrant registers a domain name on the Internet, they will also be able to have the domain name secured via DNSSEC.  By sending in additional information to their registrar, registrants can “sign” a domain name, thus ensuring that all DNS responses are digitally signed via DNSSEC. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information the registrant wants you to receive.

4. What does it mean that you have signed the .ORG zone?
Zone signing is the process of cryptographically signing the authoritative data within a zone file. This process adds new records to the zone, which allow resolvers to verify the origin authenticity and integrity of DNS responses. The .ORG zone has been signed using NSEC3 (RFC 5155).
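As an added illustration, not part of the original FAQ, of what NSEC3 signing gives a validating resolver, the Python below computes the hashed owner names that NSEC3 records carry and checks whether a chain of such records covers a queried name, i.e. proves that the name does not exist. The salt and iteration count are constructed values in NSEC3PARAM format, not the .ORG zone's actual parameters.

```python
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex ("extended hex") alphabet used by NSEC3 owner names
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    labels = [] if name in ("", ".") else name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Hashed owner name (RFC 5155 s5) with hash algorithm 1 (SHA-1, the only algorithm registered for NSEC3):
    IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt); the result is unpadded base32hex, shown lowercase.
    salt_hex is the presentation-format salt, "-" meaning no salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").translate(B32HEX).lower()

def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target_hash lies strictly between an NSEC3 record's owner hash and its Next Hashed Owner Name,
    which is what proves that no name in the zone hashes there. base32hex sorts like the raw digest, so plain
    string comparison is the canonical order; the last record in the chain wraps around to the first."""
    if owner_hash < next_hash:
        return owner_hash < target_hash < next_hash
    return target_hash > owner_hash or target_hash < next_hash

def proves_nonexistence(name: str, salt_hex: str, iterations: int, chain: list) -> bool:
    """Check whether a list of (owner_hash, next_hash) NSEC3 records, hashed with the zone's NSEC3PARAM salt
    and iteration count, covers the hash of `name`. Simplified: a complete proof (RFC 5155 s8.4) also needs
    the closest-encloser and wildcard records, and a resolver must verify each record's RRSIG as well."""
    target = nsec3_hash(name, salt_hex, iterations)
    return any(nsec3_covers(o, n, target) for o, n in chain)

if __name__ == "__main__":
    # Constructed parameters in NSEC3PARAM shape (hash algorithm 1, salt aabbccdd, 12 iterations).
    print(nsec3_hash("example.org.", "aabbccdd", 12))
```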

5. What does the administration of signed zone entail?
Administration of a DNSSEC-signed zone is more complex than that of an unsigned zone. Zone maintenance in the non-DNSSEC environment simply involves changing records as required and updating the serial number of the zone with each change. In many networks this is an automated process. However, in the DNSSEC environment this action alone would invalidate the zone data. Therefore, in addition to updating records and serial numbers, the zone itself must be re-signed. Care must be taken to keep keys and signatures current and not let signatures expire. If the zone is compromised, either by malicious intent or by neglect, the Zone Data Administrator must take action to restore the zone’s place in the DNSSEC authentication chain.

6. Can I now update my .ORG domain name with DNSSEC records?
Yes, if your registrar has implemented DNSSEC, then you can register your .ORG domain name(s) with DNSSEC. For a list of accredited DNSSEC registrars, click here.

7. Why isn't DNSSEC used everywhere?
It takes time to deploy DNSSEC throughout the Internet.  As of September 2011 the root is signed, there are 80+ TLDs with signed zones, and more registrars are completing the OTE required to offer DNSSEC services every day. The demand for DNSSEC is increasing every day. 

8. How do I deploy DNSSEC?
The latest versions of BIND and NSD are DNSSEC aware, usually enabled by simply setting a configuration option. For end user applications, such as web browsers and email applications, you should contact your software provider. For more information on how to deploy DNSSEC, visit: http://dnssec-deployment.org and http://www.nlnetlabs.nl/dnssec_howto/

9. Is DNSSEC right for you?
The DNS is a critical Internet infrastructure protocol and virtually everything that users do on the Internet depends on it.
Protecting the DNS to ensure that users are connecting with the services they expect to be communicating with is the foundation of a safe and secure Internet.
If you want to distinguish yourself as a leader supporting the security of your customers’ domains then DNSSEC is right for you.

10. What are some of the benefits of DNSSEC?

  • DNSSEC zones prevent man-in-the-middle attacks.  Any customer with a DNSSEC-aware resolver will not be at risk from this attack.
  • DNSSEC is backwards compatible with the existing DNS infrastructure. Customers that are not DNSSEC aware will not see any adverse effect. While they won't get the protection, they'll continue to access domain names just as they always have.
  • DNSSEC is the foundation of providing the safe and secure Internet of the future, including secure web browsing and adding additional security services to a wide variety of Internet services (e.g., email, voice-over-IP, etc.).

11. What are some of the concerns regarding DNSSEC?

  • You must actively maintain the extra DNSSEC data, including securing the DNSSEC private key data used to sign zones.
  • If the key information is compromised, you must take immediate action to rollover (replace) the key.
  • You may have to educate your customers on how to make their software DNSSEC-aware.
  • There have been a few reported cases of bugs in network gear, such as routers, switches, and wireless access points that require end-users to upgrade their network gear in order to resolve signed domain names.

12. What is a DNS resolver?
A DNS resolver is the program on a user’s computer that sends the query to the DNS. Once a response is received, the resolver returns the response back to the end user’s application. A validating resolver is a resolver that checks the digital signatures created and made available by domain name owners who want to protect their domains.

13. What is a key?
In DNSSEC the keys come in pairs — a private key (held only by the signer of the zone, usually the DNS operator; if you provide DNS services to your customers, that may be the registrar) and a public key (distributed to the public through the DNS). The private part of the key pair is used to sign the zone. Validating resolvers use the public part of the key pair to validate the digital signatures created when the zone is signed.

14. What is a key rollover?
A key rollover occurs whenever it is necessary to change the private key used to sign a zone or the public key used to validate a zone. This can occur for planned or unplanned reasons. Planned rollovers occur as an ordinary part of key management procedures, similar to changing a password on a regular basis. Unplanned rollovers occur whenever a private key has been compromised.

15. How does a scheduled rollover help prevent key compromise?
DNSSEC uses several mathematical formulas (cryptography) to "sign" a zone. These signatures are subject to cryptanalysis. It is therefore possible for an attacker to learn the private key in a key pair even though that key has never been disclosed, either through "brute force" or other types of attacks. Every attack requires time to complete. Periodically changing the key decreases the length of time an attacker has to attempt the compromise.

16. How will people be made aware of a key rollover?
Under ordinary circumstances key rollovers are not visible to end users. The transition from one key to another is handled automatically by the DNS and validating resolvers, as long as the zone signer properly manages the key pairs and enters the changing keys into the DNS as needed.

17. How is a DNSSEC registration different from a current .ORG domain registration? What additional data are collected?
A DNSSEC registration must include the public key information. This information is put into a Delegation Signer (DS) record (either by the DNS operator or perhaps the registrar) and submitted to the registry by the registrar using the DNS Security Extensions mapping for EPP (see http://www.ietf.org/rfc/rfc5910.txt).
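An added example, not the registry's or any registrar's code, of the DS record described in questions 13 and 17: it builds the DS data a parent zone publishes from a child's DNSKEY, then performs the check a validating resolver makes when linking parent to child, which is also the check that fails after a KSK rollover (questions 14 to 16) if the new DS is never submitted. The owner name and key bytes are constructed placeholders, not real key material.

```python
import base64
import hashlib
from typing import NamedTuple

class DNSKEY(NamedTuple):
    flags: int           # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int        # always 3
    algorithm: int       # e.g. 8 = RSA/SHA-256, 13 = ECDSA P-256/SHA-256
    public_key_b64: str  # public key exactly as shown in the DNSKEY record

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    labels = [] if name in ("", ".") else name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 s2.1): flags, protocol, algorithm, raw public key."""
    return key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + base64.b64decode(key.public_key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types (RFC 4034, 4509, 6605)
def ds_record(owner: str, key: DNSKEY, digest_type: int = 2) -> tuple:
    """DS RDATA the parent publishes for this key (RFC 4034 s5.1.4):
    (key tag, algorithm, digest type, hex digest of owner-name wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), key.algorithm, digest_type, digest

def ds_matches_dnskey(ds: tuple, owner: str, key: DNSKEY) -> bool:
    """The check a validating resolver makes when it links the parent's DS to the child's DNSKEY.
    A mismatch (e.g. a rolled KSK whose new DS was never submitted to the registrar) breaks the chain of trust."""
    return ds == ds_record(owner, key, ds[2])

# Constructed sample, not real key material: a KSK for example.org and its replacement after a rollover.
OWNER = "example.org."
OLD_KSK = DNSKEY(257, 3, 8, base64.b64encode(b"constructed placeholder public key, not a real key").decode())
NEW_KSK = DNSKEY(257, 3, 8, base64.b64encode(b"constructed replacement key after the rollover").decode())

if __name__ == "__main__":
    ds = ds_record(OWNER, OLD_KSK)
    print(f"{OWNER} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    print("old KSK matches DS:", ds_matches_dnskey(ds, OWNER, OLD_KSK), "/ new KSK:", ds_matches_dnskey(ds, OWNER, NEW_KSK))
```

Until the parent publishes a DS for NEW_KSK, the second check stays False and a validating resolver treats the zone as bogus, which is exactly why a planned KSK rollover must include the DS update at the registry.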

18. Where can I go to learn more about DNSSEC?
The http://dnssec.net and http://dnssec-deployment.org Web sites are both excellent resources to learn more about DNSSEC.