The nuts and bolts of DNSsec
The Domain Name System helps make a ubiquitous, global Internet practical by providing an infrastructure for mapping human-readable domain names, such as the host names that appear in URLs and e-mail addresses, to numerical IP addresses. Understandable names that can be remembered and that convey information about the addressee, such as www.gcn.com, provide a friendly user interface for the Internet.
The original DNS specifications were finalized in 1983 in RFC 882 and RFC 883; they were later revised and replaced by RFC 1034 and RFC 1035 in 1987. Four graduate students at the University of California, Berkeley, wrote the first Unix implementation of DNS in 1984, which became the Berkeley Internet Name Domain (BIND) server in 1985. BIND has since become one of the most widely deployed name servers.
The DNS Security Extensions (DNSsec) are a response to a weakness in the original DNS: a resolver has no way to tell whether an answer really came from the zone's authoritative server, so an attacker who can spoof or inject a response can feed false records to a client and misdirect it (and, when a recursive resolver stores the forged answer, poison its cache for every client behind it). The initial specification was published in 1997 as RFC 2065 and was replaced in 1999 by IETF RFC 2535; the current base specification, RFC 4033 through RFC 4035, followed in 2005, and further refinements have been added since.
With DNSsec, the records in an answer are digitally signed with the zone's private key, and a validating resolver checks each signature against the zone's published public key, which protects clients from forged DNS data. It provides:
- Origin authentication of DNS data: the answer was produced by the operator of the zone, not by a third party.
- Data integrity: the records were not altered between the signer and the client.
- Authenticated denial of existence: a signed proof that a name (or a record type at that name) does not exist, so a forged "no such name" answer can be detected as well.
Although digitally signed responses can be authenticated, they are not encrypted: DNSsec does not provide confidentiality for the data, and anyone watching the network can still see which names a client looks up.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.