Factbites
 Where results make sense

Topic: DNSSEC


In the News (Fri 25 Dec 09)

  
  DNSSEC - Wikipedia, the free encyclopedia
DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning.
DNSSEC cannot cure false assumptions; it can only authenticate that the data is truly from or not available from the domain owner.
DNSSEC can be deployed at any level of a DNS hierarchy, but it must be widely available in a zone before many others will adopt it.
en.wikipedia.org /wiki/DNSSEC   (2986 words)

  
 DNSSEC - Wikipedia, the free encyclopedia   (Site not responding. Last check: 2007-08-17)
DNSSEC is still under development at IETF but will be ready for deployment soon.
Currently, several DNSSEC 'testbeds' are run, for example in the Netherlands (.nl) and Sweden (.se).
DNSSEC testbed in the Netherlands (.nl ccTLD) (http://secreg.nlnetlabs.nl/)
www.encyclopedia-online.info /DNSSEC   (218 words)

  
 DNSSEC: The Protocol, Deployment, and a Bit of Development-The Internet Protocol Journal - Volume 7, Number 2 - Cisco ...
DNSSEC, as defined in (hopefully soon-to-be-obsoleted) RFC 2535, adds data origin authentication and data integrity protection to the DNS.
Also signatures in DNSSEC have a start and end date, that is, before and after a certain date interval the signature can no longer be used for validation.
DNSSEC brings many new parameters to the DNS, including cryptographic ones such as key sizes, algorithm choices, and key and signature lifetimes.
www.cisco.com /web/about/ac123/ac147/archived_issues/ipj_7-2/dnssec.html   (4168 words)

  
 FAQ
DNSSEC is a set of extensions to the DNS that permits authentication and data integrity checking of DNS data.
DNSSEC doesn't modify the existing DNS resource records (RRs) associated with a particular configuration; it simply adds additional records to the DNS data which permit the validation of data in the DNS using strong cryptography.
At the moment the DNSSEC testbed is static: with the exception of periodic zone re-signing and key rollover, the testbed data does not change.
www.nominet.org.uk /tech/dnssectest/faq   (3540 words)

  
 RFC 3130 (rfc3130) - Notes from the State-Of-The-Technology: DNSSEC
DNSSEC [RFC 2535] has been under consideration for quite a few years, with RFC 2535 being the core of the most recent definition.
DNSSEC does not encompass all of the security practiced in DNS today, for example, the redefinition of when and how data is cached [RFC 2181], plays a big role in hardening the DNS system.
The four elements of DNSSEC described in the previous paragraph are grouped together mostly because they do interrelate, but also they were developed at approximately the same time.
www.faqs.org /rfcs/rfc3130.html   (2800 words)

  
 [No title]
An important DNSSEC concept is that the key that signs a zone's data is associated with the zone itself and not with the zone's authoritative name servers.
DNSSEC does not change the definition or function of the TTL value, which is intended to maintain database coherency in caches.
A non-validating security-aware stub resolver, by definition, does not perform DNSSEC signature validation on its own and thus is vulnerable both to attacks on (and by) the security-aware recursive name servers that perform these checks on its behalf and to attacks on its communication with those security-aware recursive name
www.ietf.org /rfc/rfc4033.txt   (6375 words)

  
 Nominum, Inc. :: Open Source Resource
For a more in-depth, overall description of DNSSEC, please refer to that document, which is cited in the References section of this FAQ.
A DNSSEC aware resolver can determine whether or not a zone is signed, and if the resolver sees an unsigned record set when it expects a signed one it can identify that there is an error.
Basic support for validation of DNSSEC signatures in responses has been implemented but should still be considered experimental.
www.nominum.com /getOpenSourceResource.php?id=8   (3063 words)

  
 [No title]   (Site not responding. Last check: 2007-08-17)
DNSSEC uses the DNS itself to propagate each site’s public keys, and so the key you need for verification is available via the same marvelously insecure protocol as the data you’re trying to verify.
What’s different from full DNSSEC is that the same key is used for both signature generation and signature verification (so it’s all private), and this shared private key (also called a “shared secret”) is only shared between hosts on the same LAN or (at most) on the same campus.
DNSSEC has not been simulated on the massive scale of the Internet and may yet hold some surprises (which could lead to an overhaul).
www.eas.asu.edu /trace/eee459/Yusuf.doc   (1867 words)

  
 ONLamp.com -- The Basics of DNSSEC
Now that we have covered DNSSEC and have set up our own DNSSEC server, new possibilities are open to us, such as opportunistic encryption (OE).
DNSSEC can be the tool for becoming globally secure in everyday communications by providing opportunistic encryption.
It is important to consider using DNSSEC, because only a coordinated effort between many DNS servers will allow an effective improvement in secure communications and personal privacy.
www.onlamp.com /pub/a/onlamp/2004/10/14/dnssec.html?page=2   (1398 words)

  
 Public Interest Registry - Registrar FAQs DNS Security
DNSSEC is an addition to the Domain Name System (DNS) protocols; it is designed to add security to the DNS by protecting the Internet from certain attacks, such as DNS cache poisoning.
It is a set of extensions to DNS, which provide origin authentication of DNS data, data integrity and authenticated denial of existence.
In the DNSSEC testbed, only one connection per registrar will be available.
www.pir.org /RegistrarResources/RegistrarFAQsDNSSecurity.aspx   (1194 words)

  
 DNSSEC: What Is It Good For?
DNSSEC, which stands for DNS Security Extensions, is a method by which DNS servers can verify that DNS data is coming from the correct place, and that the response is unadulterated.
Until this is in place, DNSSEC cannot protect anything outside your administrative control or access; meaning you have to manually distribute keys.
DNSSEC can, however, be used internally or even between different entities if they choose to cooperate and exchange keys.
www.enterprisenetworkingplanet.com /netsecur/article.php/3494711   (1178 words)

  
 DNS security upgrade promises a safer 'Net
DNSSEC is now available in open source software called BIND 9 that was released last month, and will be bundled in upcoming releases of operating systems from Sun, Hewlett-Packard, Red Hat and others.
DNSSEC "is a no-brainer if it can be easily done," says Rohi Sukhia, CEO of tradeloop.com, a Web site offering spare parts and used equipment to computer dealers.
DNSSEC "sounds like a good idea, but it's hard for me to assess the likelihood of this threat," says Michael Saltzman, vice president of network operations at gig.com, an online music distribution service.
www.networkworld.com /news/2000/1016dnsec.html   (1541 words)

  
 DNSSEC in the .nl zone mini HOWTO
DNSSEC solves this problem by using digital signatures for all records.
A key-pair is generated, of which the public key is put in the DNS itself, in the form of a KEY record.
DNSSEC extensions are also missing from the POSIX libraries, such as the C-library, which means that every program which wants to support DNSSEC needs to write their own dns functions.
www.xtdnet.nl /paul/dnssec   (3060 words)

  
 UMU-SEINIT Home Page   (Site not responding. Last check: 2007-08-17)
Related to the DNSSEC work in the SEINIT project, we are deploying a DNSSEC hierarchy, with the root node as dnssec.seinit.org.
DNSSEC authentication is based on the use of public/private zone keys.
DNSSEC specifies that a child zone needs to have its KEY RRset signed by its parent to create a verifiable chain of KEYs.
www.dnssec.seinit.org /dnssec.html   (2180 words)

  
 [No title]
Rationale: Initially, as DNSSEC is deployed, the vast majority of queries will be from resolvers that are not DNSSEC aware and thus do not understand or support the DNSSEC security RRs.
As DNS UDP datagrams are limited to 512 bytes [RFC1035], responses including DNSSEC security RRs have a high probability of resulting in a truncated response being returned and the resolver retrying the query using TCP.
In addition, in preliminary and experimental deployment of DNSSEC, there have been reports of non-DNSSEC aware resolvers being unable to handle responses which contain DNSSEC security RRs, resulting in the resolver failing (in the worst case) or entire responses being ignored (in the better case).
www.isi.edu /in-notes/rfc3225.txt   (1186 words)

  
 Net::DNS::SEC::Tools::conf - DNSSEC tools configuration file routines.   (Site not responding. Last check: 2007-08-17)
The DNSSEC tools have a configuration file for commonly used values.
The DNSSEC tools configuration file consists of a set of configuration value entries, with only one entry per line.
During parsing, the line is broken into tokens, with tokens being separated by spaces and tabs.
www.dnssec-tools.org /docs/conf.html   (252 words)

  
 RFC 3226 (rfc3226) - DNSSEC and IPv6 A6 aware server/resolver message size
DNSSEC motivations: DNSSEC [RFC2535] secures DNS by adding a Public Key signature on each RR set.
DNSSEC OK [OK] specifies how a client can, using EDNS0, indicate that it is interested in receiving DNSSEC records.
DNSSEC specifies for computationally expensive message authentication SIG(0) using a standard public key signature.
www.faqs.org /rfcs/rfc3226.html   (1500 words)

  
 DNSSEC-bis for complete beginners (like me)
Furthermore, the DNSSEC HOWTO by Olaf Kolkman is a great source of information, as is the operational practices document by the same author, linked below.
As noted the DNSSEC people are among the smartest in the world so they've figured out a solution: the 'Next Secure' NSEC record, known in its previous flawed incarnation as NXT.
Serving DNSSEC records is complex enough as it is, with NSEC taking the complexity-crown from the LOC record, but the recursing process is truly very hard.
ds9a.nl /dnssec   (2007 words)

  
 Public Interest Registry - DNS Security Testbed
DNSSEC is an addition to the DNS protocols; it is designed to thwart specific types of attacks against your DNS, such as DNS cache poisoning.
Registrars are invited to connect to the DNSSEC testbed EPP server using the standard EPP port (700) and submit .ORG domain registrations into the DNSSEC testbed.
The name and IP address of the name server to be used to test the zone within the testbed will be provided to registrars on 24 October 2005.
www.pir.org /RegistrarResources/DNSSecurityTestbed.aspx   (348 words)

  
 dnssec-keygen(1Mtcp)
The argument identifying the encryption algorithm is case-insensitive.
The default is 2 (email) for keys of type USER and 3 (DNSSEC) for all other key types.
The DNSSEC algorithm identifier is indicated by aaa - 001 for RSA, 002 for Diffie-Hellman, 003 for DSA or 157 for HMAC-MD5.
uw714doc.sco.com /en/man/html.1Mtcp/dnssec-keygen.1Mtcp.html   (1015 words)

  
 DNSSEC Deployment Initiative
The DNS Security Extensions (DNSSEC) Deployment Coordination Initiative is part of a global effort to deploy new security measures that will help the DNS perform as people expect it to - in a trustworthy manner.
This initiative builds on over a decade of work undertaken by many experts around the world, who developed the DNSSEC standard that was published by the IETF.
On this site, we have collected important information to help you learn more about the initiative; DNS attacks and their impact on your business, government agency, or home computing; information for adopters and potential adopters; and news and research to keep you informed about progress against this important security threat.
www.dnssec-deployment.org   (202 words)

  
 The role of DNS and DNSSEC in information security
Furthermore, DNSSEC is sensitive to many configuration errors, the slightest of which cause a domain to stop working for those using DNSSEC.
As mentioned above, to perform as intended, DNSSEC needs to be deployed on all servers involved in answering a query which means a massive overhaul which would be nothing short of a revolution to achieve.
Combined with the complexity of DNSSEC, its inherent lower robustness and hence availability of domains, the increased vulnerability of the larger amount of code needed to support encryption in nameservers, I can only draw the conclusion that DNSSEC is not worth it.
ds9a.nl /secure-dns.html   (1251 words)

  
 The Dnssec-Tools Project
To turn on dnssec support, use the pull-down menu within the "Content" section of the preference editing screen.
A patch to validate SPF rules, incoming connections, etc against DNSsec records to ensure lookups within MTAs are not using spoofed DNS records.
A patch which enables DNSSEC validation of DNS lookups in the firefox application suite (the firefox browser, mozilla, etc).
www.dnssec-tools.org   (882 words)

  
 dnssec-keygen(1)
DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
This option is used to determine the number of bits in the key.
It should be a number in the range 0-15.
docs.hp.com /en/B3921-90010/dnssec-keygen.1.html   (677 words)

  
 nlnetlabs.nl - DNSSEC
DNSSEC in NL: This report contains the conclusions of the SECREG experiment which NLnet Labs together with SIDN has performed in 2003.
This draft defines an interface between a secure aware resolver and an application.
This was an early draft to address operational key handling problem in DNSSEC.
www.nlnetlabs.nl /dnssec   (79 words)

  
 Firewalls & DNSSEC   (Site not responding. Last check: 2007-08-17)
The introduction of DNSSEC can introduce problems for users using a nameserver with support for EDNS behind a firewall that does not pass DNS packets larger than 512 bytes.
The problem can be solved by configuring the firewall to allow larger DNS packets or by configuring the nameserver to request small packets.
If a nameserver requests DNSSEC information in its queries, and the queries are sent to domains with DNSSEC enabled, the answers are usually larger than 512 bytes and are dropped by the firewall.
dnssec.nic.se /fw/en.html   (274 words)

  
 DNSSEC: Security for Essential Network Services
DNSSEC significantly increases the size of DNS response packets, which drastically increases the computational load on the DNS servers and also increases the query response time.
DNSSEC is an order of magnitude more complex than DNS.
DNSSEC requires at least some time synchronization between the primary and secondary name servers.
www.enterpriseitplanet.com /security/features/article.php/11321_2206241_3   (741 words)

  
 Manpage of DNSSEC-KEYGEN
Note that for DNSSEC, DSA is a mandatory to implement algorithm, and RSA is recommended.
The value of nametype must either be ZONE (for a DNSSEC zone key), HOST or ENTITY (for a key associated with a host), or USER (for a key associated with a user).
The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
linux.yyz.us /nsupdate/dnssec-keygen-man.html   (587 words)

  
 Secure DNS Zone Key Tool
They are designed to solve some (especially my) problems in maintaining a few dnssec aware zones.
The "How to secure your zone" presentation gives you an overview about the steps needed for signing a zone, and a very short introduction in the usage of the zone key tool.
DNSSEC Operational Practices by Olaf Kolkman and Miek Gieben
www.hznet.de /dns/zkt   (292 words)

  
 Diff: draft-weiler-dnssec-dlv-pre00.txt - draft-weiler-dnssec-dlv-pre01.txt
DNSSEC Lookaside Validation (DLV) is a mechanism for publishing DNSSEC trust anchors outside of the DNS delegation chain.
DLV domain and use DNSSEC to validate the data in it.
www.watson.org /~weiler/dlv/diff-pre00-pre01.html   (3532 words)

Copyright © 2005-2007 www.factbites.com Usage implies agreement with terms.