DNSSEC what it really means and how is it related to us......
DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System
Domain Name System Security Extension (DNSSEC) will help strengthen trust in the Internet by helping to protect users from redirection to fraudulent web sites and unintended addresses.
DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.
These mechanisms require changes to the DNS protocol. DNSSEC adds four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new RRs are described in detail in RFC 4034.
DNSSEC is the only solution that solves the DNS cache poisoning security hole, conclusively. Many top-level zones, including .ARPA, .GOV and .ORG, as well as the root zone, have already been signed using DNSSEC. This new technological strategy allows appropriately configured name servers to validate answers cryptographically from these zones—effectively eliminating the possibility of cache poisoning. In the coming months, many additional zones will be signed, including .NET and .COM. Now, every organization needs to assess its DNSSEC implementation drivers and readiness, and develop a DNSSEC policy and implementation plan. Infoblox can help your organization develop its DNSSEC policy and implementation plan today. However DNSSEC does not provide confidentiality of data at any time and does not protect against DDoS Attacks.There are a lot of tools available in the market that support DNSSEC you can just try goggling it out.
To make deployment of DNSSEC easier, one can also buy a dedicated "DNSSEC Appliance", which acts as an automated DNS signer for DNS zones. Several vendors are already offering commercial and non-commercial solutions for signing DNS in real time, some of them using external cryptographic hardware such as HSM (Hardware Security Modules), including USB tokens and smart cards.
Several ISPs have started to deploy DNSSEC-validating DNS recursive resolvers. Comcast became the first major ISP to do so in the United States, announcing their intentions on October 18, 2010 and completing deployment on January 11, 2012.
DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System
 |
| DNSSEC |
DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.
These mechanisms require changes to the DNS protocol. DNSSEC adds four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new RRs are described in detail in RFC 4034.
DNSSEC is the only solution that solves the DNS cache poisoning security hole, conclusively. Many top-level zones, including .ARPA, .GOV and .ORG, as well as the root zone, have already been signed using DNSSEC. This new technological strategy allows appropriately configured name servers to validate answers cryptographically from these zones—effectively eliminating the possibility of cache poisoning. In the coming months, many additional zones will be signed, including .NET and .COM. Now, every organization needs to assess its DNSSEC implementation drivers and readiness, and develop a DNSSEC policy and implementation plan. Infoblox can help your organization develop its DNSSEC policy and implementation plan today. However DNSSEC does not provide confidentiality of data at any time and does not protect against DDoS Attacks.There are a lot of tools available in the market that support DNSSEC you can just try goggling it out.
To make deployment of DNSSEC easier, one can also buy a dedicated "DNSSEC Appliance", which acts as an automated DNS signer for DNS zones. Several vendors are already offering commercial and non-commercial solutions for signing DNS in real time, some of them using external cryptographic hardware such as HSM (Hardware Security Modules), including USB tokens and smart cards.
Several ISPs have started to deploy DNSSEC-validating DNS recursive resolvers. Comcast became the first major ISP to do so in the United States, announcing their intentions on October 18, 2010 and completing deployment on January 11, 2012.
Key Benefits after implementing DNSSEC:-
- Accelerated path to security and compliance
- Lower operational costs and expertise risks
- Reduced configuration errors to ensure service availability
There a lot that I can talk on DNSSEC, more information can be found here
