Domain Name System Security Extensions: Difference between revisions
Bill Jouris (talk | contribs) m (No edit summary)
Applied 3749 patterns from rulesets/patterns/awb-patterns.yaml
(2 intermediate revisions by 2 users not shown)
| Line 1: | Line 1: | ||
The '''Domain Name System Security Extensions''' are a set of [[DNS|Domain Name System]] (DNS) extensions enabling communication authentication between hosts and DNS data, while ensuring data integrity. DNSSEC is used for securing specific information provided by [[DNS]]. | The '''Domain Name System Security Extensions (DNSSEC)''' are a set of [[DNS|Domain Name System]] (DNS) extensions enabling communication authentication between hosts and DNS data, while ensuring data integrity. DNSSEC is used for securing specific information provided by [[DNS]]. | ||
DNSSEC adds resource records and message header bits which can be used to verify that the requested data matches what the zone administrator put in the zone and has not been altered in transit. DNSSEC | DNSSEC adds resource records and message header bits which can be used to verify that the requested data matches what the zone administrator put in the zone and has not been altered in transit. DNSSEC doesn't provide a secure tunnel; it doesn't encrypt or hide DNS data. It was designed with backward compatibility in mind. The original standard DNS protocol continues to work the same. | ||
The new resource record types are [[RRSIG]] (for digital signature), [[DNSKEY]] (the public key), [[DS]] (Delegation Signer), and [[NSEC]] (pointer to the next secure record). The new message header bits are [[AD]] (for authenticated data) and [[CD]] (checking disabled). A DNSSEC validating resolver uses these records and public key (asymmetric) cryptography to prove the integrity of the DNS data. A private key (specific to a zone) is used to encrypt a hash of a set of resource records — this is the digital signature stored in an RRSIG record. | The new resource record types are [[RRSIG]] (for digital signature), [[DNSKEY]] (the public key), [[DS]] (Delegation Signer), and [[NSEC]] (pointer to the next secure record). The new message header bits are [[AD]] (for authenticated data) and [[CD]] (checking disabled). A DNSSEC validating resolver uses these records and public key (asymmetric) cryptography to prove the integrity of the DNS data. A private key (specific to a zone) is used to encrypt a hash of a set of resource records — this is the digital signature stored in an RRSIG record. | ||
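One of the checks a validating resolver performs with the records just listed, as an added example that is not part of the wiki article: at each delegation the DS record in the parent must match a hash of the child's DNSKEY (owner name in wire form followed by the DNSKEY RDATA, as specified in RFC 4034 and RFC 4509), and the key tag lets the validator pick the right key from a multi-key DNSKEY RRset. The zone name, the `PUBKEY` bytes and all helper function names below are constructed for this illustration.

```python
import hashlib
import struct

# Constructed values (not from the page): a made-up zone and a tiny dummy key blob.
# Real DNSKEY public keys are hundreds of bytes of RSA/ECDSA material.
ZONE = "example.test."
PUBKEY = bytes(range(1, 33))  # 32 placeholder bytes standing in for a real public key

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lower-case labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (used for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name wire form || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    algo = {1: "sha1", 2: "sha256"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).digest()

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """What the parent zone publishes: key tag, algorithm, digest type and digest of the child's KSK."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}

def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """The delegation check a validator performs: tag, algorithm and digest must all agree."""
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    return ds["digest"] == ds_digest(owner, rdata, ds["digest_type"])

if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 13, PUBKEY)          # 257 = ZONE + SEP flags, 13 = ECDSAP256SHA256
    ds = make_ds(ZONE, ksk)
    print("DS", ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"].hex())
    print("genuine key accepted:", ds_matches_dnskey(ds, ZONE, ksk))
    tampered = dnskey_rdata(257, 3, 13, PUBKEY[:-1] + b"\xff")  # one altered key byte
    print("tampered key accepted:", ds_matches_dnskey(ds, ZONE, tampered))
```

A key that fails this check cannot anchor the chain of trust for the child zone, so any RRSIG made with it is rejected even if the signature itself verifies.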
| Line 112: | Line 112: | ||
[[Category: Glossary]] | [[Category: Glossary]] | ||
[[Category:Cybersecurity]] | [[Category:Cybersecurity]] | ||