DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence. These mechanisms require changes to the DNS protocol.
The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality. The original design of the Domain Name System (DNS) did not include security; instead it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempts to add security, while maintaining backwards compatibility.
Unlike spam, worms, viruses, and phishing—all of which confront end users directly—infrastructure attacks occur outside their normal frame of reference and control. But attacks on the Domain Name System (DNS), an engine of the Internet infrastructure, appear to be increasing in length and severity, affecting DNS information associated with financial services institutions, Internet service providers, and major corporations in the travel, health, technology, and media/ entertainment sectors. Such attacks can result in, say, dropped or intercepted email messages or users unknowingly redirected to fraudulent sites where they inadvertently hand over personal information.
The ultimate casualty in a serious infrastructure attack is public trust. The Internet technical community has responded to threats to the DNS infrastructure by developing the DNS Security Extensions (DNSSEC) protocol standard. DNSSEC-enabled systems run primarily in only a few early adoption and experimental zones.
DNSSEC introduces security at the infrastructure level through a hierarchy of cryptographic signatures attached to DNS records. In the context of DNSSEC, users are assured that the source of the data is verifiable as the stated source, and the mapping of a name to an IP address is accurate. DNSSEC – capable name servers also provide denial of- existence; that is, they tell a user that a name does not exist.
The ultimate casualty in a serious infrastructure attack is public trust. The Internet technical community has responded to threats to the DNS infrastructure by developing the DNS Security Extensions (DNSSEC) protocol standard. DNSSEC-enabled systems run primarily in only a few early adoption and experimental zones.
DNSSEC introduces security at the infrastructure level through a hierarchy of cryptographic signatures attached to DNS records. In the context of DNSSEC, users are assured that the source of the data is verifiable as the stated source, and the mapping of a name to an IP address is accurate. DNSSEC – capable name servers also provide denial of- existence; that is, they tell a user that a name does not exist.
