Sat, 6 Feb 2010
11:57 AM - DNS and DNSSEC
About ten years ago, DNSSEC was invented to deal with a problem plaguing the Internet: there is no trust built into the DNS system.
Many people have heard the term DNS but never thought about what it is. DNS, or the Domain Name System, is the process by which a domain name like midnightbsd.org is translated into an IP address such as 22.214.171.124. Without this system, one would need to type in IP addresses to access websites, send email, or chat online.
The system was invented at a simpler time when people trusted each other on the Internet. This was before worms, massive spam, or websites.
Today, many people try to impersonate others on the Internet, or worse yet, their websites. With a DNS cache poisoning attack, a user who asks a DNS server to look up google.com can be redirected to a fake site. That site could log the user's information and pass the requests through a proxy to the real google.com, so the user may never notice the difference.
Systems like DNSSEC validate DNS answers through a trust relationship: each zone signs its records, and the parent zone vouches for the child zone's signing key.
Individuals don't need to do much to use DNSSEC aside from purchasing updated software. Windows 7 had DNSSEC on its list of new features (not confirmed that it made it into the final builds). The client (your computer) must be able to understand DNSSEC responses for it to be of any use; otherwise, it is simply ignored.
System administrators must enable DNSSEC on their DNS servers (resolvers) as well as on the zones they serve to get the full benefit. You can think of a zone as a domain name. Zones are nested: a top-level zone such as .com or .org contains sub-zones such as midnightbsd.org.
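To make that trust relationship concrete, here is an added Python example (not code from this post or from the MidnightBSD project) of the link a validator checks between a child zone's DNSKEY and the DS record its parent publishes. The zone name, the key bytes and the "forged" key are constructed placeholders; real keys are RSA or ECDSA public keys hundreds of bytes long, and the key-tag and digest rules are the ones from RFC 4034 Appendix B and RFC 4509.

```python
import hashlib

# Added example, not code from the original post or from the MidnightBSD
# project. It models the parent -> child trust link that DNSSEC validation
# walks: the child zone publishes its public key in a DNSKEY record, the
# parent zone publishes a DS record holding a digest of that key, and a
# validator accepts the child's key only when the digest matches. Key tag
# calculation follows RFC 4034 Appendix B; the SHA-256 DS digest follows
# RFC 4509. All key bytes below are constructed placeholders.

DIGEST_SHA256 = 2  # DS digest type 2 = SHA-256


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest: SHA-256 over the canonical owner name followed by the DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey) -> dict:
    """What the parent publishes at delegation time for the child's key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": DIGEST_SHA256, "digest": ds_digest(owner, rdata)}


def validate_link(owner, parent_ds, flags, protocol, algorithm, pubkey) -> bool:
    """Validator's check: does the DNSKEY the child served match the parent's DS?"""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (parent_ds["digest_type"] == DIGEST_SHA256
            and parent_ds["algorithm"] == algorithm
            and parent_ds["key_tag"] == key_tag(rdata)
            and parent_ds["digest"] == ds_digest(owner, rdata))


# Constructed scenario: a key-signing key (flags 257 = zone key + SEP bit),
# protocol 3, algorithm 8 (RSA/SHA-256). The key bytes are placeholders.
ZONE = "midnightbsd.org."
FLAGS_KSK, PROTOCOL, ALG_RSASHA256 = 257, 3, 8
GENUINE_KEY = b"\x01\x02\x03\x04"
FORGED_KEY = b"\x01\x02\x03\x05"   # what a poisoned cache might hand a validator
PARENT_DS = make_ds(ZONE, FLAGS_KSK, PROTOCOL, ALG_RSASHA256, GENUINE_KEY)


def genuine_key_validates() -> bool:
    return validate_link(ZONE, PARENT_DS, FLAGS_KSK, PROTOCOL, ALG_RSASHA256, GENUINE_KEY)


def forged_key_validates() -> bool:
    return validate_link(ZONE, PARENT_DS, FLAGS_KSK, PROTOCOL, ALG_RSASHA256, FORGED_KEY)


if __name__ == "__main__":
    print("parent DS:", PARENT_DS)
    print("genuine key accepted:", genuine_key_validates())   # True
    print("forged key accepted:", forged_key_validates())     # False
```

The same check is repeated at every level from the root trust anchor down, which is why an unsigned parent (the root was not yet signed when this post was written) breaks the chain and forces workarounds such as ISC's look-aside registry.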
Enabling DNSSEC on BIND 9.4+ resolvers
    options {
        // Both must be on; lookaside validation does nothing without them.
        dnssec-enable yes;
        dnssec-validation yes;
        // Use ISC's DNSSEC Look-aside Validation registry as the trust anchor
        // for zones whose parents (including the root, in 2010) are unsigned.
        dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";
    };

    // The public key for DLV.ISC.ORG must also be listed in a trusted-keys { ... };
    // block; copy it from ISC's published key rather than typing it from memory.
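Once the resolver is configured, the practical check is whether it actually returns validated answers. Below is an added Python example (not code from this post or from ISC) that classifies a dig +dnssec response by its header: a validating resolver sets the AD flag on data it has verified and answers SERVFAIL for data that fails validation. The dig transcripts embedded in it are constructed, and query() assumes dig is installed and the network is reachable. ISC retired the DLV registry in 2017, so the lookaside line is historical, but this check applies to any validating resolver.

```python
import re
import subprocess

# Added example, not code from the original post. It reads the header of a
# dig +dnssec response to tell whether the resolver validated the answer.
# The sample transcripts below are constructed, not captured from a server.

STATUS_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)


def classify(dig_output: str) -> str:
    """Return 'secure', 'insecure', 'bogus' or 'unknown' for one dig +dnssec response."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if not status:
        return "unknown"
    if status.group(1) == "SERVFAIL":
        # A validating resolver answers SERVFAIL for data that fails validation.
        # Re-running the query with +cd (checking disabled) tells that apart
        # from a plain server failure: bogus data comes back once checks are off.
        return "bogus"
    # Whole-token match so "ad" is not confused with part of another word.
    if status.group(1) == "NOERROR" and flags and "ad" in flags.group(1).split():
        return "secure"
    return "insecure"   # answered, but the resolver did not (or could not) validate it


def query(name: str, resolver: str) -> str:
    """Run dig with the DO bit set against one resolver (needs dig and network)."""
    proc = subprocess.run(["dig", "+dnssec", "@" + resolver, name, "A"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed dig headers for the three cases a validating resolver produces.
SECURE_SAMPLE = """; <<>> DiG 9.7.0 <<>> +dnssec midnightbsd.org A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
INSECURE_SAMPLE = """; <<>> DiG 9.7.0 <<>> +dnssec unsigned.example A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_SAMPLE = """; <<>> DiG 9.7.0 <<>> +dnssec badsig.example A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


if __name__ == "__main__":
    for label, sample in (("secure", SECURE_SAMPLE), ("insecure", INSECURE_SAMPLE),
                          ("bogus", BOGUS_SAMPLE)):
        print(label, "->", classify(sample))
```

An "insecure" result is the normal outcome for an unsigned zone on a correctly validating resolver; seeing it for a zone you know is signed (or never seeing "secure" for any zone) means the resolver is not validating.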