DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in CERT records in the DNS. RFC 4398 describes how to distribute these certificates, including those for email, making it possible to use DNSSEC as a worldwide public key infrastructure for email.
DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted. DNSSEC does not protect against DoS attacks directly, though it indirectly provides some benefit (because signature checking allows the use of potentially untrustworthy parties). Other standards (not DNSSEC) are used to secure bulk data (such as a DNS zone transfer) sent between DNS servers. As documented in IETF RFC 4367, some users and developers make false assumptions about DNS names, such as assuming that a company's common name plus ".com" is always its domain name. DNSSEC cannot protect against false assumptions; it can only authenticate that the data is truly from or not available from the domain owner.
DoS Protection via APF, BFD, DDOS and RootKit
April 4, 2011 05:00
PowerDNS Authoritative Server 3.0 'PowerDNSSEC' release cycle starting
In the upcoming version 3.0, the PowerDNS Authoritative Server will add full support for DNSSEC.
This version is now almost ready for use, with 'Release Candidate 1' to be made available shortly.
In version 3.0, PowerDNS Authoritative Server 3.0 adds support for:
Serving pre-signed zones
TSIG transaction signatures for authorizing & requesting zone transfers
MyDNS compatibility backend
Master/Slave communications over IPv6
Lua zone editing