Accredited ICANN Registrar: NamesBeyond.com

What is DNS Security (DNSSEC)?

DNSSEC is an addition to the Domain Name System (DNS) protocols, designed to add security to the DNS by protecting the Internet from certain attacks, such as data modification attacks (e.g. cache poisoning). It is a set of extensions to DNS that provide origin authentication of DNS data, data integrity and authenticated denial of existence.
The Domain Name System Security Extensions (DNSSEC) as described in [RFC4033], [RFC4034] and [RFC4035] define new records and protocol modifications to DNS that permit security-aware resolvers to validate DNS Resource Records (RRs) from one or more Trust Anchors held by security-aware resolvers.

It is estimated that 10 percent of servers in the network today are vulnerable to Domain Name System (DNS) attacks, and many technology experts believe that we will see a serious attack on the underlying infrastructure within the next decade.

DNSSEC was designed to protect the Internet from attacks such as DNS cache poisoning. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.

These mechanisms require changes to the DNS protocol. DNSSEC adds four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new RRs are described in detail in RFC 4034.

It also adds two new DNS header flags: Checking Disabled (CD) and Authenticated Data (AD). In order to support the larger DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also requires EDNS0 support (RFC 2671).

Finally, DNSSEC requires support for the DNSSEC OK (DO) EDNS header bit (RFC 3225) so that a security-aware resolver can indicate in its queries that it wishes to receive DNSSEC RRs in response messages. By checking the signature, a DNS resolver can verify that the information it received is identical (correct and complete) to the information on the authoritative DNS server.
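The header flags and the EDNS0 DO bit described above can be seen at the byte level in the following added example, which is not part of the original page. It builds a DNS query carrying an OPT pseudo-record with DO set and reads the AD, CD and DO bits back out of a message; the function names and the example.com query are assumptions chosen for illustration.

```python
import struct

# Header flag masks (QR/RD from RFC 1035, AD/CD from RFC 4035) and the
# DO bit, which is the top bit of the 16-bit flags in the OPT TTL field (RFC 3225).
FLAG_QR, FLAG_RD, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0020, 0x0010
EDNS_DO = 0x8000
TYPE_OPT, TYPE_DNSKEY = 41, 48

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid, want_dnssec=True, checking_disabled=False,
                udp_size=4096):
    """Build a query with one question and one EDNS0 OPT record."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH=0.
    ttl = EDNS_DO if want_dnssec else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes long
            return off + 2
        off += 1 + n

def inspect(msg):
    """Report the DNSSEC-relevant bits of a query or response."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    info = {"qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "do": False, "udp_size": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["do"], info["udp_size"] = bool(ttl & EDNS_DO), rclass
    return info

if __name__ == "__main__":
    print(inspect(build_query("example.com", TYPE_DNSKEY, 0x1234)))
```

A stub resolver that sees AD set is trusting the upstream resolver's validation and the path to it; a resolver that validates for itself checks the RRSIG records requested through the DO bit.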

For more information on DNSSEC, please see our Frequently Asked Questions (FAQ), technical guide, presentations, etc.
