In the Domain Name System (DNS), communication between the name server and the DNS client takes place via the connectionless User Datagram Protocol (UDP). This transport protocol does not provide for authentication of the message source, so the recipient cannot verify the identity of the sender. It is therefore not possible to ensure that a message actually originates from the corresponding DNS server.
If the data field for the sender address is manipulated and a different IP address is entered, this endangers all Internet applications. The Internet Engineering Task Force (IETF) developed the Domain Name System Security Extensions (DNSSEC) to prevent such manipulations. DNSSEC is a protocol extension of the Domain Name System that works with the public-key method and authenticates the message source, ensuring that the name server's response matches the information associated with it. The development of DNSSEC dates back to 1994 and is anchored in RFC 2535. In addition, various other RFCs deal with DNSSEC. The version introduced in 2005 combines these RFCs under the designation DNSSEC-bis.
DNSSEC works with cryptographically secured domain names and targets the areas of key distribution, authentication of source data, and transaction authentication. When a request is sent to a DNSSEC server, the server returns a more extensive DNS record signed with a private key. The requester can use this signature to check the authenticity of the response. The response also carries a certificate with which the recipient can verify the sender and thus the information content. The digital signature is computed over a hash of the data: the recipient generates the same hash from the received data and compares it against the signature, so any alteration of the data in transit is detected.
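As an added illustration (not code from the original page), the signing and verification step described above, reduced to its core: the zone's private key signs a SHA-256 hash of the canonically ordered record set, and the resolver recomputes the hash and checks it against the signature with the public key, so a record whose address field has been altered in transit fails verification. The simplified record format, the type and function names, and the sample addresses are assumptions for this example; real DNSSEC signs wire-format RRsets and carries the signature and key in RRSIG and DNSKEY records.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RRSet is a simplified resource record set (constructed for this example,
// not DNS wire format): owner name, record type, TTL and the RDATA values.
type RRSet struct {
	Owner string
	Type  string
	TTL   uint32
	RData []string
}

// canonical renders the RRset in a fixed, sorted form so that signer and
// verifier hash exactly the same bytes, as DNSSEC canonical ordering does.
func canonical(rr RRSet) []byte {
	rdata := append([]string(nil), rr.RData...)
	sort.Strings(rdata)
	var b strings.Builder
	for _, v := range rdata {
		fmt.Fprintf(&b, "%s %d IN %s %s\n", strings.ToLower(rr.Owner), rr.TTL, rr.Type, v)
	}
	return []byte(b.String())
}

// Sign hashes the canonical RRset with SHA-256 and signs the digest with the
// zone's private key (ECDSA P-256, the curve used by DNSSEC algorithm 13).
func Sign(priv *ecdsa.PrivateKey, rr RRSet) ([]byte, error) {
	digest := sha256.Sum256(canonical(rr))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest from the received RRset and checks it against
// the signature with the zone's public key; any change to the data fails.
func Verify(pub *ecdsa.PublicKey, rr RRSet, sig []byte) bool {
	digest := sha256.Sum256(canonical(rr))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rr := RRSet{Owner: "www.example.test.", Type: "A", TTL: 3600, RData: []string{"192.0.2.10"}}
	sig, _ := Sign(priv, rr)
	forged := rr
	forged.RData = []string{"203.0.113.99"} // address field altered in transit
	fmt.Println("genuine:", Verify(&priv.PublicKey, rr, sig), "forged:", Verify(&priv.PublicKey, forged, sig))
}
```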