
domain name system security extension (DNSsec)

In the Domain Name System (DNS), communication between the name server and the DNS client takes place via the connectionless User Datagram Protocol (UDP). This transport protocol does not provide for authentication of the message source, so the recipient cannot verify the identity of the sender and cannot be sure that a message actually originates from the corresponding DNS server. If the data field for the sender address is manipulated and a different IP address is entered, this endangers all Internet applications.

In order to prevent such manipulations, the Internet Engineering Task Force (IETF) has developed the Domain Name System Security Extension (DNSsec). This is a protocol extension of the Domain Name System that works with the public key method and authenticates the message source. This ensures that the name server's response matches the information associated with it. The development of DNSsec dates back to 1994 and is anchored in RFC 2535. In addition, there are various RFCs that deal with DNSsec. The version introduced in 2005 combines the various RFCs under the name DNSsec-bis.

DNSsec works with cryptographic domain names and targets the areas of key distribution, authentication of source data and authentication of transactions. When requests are sent to the DNSsec server, it sends a more extensive DNS record signed with a private key. The requestor can use this to check the response for authenticity. The response also carries a certificate with which the recipient can also verify the sender and thus the information content. The digital signature of the data packets is based on a hash value that is generated by the recipient and can be compared with the signature.
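The sign-and-verify step described above, as an added example that is not part of the original article: it builds the byte string a DNSsec signature covers for an A record set (layout from RFC 4034, section 3.1.8.1) and checks it with RSA/SHA-256 (algorithm 8), which goes beyond the level of detail the article gives. The key pair is constructed from two publicly known primes, and the names, addresses, timestamps and key tag are constructed sample values.

```python
import hashlib
import struct

# Constructed demo key pair built from two publicly known primes (never a real key).
P = 2**255 - 19
Q = 2**256 - 2**32 - 977
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the zone only
K = (N.bit_length() + 7) // 8       # modulus length in bytes

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def wire_name(name):
    """Domain name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def signed_data(owner, ttl, addresses, expire, incept, key_tag, signer):
    """RRSIG RDATA without the signature, then the canonical A record set."""
    labels = len(owner.rstrip(".").split("."))
    head = struct.pack("!HBBIIIH", 1, 8, labels, ttl, expire, incept, key_tag)
    rdatas = sorted(bytes(int(o) for o in a.split(".")) for a in addresses)
    rrs = b"".join(wire_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + r
                   for r in rdatas)
    return head + wire_name(signer) + rrs

def encode(data):
    """EMSA-PKCS1-v1_5 encoding of the SHA-256 hash, as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(data):
    return pow(encode(data), D, N)          # name server side, private key

def verify(data, signature):
    # Resolver side: recompute the hash encoding and compare it with the
    # value recovered from the signature using the public key (N, E).
    return pow(signature, E, N) == encode(data)

def demo():
    """Constructed sample: a genuine answer verifies, a spoofed address does not."""
    meta = dict(owner="www.example.com.", ttl=3600, expire=1735689600,
                incept=1733097600, key_tag=12345, signer="example.com.")
    sig = sign(signed_data(addresses=["192.0.2.10"], **meta))
    genuine = verify(signed_data(addresses=["192.0.2.10"], **meta), sig)
    spoofed = verify(signed_data(addresses=["203.0.113.66"], **meta), sig)
    return genuine, spoofed

if __name__ == "__main__":
    print(demo())
```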

Information about the article
English: domain name system security extension - DNSsec
Updated at: 02.08.2008
#Words: 301