DNSSEC key management and exchange
Andreeva, Ekaterina (2012)
Turun ammattikorkeakoulu
All rights reserved
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2012121920125
Abstract
The Domain Name System (DNS) is a system that translates human-readable domain names into numeric IP addresses and vice versa. The public DNS server infrastructure forms a distributed database that contains all the domain names and their corresponding IP addresses.
The legitimacy of DNS has essentially been based on trust. When a user accesses a network service, e.g. a website, using a domain name, he or she trusts that the name is correctly translated into the IP address of the service he or she intended to access. Hackers exploiting the vulnerabilities of the DNS protocol can gain access to confidential information and steal passwords and private data.
In order to authenticate DNS responses and make DNS more secure, a new extension to the DNS architecture was introduced, called DNSSEC (Domain Name Security Extensions).
DNSSEC is a set of extensions to DNS that provides functionality for the following steps:
- Authentication of DNS data (checking the reliability of the site)
- Checking data integrity
- Checking denial of existence (e.g. a dummy DNS server can respond to the user that a domain does not exist when in fact it does).
By analyzing the available technical documentation and RFC (Request for Comments) documents, this thesis aims to outline best practices and guidelines for DNSSEC key management and key exchange theory. The results of this work can be used as a baseline, for example when implementing DNSSEC key management functionality in DNS management software.
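The key exchange between a signed zone and its parent happens through the DS record: the parent publishes a digest of the child's key-signing key, and a validator checks the child's DNSKEY against it. The following example, added here and not part of the thesis, computes the DNSKEY key tag and DS digest as defined in RFC 4034 using only the Python standard library. The zone name `example.com.` and the short dummy public key are constructed sample values; a real key is hundreds of bytes long.

```python
import hashlib
import struct

# Constructed sample values (not from the thesis); a real public key is
# hundreds of bytes long, the short dummy key keeps the example readable.
ZONE = "example.com."
FLAGS_KSK = 257            # Zone Key (256) + Secure Entry Point (1)
PROTOCOL = 3               # fixed to 3 for DNSSEC (RFC 4034)
ALG_RSASHA256 = 8
DIGEST_SHA256 = 2
DUMMY_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01, 0xC0, 0xFF, 0xEE])

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5).
    Only a 16-bit lookup hint: collisions are possible, so a validator
    must still verify the RRSIG with every DNSKEY sharing the tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(zone, flags, algorithm, pubkey, digest_type=DIGEST_SHA256):
    """DS fields the parent publishes for this DNSKEY (RFC 4034 section 5.1.4):
    (key tag, algorithm, digest type, hex digest of owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_matches(zone, flags, algorithm, pubkey, published_ds):
    """Does the DS published by the parent still match the child's current KSK?
    A mismatch after a key rollover means the chain of trust to the zone is broken."""
    return ds_record(zone, flags, algorithm, pubkey, published_ds[2]) == published_ds

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(ZONE, FLAGS_KSK, ALG_RSASHA256, DUMMY_PUBKEY)
    print(f"{ZONE} IN DS {tag} {alg} {dtype} {digest}")
```

Running `ds_matches` against the DS actually published in the parent zone is the check an operator wants after a KSK rollover, before the old key is withdrawn.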