Secure DNS

As DNS becomes a critical operational part of the Internet infrastructure, a defined security method will need to be put in place to assure data integrity and authentication. Extensions to the DNS are described in the IETF-DRAFT "DNS Protocol Security Extensions--30 January 1996" that provide these services to security-aware resolvers or applications through the use of cryptographic digital signatures. These digital signatures are included in secured zones as resource records. Because the signatures are ordinary resource records, they can be stored and served by servers that do not understand them and checked by the security-aware resolver on receipt, so security can still be provided even through non-security-aware DNS servers in many cases.

The extensions also provide for the storage of authenticated public keys in the DNS. This storage of keys can support a general public key distribution service as well as DNS security. The stored keys enable security-aware resolvers to learn the authenticating key of zones in addition to those for which they are initially configured: a resolver that starts with one trusted zone key can accept the key of another zone once it finds that key stored in the DNS and signed by a key it already trusts. Keys associated with DNS names can be retrieved to support other protocols. Provision is made for a variety of key types and algorithms. In addition, the security extensions provide for the optional authentication of DNS protocol transactions. For more information see "http://ds.internic.net/internet-drafts/draft-ietf-dnssec-secext-09.txt".
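The two preceding paragraphs describe signatures stored as resource records and stored keys that let a resolver extend its trust beyond its configured key. The following Go program is an added example written for this page; it is not code from the draft or from any DNS implementation, and it deliberately simplifies: RRsets are modelled as plain strings rather than the DNS wire format, Ed25519 stands in for the algorithms the draft specifies, and the zone names, addresses and record layout are constructed for illustration. It builds a root zone and a child zone, has the parent sign the child's KEY record, and then lets a resolver configured only with the root key walk that chain to validate an A record in the child zone, rejecting both altered RDATA and a key that no trusted zone vouches for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified resource record set; a constructed model, not the wire format.
type RRset struct {
	Name, Type string
	Rdata      []string
}

// canonical is the signed input: lower-cased owner, type and sorted RDATA.
func (r RRset) canonical() []byte {
	rd := append([]string(nil), r.Rdata...)
	sort.Strings(rd)
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(rd, ","))
}

// Zone holds a zone's key pair. Ed25519 stands in for the draft's algorithms.
type Zone struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// newZone generates a fresh key pair; failure of the system RNG is fatal here.
func newZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, priv: priv, Pub: pub}
}

// sign produces the SIG record that accompanies an RRset in the zone.
func (z *Zone) sign(r RRset) []byte { return ed25519.Sign(z.priv, r.canonical()) }

// keyRRset is the KEY record a parent publishes for a child zone.
func keyRRset(child string, pub ed25519.PublicKey) RRset {
	return RRset{Name: child, Type: "KEY", Rdata: []string{hex.EncodeToString(pub)}}
}

// Resolver is security-aware: configured with one key, it learns others only
// through KEY records whose parent signature verifies.
type Resolver struct{ trusted map[string]ed25519.PublicKey }

// verify checks sig over r with the key held for signer; unknown signers fail closed.
func (res *Resolver) verify(signer string, r RRset, sig []byte) bool {
	pub, ok := res.trusted[strings.ToLower(signer)]
	return ok && ed25519.Verify(pub, r.canonical(), sig)
}

// learnKey trusts the child's key only after the parent's signature verifies.
func (res *Resolver) learnKey(parent string, key RRset, sig []byte) bool {
	if key.Type != "KEY" || len(key.Rdata) != 1 || !res.verify(parent, key, sig) {
		return false
	}
	raw, err := hex.DecodeString(key.Rdata[0])
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return false
	}
	res.trusted[strings.ToLower(key.Name)] = ed25519.PublicKey(raw)
	return true
}

// chainResult is what a resolver configured with only the root key concludes.
type chainResult struct {
	LearnedChildKey bool // example. KEY verified under the root key
	ARecordValid    bool // www.example. A RRset verified with the learned key
	TamperedValid   bool // altered RDATA shown with the original SIG (must be false)
	RogueKeyLearned bool // KEY signed by an untrusted zone (must be false)
}

func runChain() chainResult {
	root, child, rogue := newZone("."), newZone("example."), newZone("rogue.")
	childKey := keyRRset(child.Name, child.Pub) // published in the parent zone
	a := RRset{Name: "www.example.", Type: "A", Rdata: []string{"192.0.2.10"}}
	rogueKey := keyRRset(rogue.Name, rogue.Pub) // self-signed; nobody trusted vouches

	res := &Resolver{trusted: map[string]ed25519.PublicKey{root.Name: root.Pub}}
	var out chainResult
	out.LearnedChildKey = res.learnKey(root.Name, childKey, root.sign(childKey))
	aSig := child.sign(a)
	out.ARecordValid = res.verify(child.Name, a, aSig)
	tampered := RRset{Name: a.Name, Type: a.Type, Rdata: []string{"198.51.100.7"}}
	out.TamperedValid = res.verify(child.Name, tampered, aSig)
	out.RogueKeyLearned = res.learnKey(rogue.Name, rogueKey, rogue.sign(rogueKey))
	return out
}

func main() { fmt.Printf("%+v\n", runChain()) }
```

The point the resolver side makes is that nothing served by a DNS server is trusted on its own: every RRset is accepted only against a key that was either configured or itself reached through a verified signature, and a signer the resolver has no key for fails closed rather than being looked up on demand.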

In current implementations of Dynamic DNS, vendors have had to "roll their own" security protocol because of the lack of a defined standard. Be careful if you implement one of these products: its update authentication may not interoperate with other vendors' servers today, and it may become incompatible with future products once a specification is defined.