Principle

DNSSEC is based on digital signatures: it lets a resolver verify that DNS data is authentic and has not been altered on the way from the authoritative server. It protects integrity and origin, not confidentiality; DNSSEC does not encrypt anything.

DNSSEC does not encrypt the data of a secured RU domain; it signs it. Every record set in the signed zone carries a signature (RRSIG) that can only be produced with the zone's private signing key, so the data can be changed in an authenticated way only by whoever holds that key. You generate the key pair when you set up secure delegation for your domain. The private key stays on the primary DNS server, and the zone is re-signed with it after every modification; the matching public key is published in the zone itself as a DNSKEY record. A digest of that public key, the DS record, is handed to the administrator of the parent zone (the RU zone in this case), who publishes it in the parent zone and signs it with the parent's own key. Repeating this at every level builds a chain of trust: a resolver that knows the public key of a parent zone (ultimately the root zone's key, which it carries as a configured trust anchor) can verify the DS records the parent publishes, and through them the public key of any child zone.

Now, if a malicious user gets access to the zone files on the primary or secondary DNS server, editing them gains nothing: without the private key they cannot produce valid signatures for the altered records, so every unauthorized change fails validation and is discarded by validating resolvers. A dynamic update request sent by a malicious user on behalf of another system will also fail. Note what this does and does not give you: DNSSEC detects tampering rather than preventing it, so validating clients will refuse the tampered data (and may be unable to resolve the domain at all until it is repaired), while a resolver that does not validate will accept the forged answers as before. Protecting the private key itself therefore remains essential; whoever obtains it can sign whatever they like.

Caching (recursive) servers on the provider or enterprise side and validating resolvers on user systems check every answer the same way: they verify the record signatures with the zone's public key, then verify that public key against the DS record in the parent zone, and so on up to the trust anchor.
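The chain of trust described above, as an added worked example (my code, not r01.ru's and not a real DNSSEC toolkit): it computes the DNSKEY key tag and the DS digest as RFC 4034 specifies, then walks a constructed root, ru and example.ru chain the way a validating resolver links each parent's DS to the child's public key. The zone names and key bytes are constructed placeholders, and the RRSIG signature checks over the DNSKEY and DS record sets are deliberately left out (they need an RSA or ECDSA library); what the example shows is that the DS is a hash of the public key rather than a signature, that a tampered key breaks the link, and that rolling a key without sending a new DS to the parent breaks it too.

```python
"""DNSSEC chain-of-trust linkage: parent DS = digest of child DNSKEY (RFC 4034).
Added example with constructed data; signature (RRSIG) verification is omitted."""
import hashlib
import struct

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = H(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DS_DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """What the parent publishes for the child; this is what you hand to the parent's registry."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_presentation(owner: str, ds: dict) -> str:
    """Zone-file form of the DS record, e.g. 'example.ru. IN DS 2063 8 2 <hex>'."""
    return "%s IN DS %d %d %d %s" % (owner, ds["key_tag"], ds["algorithm"],
                                     ds["digest_type"], ds["digest"].hex())


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """The resolver's check: does the child's published DNSKEY hash to the parent's DS?"""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


def validate_chain(links: list) -> list:
    """links: [(zone, dnskey_rdata, ds_for_that_key), ...] from the root downwards.
    The root's DS is the configured trust anchor; every other DS comes from the parent zone.
    Returns the zones whose key was linked to the anchor, stopping at the first broken link."""
    validated = []
    for zone, rdata, ds in links:
        if not ds_matches(ds, zone, rdata):
            break
        validated.append(zone)
    return validated


# Constructed sample keys (NOT real DNSSEC keys; the key bytes are placeholders).
ROOT_KSK = dnskey_rdata(257, 3, 8, bytes(range(32)))
RU_KSK = dnskey_rdata(257, 3, 8, hashlib.sha256(b"ru ksk placeholder").digest())
EXAMPLE_KSK = dnskey_rdata(257, 3, 13, hashlib.sha256(b"example.ru ksk placeholder").digest())


def build_sample_chain() -> list:
    return [
        (".", ROOT_KSK, make_ds(".", ROOT_KSK)),                          # trust anchor, DS form
        ("ru.", RU_KSK, make_ds("ru.", RU_KSK)),                          # DS published in the root zone
        ("example.ru.", EXAMPLE_KSK, make_ds("example.ru.", EXAMPLE_KSK)),  # DS published in the ru zone
    ]


def tampered_key_detected() -> bool:
    """An attacker who edits the DNSKEY in the zone file cannot make it match the parent's DS."""
    ds = make_ds("example.ru.", EXAMPLE_KSK)
    tampered = EXAMPLE_KSK[:-1] + bytes([EXAMPLE_KSK[-1] ^ 0x01])
    return ds_matches(ds, "example.ru.", EXAMPLE_KSK) and not ds_matches(ds, "example.ru.", tampered)


def rollover_without_ds_update() -> list:
    """Failure mode: example.ru rolls its KSK but never sends the new DS to the RU zone."""
    chain = build_sample_chain()
    new_key = dnskey_rdata(257, 3, 13, hashlib.sha256(b"example.ru new ksk").digest())
    zone, _old_key, stale_ds = chain[2]
    chain[2] = (zone, new_key, stale_ds)
    return validate_chain(chain)


if __name__ == "__main__":
    print(ds_presentation("example.ru.", make_ds("example.ru.", EXAMPLE_KSK)))
    print("validated:", validate_chain(build_sample_chain()))
    print("after unreported rollover:", rollover_without_ds_update())
```

The string returned by `ds_presentation` is the form of the DS record you submit to the parent zone's administrator; a practical check before and after any key change is to compute it yourself from the DNSKEY your primary server actually serves and compare it with what the parent publishes, since a stale DS at the parent breaks resolution for every validating client exactly as `rollover_without_ds_update` shows.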

Head office: 5th Donskoy proezd, 15, bldg. 4, Moscow

Copyright © "Гарант-Парк-Телеком" (Garant-Park-Telecom), 2006-2010
Customer information: tel: +7 (495) 783-3-783; e-mail: info@r01.ru
Technical support: tel: +7 (495) 783-3-783; e-mail: support@r01.ru