The Domain Name System Security Extensions (DNSSEC) are a set of additions to the Domain Name System (DNS) that protect the Internet and its users from attacks on the naming service, in particular from forged answers that redirect traffic to an attacker's address. DNS servers continue to translate names to Internet Protocol (IP) addresses exactly as before, but with DNSSEC each zone digitally signs its data and publishes its public key, and resolvers verify those signatures along a chain of trust that runs from the root down through every parent zone. The result is origin authentication and integrity for DNS data, properties the original protocol, carried over plain unauthenticated UDP or TCP, cannot provide on its own.
Originally, the DNS was created as an unsecured, public directory of names and their related IP addresses. As the Internet grew, however, a number of problems developed around the availability, privacy, and integrity of DNS data. Exposure of internal names was addressed early on by configuration practice, such as refusing zone transfers to unauthorized hosts and keeping internal and public zones separate. DNS servers also remain subject to the attacks that affect any type of server, such as distributed denial of service (DDoS) and buffer overflow attacks. Specific to the DNS, though, is cache poisoning: an outside source injecting false records so that a resolver hands out the attacker's data under a legitimate name. It is this last problem that DNSSEC was designed to address.
DNSSEC was developed by the Internet Engineering Task Force (IETF) and is detailed in several Request for Comments (RFC) documents, principally RFC 4033 through 4035. These documents describe DNS security in terms of public key digital signatures: a zone signs its sets of resource records with a private key, and a resolver verifies the signatures with the corresponding public key. Only authentication and integrity are provided, not encryption. DNS data is public by design, and leaving out confidentiality keeps the additional processing on servers and resolvers limited to signing and verification.
The way DNSSEC works is through a chain of trust that follows the tiers of the DNS hierarchy. Each zone signs its records and publishes its public key in a DNSKEY record. The parent zone vouches for the child's key by publishing a DS (delegation signer) record, which carries a hash of that key, and signing the DS record with its own key. At the top, the key of the root zone serves as the trust anchor that validating resolvers are configured with. To validate an answer for a name under .com or .org, a resolver checks the root's signature over the top-level domain's DS record, checks that the DS matches the top-level domain's DNSKEY, and repeats the same two steps down to the zone that holds the answer. The lower domains therefore do not need to trust one another directly; the root acts as the trusted third party from which all other trust is derived, and every link in the chain can be checked against it.
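The following is an added example, not code from the original article, showing the link that each parent publishes for its child: a DS record is a hash over the child's owner name and DNSKEY record data, plus a 16-bit key tag, both computed as in RFC 4034. The zone names and key bytes are constructed sample data, and the RRSIG signature checks that accompany each link in a real validator are omitted, so the code models only the DS-to-DNSKEY linkage and shows how a substituted key breaks the chain.

```python
"""Chain-of-trust linkage: DNSKEY -> key tag -> DS digest (RFC 4034).

Added example. Signature (RRSIG) verification is left out; only the
DS record a parent publishes for its child's key is modelled.
Zone names and key bytes are constructed sample data.
"""
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Encode a domain name in canonical DNS wire format (lowercase labels)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """The DS record a parent zone would publish for a child's DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}


def ds_matches_key(owner: str, ds: dict, rdata: bytes) -> bool:
    """Does this DNSKEY, under this owner name, match the parent's DS record?"""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == 2
            and ds["digest"] == ds_digest(owner, rdata))


def validate_chain(trust_anchor_ds: dict, zones: list) -> list:
    """Walk root -> leaf. `zones` is a list of (zone, dnskey_rdata, ds_for_child),
    the last entry having ds_for_child=None. Returns the zones whose DNSKEY was
    linked to the DS above it; the walk stops at the first broken link."""
    verified, expected_ds = [], trust_anchor_ds
    for name, rdata, child_ds in zones:
        if expected_ds is None or not ds_matches_key(name, expected_ds, rdata):
            break
        verified.append(name)
        expected_ds = child_ds
    return verified


# Constructed keys (hypothetical byte strings, not real DNSSEC keys).
ROOT_KEY = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")   # key tag works out to 2063
COM_KEY = dnskey_rdata(257, 8, bytes(range(16)))
EXAMPLE_KEY = dnskey_rdata(257, 8, bytes(range(16, 48)))
FORGED_KEY = dnskey_rdata(257, 8, bytes(range(48, 80)))

# The resolver's trust anchor is the DS form of the root key.
TRUST_ANCHOR = make_ds(".", ROOT_KEY)
CHAIN = [
    (".", ROOT_KEY, make_ds("com.", COM_KEY)),
    ("com.", COM_KEY, make_ds("example.com.", EXAMPLE_KEY)),
    ("example.com.", EXAMPLE_KEY, None),
]
# Same parents, but an attacker substitutes their own key for example.com.
FORGED_CHAIN = CHAIN[:2] + [("example.com.", FORGED_KEY, None)]

if __name__ == "__main__":
    print("root key tag:", key_tag(ROOT_KEY))
    print("genuine chain:", validate_chain(TRUST_ANCHOR, CHAIN))
    print("forged leaf  :", validate_chain(TRUST_ANCHOR, FORGED_CHAIN))
```

Because the DS digest covers the owner name as well as the key, a key that is valid for one zone cannot be replayed as the key of another zone, and because the parent signs the DS record, an attacker who controls a path to the resolver cannot substitute a DS of their own without also breaking the parent's signature.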
One issue that arises from the method described in the RFCs is called zone enumeration. To prove that a name does not exist, a signed zone answers with an NSEC record that names the next existing name in canonical order; by following the chain of NSEC records, an outside source can learn the identity of every named computer in the zone. Some controversy developed over this because, even though the DNS was not originally designed for privacy, some operators are under legal or governmental obligations that require the list of names to remain private. RFC 5155 describes an additional resource record, NSEC3, which replaces the names in the chain with salted, iterated hashes. This alleviates the problem without removing it entirely: the salt and iteration count are published in the zone, so an attacker can still collect the hashes and test guessed names against them offline.
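As an added example, not part of the original article, the code below first walks a constructed NSEC chain for a zone named example. to list every name in it, then computes NSEC3 owner hashes for the same names with the hash procedure of RFC 5155 section 5, and finally runs the offline dictionary attack that the hashing does not prevent. The zone contents and the word list are constructed sample data; the salt aabbccdd and 12 iterations are the parameters used in the NSEC3PARAM record of RFC 5155 Appendix A, so the hash of the apex can be compared with the first NSEC3 owner name listed there.

```python
"""Zone enumeration over NSEC, and the NSEC3 (RFC 5155) mitigation.

Added example. The NSEC chain, salt usage and word list below are
constructed sample data for a zone named "example.".
"""
import base64
import hashlib

# Constructed NSEC chain: (owner, next owner). A resolver receives these as
# proof that a queried name does not exist; an attacker receives them the same
# way and simply follows the "next" pointers around the zone.
NSEC_CHAIN = [
    ("example.", "db.example."),
    ("db.example.", "mail.example."),
    ("mail.example.", "vpn-gw.example."),
    ("vpn-gw.example.", "www.example."),
    ("www.example.", "example."),      # last record wraps back to the apex
]


def walk_nsec(chain, apex):
    """Enumerate every owner name by following NSEC 'next' pointers from the apex."""
    next_of = {owner: nxt for owner, nxt in chain}
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = next_of[cur]
        if cur == apex:
            return names


def wire_name(name):
    """Canonical DNS wire format (lowercase), which is what NSEC3 hashes."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


# Translate standard base32 output to the base32hex alphabet NSEC3 uses.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt),
    applied `iterations` further times; result as lowercase base32hex (32 chars)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_B32_TO_HEX).decode("ascii").lower()


def nsec3_owner_hashes(names, salt, iterations):
    """What an NSEC3-signed zone exposes instead of the names themselves."""
    return {nsec3_hash(n, salt, iterations) for n in names}


def offline_guess(hashes, zone, wordlist, salt, iterations):
    """Dictionary attack: salt and iterations are public (NSEC3PARAM), so every
    guessed label can be hashed offline and looked up among the exposed hashes."""
    found = []
    for word in wordlist:
        candidate = f"{word}.{zone}"
        if nsec3_hash(candidate, salt, iterations) in hashes:
            found.append(candidate)
    return found


SALT = bytes.fromhex("aabbccdd")   # parameters from RFC 5155 Appendix A
ITERATIONS = 12
ZONE_NAMES = walk_nsec(NSEC_CHAIN, "example.")
HASHES = nsec3_owner_hashes(ZONE_NAMES, SALT, ITERATIONS)
WORDLIST = ["www", "mail", "db", "ftp", "intranet"]   # constructed guesses

if __name__ == "__main__":
    print("NSEC walk reveals :", ZONE_NAMES)
    print("apex NSEC3 hash   :", nsec3_hash("example.", SALT, ITERATIONS))
    print("guessed via NSEC3 :", offline_guess(HASHES, "example.", WORDLIST,
                                               SALT, ITERATIONS))
```

The plain NSEC walk recovers all five names, including vpn-gw. With NSEC3 the attacker recovers only the names that appear in the word list, and the unusual name survives; that is the extent of the protection, and raising the iteration count only slows the guessing rather than stopping it.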
Other issues with implementing DNS security revolve around compatibility with older systems. The DNS is universal, so any change to it must be understood by servers and resolvers throughout the Internet. Since DNSSEC is implemented by way of software extensions to the DNS, difficulty emerged in getting older servers, and network equipment that mishandled the larger signed responses, updated to support the new records. Still, deployment at the root level began in late 2009 and early 2010, and the root zone has been signed since July 2010. Modern DNS server software and many recursive resolvers, including those offered by Internet providers and public DNS services, support validation, and most end-user computers rely on such a validating resolver rather than checking signatures themselves.