Integrating DNSSEC into the DNS service has become one of the main concerns for IT administrators. It is a complex operation that must be carefully planned and executed, as any error could lead to serious network dysfunctions and costly corrective measures. With SOLIDserver™, EfficientIP automates and simplifies DNSSEC integration thanks to a centralized and unified approach to DNS service management.

Why DNSSEC?

The DNS service is one of the most important services of the Internet and of corporate networks, mapping domain names to IP addresses. Without DNS, key applications simply do not work: the Web, e-mail, instant messaging, and applications and technologies such as CRM, ERP and Active Directory Domain Services (AD DS) rely on DNS to perform their operations. As a consequence, DNS is a service that has to be secured against all kinds of threats, whether malicious attacks or unintentional misconfigurations. The open source community has released patches and new versions to correct vulnerabilities and mitigate risks, but the true solution to the cache poisoning threat is to implement and deploy DNSSEC.

DNSSEC Principles

An important point to underline is that DNSSEC (DNS Security Extensions) does not modify the DNS protocol. DNSSEC is an extension of DNS. Thus, it is possible to use DNSSEC through a standard DNS cache. A DNS client that does not use DNSSEC can interact with a DNS server that uses DNSSEC (and vice versa). DNSSEC is a mechanism enabling the validation and authentication of the origin and integrity of DNS data. DNSSEC mechanisms are based on asymmetric cryptography keys exchanged between the authoritative name server and the DNS client or resolver. All generated keys are contained within the DNS zone, using new RR (resource record) types. Each signed zone and RR is associated with two cryptographic keys, also known as a “key pair”:

When a DNS client requests a DNS record hosted in a signed DNS zone, it receives the requested RR and a digital signature of the RR created with the cryptographic key. The client checks the validity of the signature by requesting the public key of the DNS server hosting the zone, which should validate the signature. The validation of the DNS server as a “true source” is then performed thanks to “Trust Anchors”. DNSSEC brings benefits in two key points:

It is important to note that DNSSEC does not provide data confidentiality, only validation of DNS data authenticity and integrity. The information exchanged is not encrypted; only the signature is encrypted.

EfficientIP Solution for DNSSEC

SOLIDserver™ enables you to manage your DNSSEC deployment from a centralized point, with full control over the enforcement of your standards through a user-friendly Web interface. SOLIDserver™ eliminates the complexity and the risk of errors that come with command-line operations and laborious tasks. DNSSEC SOLIDserver™ key features:
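
To make the trust anchor step from the DNSSEC Principles section concrete, the following added example (not EfficientIP or SOLIDserver™ code) checks a served DNSKEY against a pinned anchor using the RFC 4034 key tag and a SHA-256 DS digest. The zone name, key bytes and anchor are constructed sample values, and the function names are hypothetical.

```python
import hashlib, hmac, struct

def name_to_wire(name):
    """Canonical wire form: lowercased, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit lookup hint, not a security check."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def matches_anchor(owner, rdata, anchor):
    """True only if the served DNSKEY is the key the trust anchor pins."""
    tag, algorithm, digest = anchor
    return (key_tag(rdata) == tag and rdata[3] == algorithm
            and hmac.compare_digest(ds_digest(owner, rdata), digest.lower()))

# Constructed sample data: a 64-byte stand-in for an ECDSA P-256 key (not a real key).
PUBKEY = bytes(range(1, 65))
KSK = dnskey_rdata(257, 3, 13, PUBKEY)  # 257 = zone key + SEP (KSK) flags
# Assumption: the resolver operator obtained these values out of band and pinned them.
ANCHOR = (key_tag(KSK), 13, ds_digest("example.com.", KSK))

# A substituted key whose bytes are reordered so that the key tag still matches.
SUBSTITUTED = dnskey_rdata(257, 3, 13, bytes([3, 2, 1]) + PUBKEY[3:])

if __name__ == "__main__":
    print("key tag:", key_tag(KSK), "substituted tag:", key_tag(SUBSTITUTED))
    print("genuine key accepted:    ", matches_anchor("Example.COM.", KSK, ANCHOR))
    print("substituted key accepted:", matches_anchor("example.com.", SUBSTITUTED, ANCHOR))
```

The substituted key keeps the same key tag as the genuine one, which is why the digest comparison, not the tag, is what binds a key to the anchor.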