DNSVAULT 5.0
  • Introduction
  • Central Management
  • Fabric Management
  • Node Management
  • Service Management
    • DNS
      • Overview
      • Views
        • Zone
          • Inverse
            • Info
            • Host
            • SOA
            • NS
            • Nodes
            • Statements
            • DNSSEC
            • Logs
          • Reverse
            • Info
            • Host
            • SOA
            • NS
            • Nodes
            • Statements
            • DNSSEC
            • Logs
          • Response Policy
            • RPZ Zone
              • Info
              • Policies
              • Statements
              • Feed
        • Statements
        • Rate Limit
        • Fetch Limit
        • NXDomain Redirect
        • Bulk Upload
        • Attach Master Node
        • Attach Slave Node
        • Resource Record Service Option
        • Permission
        • Manage
      • TSIG
      • ACL
      • Servers
      • Options
      • Templates
  • Reports
Powered by GitBook
On this page

Was this helpful?

  1. Service Management
  2. DNS
  3. Views
  4. Zone
  5. Reverse

DNSSEC

PreviousStatementsNextLogs

Last updated 3 years ago

Was this helpful?

DNSSEC (zone integrity) allows us to be certain we reach the right place-we get the right IP address. It does this by providing three key services:

  • Source Authentication. We can prove that the DNS data about a domain can only have originated from the domain's authoritative DNS servers.

  • Data Integrity. We can prove that the data received was the same as the data sent from the domain's authoritative DNS servers, even if it is subsequently obtained from an intermediate DNS caching service.

  • Proof of Non-Existence (PNE). In cases where a negative response is obtained (the name does not exist), we can prove that this is correct and that it came from the domain's authoritative DNS servers. The reason for this functionality may not appear all that obvious. But depending on an attacker's motivation, it may be enough to spoof responses indicating, for example, that your web site does not exist. DNSSEC stops this kind of attack through its quaintly named Proof of Non-Existence (PNE) capability.