This section describes how to configure and deploy Domain Name System Security Extensions (DNSSEC) and signing policies, how to configure and manage DNSSEC using a Hardware Security Module (HSM), and provides conceptual and reference information on DANE (DNS-based Authentication of Named Entities) and TLSA records.
DNS was developed when the Internet was much smaller and friendlier than it is today. It is based on an implicit trust between the client and the DNS server: the client trusts that the DNS server is authentic and that the data it returns is valid. As the Internet grew, this model left DNS prone to attacks by malicious users who could hijack the DNS server or intercept and spoof the data.
DNSSEC is a set of security extensions introduced to address these risks within DNS. DNSSEC closes the gap in DNS security by authenticating the host and its data using public key cryptography. By verifying the signatures on zone data, and verifying the key used to sign that zone data, DNSSEC ensures that the host is authentic and that the data sent has not been tampered with. Because the signatures prove ownership of the zone data, DNSSEC all but eliminates cache poisoning and similar attacks.