DNSSEC - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Product name: BlueCat Integrity

This section describes how to configure and deploy Domain Name System Security Extensions (DNSSEC) and signing policies, how to configure and manage DNSSEC using a Hardware Security Module (HSM), and conceptual and reference information on DANE (DNS-based Authentication of Named Entities) and TLSA records.

DNS was developed when the Internet was much smaller and friendlier than it is today. It is based on an implicit trust between the client and the DNS server: the client trusts that the DNS server is authentic and that the data it returns is valid. As the Internet grew, this model left DNS exposed to attackers who could hijack the DNS server or intercept and spoof its responses.

DNSSEC is a set of security extensions introduced to address these risks within DNS. DNSSEC closes the gap by authenticating both the host and the data using public key cryptography. By verifying the signatures on zone data and verifying the key used to produce those signatures, DNSSEC ensures that the host is authentic and that the data sent has not been tampered with. DNSSEC all but eliminates cache poisoning and similar attacks by proving ownership of the zone data.

Note: Starting in Address Manager v9.3.0, when DNS service is deployed or restarted due to a reconfiguration, you may notice additional DNS queries logged by the DNS server in syslog. This is caused by changes in the handling of the root zone trust anchor for DNSSEC validation. These messages do not impact service or performance.
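The chain of trust described above (trust anchor, delegation digest, zone key, signed zone data), as an added Go model that is not BlueCat code and does not use DNSSEC wire format: it assumes Ed25519 signatures and a DS digest of SHA-256 over the raw key for brevity, and the A records it signs are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Zone models what a validating resolver receives: the zone's public key
// (DNSKEY), the answer (RRset) and the signature over it (RRSIG). Field
// names follow the record types; the encoding is not DNSSEC wire format.
type Zone struct {
	DNSKEY ed25519.PublicKey
	RRset  []byte
	RRSIG  []byte
}

// DS is the digest the parent zone publishes for a child's key; the parent
// signs it in turn, up to the root trust anchor configured in the resolver.
func DS(key ed25519.PublicKey) []byte {
	sum := sha256.Sum256(key)
	return sum[:]
}

// SignZone is the authoritative side: the zone owner signs its data.
func SignZone(priv ed25519.PrivateKey, rrset []byte) Zone {
	return Zone{DNSKEY: priv.Public().(ed25519.PublicKey), RRset: rrset, RRSIG: ed25519.Sign(priv, rrset)}
}

// Validate is the resolver side: the key must chain to the trusted DS and
// the RRSIG must cover exactly the data returned, or the answer is rejected.
func Validate(trustedDS []byte, z Zone) bool {
	if !bytes.Equal(DS(z.DNSKEY), trustedDS) {
		return false // signed by a key the parent never delegated to
	}
	return ed25519.Verify(z.DNSKEY, z.RRset, z.RRSIG)
}

// Scenario returns the validation result for a genuine answer, the same
// answer altered in transit, and a spoofed answer signed with a rogue key.
func Scenario() (genuine, tampered, spoofed bool) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	anchor := DS(priv.Public().(ed25519.PublicKey)) // plays the role of the trust anchor
	good := SignZone(priv, []byte("www.example.com. 300 IN A 192.0.2.10")) // constructed record
	altered := good
	altered.RRset = []byte("www.example.com. 300 IN A 203.0.113.66") // data changed, RRSIG kept
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fake := SignZone(rogue, altered.RRset) // well-formed signature, untrusted key
	return Validate(anchor, good), Validate(anchor, altered), Validate(anchor, fake)
}
```

Only the genuine answer validates; the altered answer fails the signature check and the spoofed one fails the key-chain check, which is why a validating resolver can reject poisoned data even when it is well formed.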