This section describes how to configure and deploy Domain Name System Security
Extensions (DNSSEC) and signing policies, how to configure and manage DNSSEC using a
Hardware Security Module (HSM), and conceptual and reference information on DANE
(DNS-based Authentication of Named Entities) and TLSA records.

DNS was developed when the Internet was much smaller and friendlier than it is today.
It is based on implicit trust between the client and the DNS server: the client trusts
that the DNS server is authentic and that the data it returns is valid. As the Internet
grew, this model left DNS open to attacks by malicious users who could hijack the DNS
server or intercept and spoof its responses.

DNSSEC is a set of security extensions introduced to address these risks. It closes the
gap in DNS security by authenticating the host and the data using public key
cryptography. By verifying the zone data and verifying the key used to sign it, DNSSEC
ensures that the host is authentic and that the data sent has not been tampered with.
DNSSEC all but eliminates cache poisoning and similar attacks by proving ownership of the
zone data.
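The two verification steps named above, checking the signature over the zone data and checking that the signing key is the one the parent zone vouches for, are shown in the following added example. It is not Address Manager code and it does not implement the DNSSEC wire formats; it models an RRset, a zone key published as a DNSKEY, an RRSIG-style signature and a DS-style digest with Go's standard library (Ed25519 is DNSSEC algorithm 15, and the SHA-256 digest mirrors DS digest type 2). The names, TTLs and addresses are constructed sample values, and the text-based canonical form is a simplification of the RFC 4034 canonical wire form.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record: owner name, type, TTL and RDATA as text.
type RR struct {
	Name, Type string
	TTL        uint32
	Data       string
}

// canonicalRRset builds the byte string that gets signed: owner names lowercased and the
// records sorted, so the signature does not depend on the order a server returns them in.
// Real DNSSEC signs the canonical wire form (RFC 4034, section 6); this text form is an
// illustrative stand-in.
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s\t%d\t%s\t%s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Data))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// ZoneKey is the zone's signing key pair. Only Pub is published, as a DNSKEY record.
type ZoneKey struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// GenerateZoneKey creates a fresh Ed25519 key pair for the zone.
func GenerateZoneKey() (ZoneKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ZoneKey{}, err
	}
	return ZoneKey{Pub: pub, priv: priv}, nil
}

// SignRRset plays the role of producing the RRSIG that accompanies an RRset.
func (k ZoneKey) SignRRset(rrs []RR) []byte {
	return ed25519.Sign(k.priv, canonicalRRset(rrs))
}

// DSDigest is what the parent zone publishes in a DS record: a SHA-256 digest of the
// child's public key. A resolver that already trusts the parent can use it to confirm
// that the DNSKEY it received is the one the zone owner registered.
func DSDigest(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// ValidateResponse is the resolver's side of the chain of trust: first verify the key
// against the parent's DS digest, then verify the signature over the data. It returns
// false for a key the parent never vouched for and for records modified in transit.
func ValidateResponse(rrs []RR, sig []byte, dnskey ed25519.PublicKey, parentDS string) bool {
	if DSDigest(dnskey) != parentDS {
		return false // key not anchored in the parent zone
	}
	return ed25519.Verify(dnskey, canonicalRRset(rrs), sig)
}

func main() {
	key, err := GenerateZoneKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample RRset for the zone example.com.
	rrs := []RR{{"www.example.com.", "A", 300, "192.0.2.10"}}
	sig := key.SignRRset(rrs)
	ds := DSDigest(key.Pub) // as registered with the parent (.com)

	fmt.Println("genuine response valid:", ValidateResponse(rrs, sig, key.Pub, ds))

	// A spoofed answer with the same signature fails the data check.
	forged := []RR{{"www.example.com.", "A", 300, "198.51.100.99"}}
	fmt.Println("tampered data valid:", ValidateResponse(forged, sig, key.Pub, ds))

	// An attacker who signs with their own key fails the DS check.
	rogue, _ := GenerateZoneKey()
	fmt.Println("rogue key valid:", ValidateResponse(forged, rogue.SignRRset(forged), rogue.Pub, ds))
}
```

The rogue-key case is the reason the DS record matters: a valid-looking signature on its own proves nothing unless the key that produced it can be traced back to a trust anchor.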

Note: Starting in Address Manager v9.3.0, when DNS service is deployed or restarted due
to a reconfiguration, you may notice additional DNS queries logged by the DNS server in
syslog. This is caused by changes in how the root zone trust anchor is handled for DNSSEC
validation. These messages do not impact service or performance.