Domain Name System Security Extensions (DNSSEC)

The original DNS protocol did not support security, making DNS vulnerable to attacks such as packet interception, spoofing, and cache poisoning, potentially compromising all future communications to a host. DNSSEC provides a means to secure DNS data by using digital signatures and public key cryptography.

DNSSEC allows a resolver or name server to verify the authenticity and integrity of DNS response data by establishing a “chain of trust” to the source of the DNS data and validating the digital signatures.

The main function of DNSSEC is to protect the user from forged data.
  • Validate the origin of a DNS response
    • Trust that the data came from the expected source
  • Validate the integrity of a DNS response
    • Trust that the data itself is correct
  • Validate denial of existence
    • Trust a “no records to return” response
DNSSEC does not provide any of the following functions:
  • Encryption of data (for example, SSL)
  • Protection from denial of service attacks
  • Protection from going to phishing sites

DNSSEC support in the IBM® i resolver can be enabled by using the Change TCP/IP Domain (CHGTCPDMN) command. In DNSSEC terms, the IBM i resolver is a non-validating security-aware stub resolver. This means that when DNSSEC is enabled, the IBM i resolver sets the DNSSEC OK bit in its query messages to indicate that it can handle DNSSEC fields in responses. However, it relies on the name server to do the actual authentication and validation of the DNS response data. This dependency implies that to have a secure DNS solution, IBM i must trust the name server and also have a secure communication channel to the name server. One option to secure the communication channel is to configure the DNS server on the same partition as the resolver and have them communicate via the loopback address (127.0.0.1 for IPv4 or ::1 for IPv6). Another option is to use IP Security (IPSec) to secure the communication channel between IBM i and the name server.
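As an added illustration (not IBM i code and not the behaviour of the CHGTCPDMN command itself), the following Python builds a stub-resolver query with the DNSSEC OK bit set in an EDNS0 OPT record, reads the AD and DO flags back out of a constructed response, and shows why a non-validating stub can rely on the AD bit only when the channel to the name server is trusted. The function names and the sample response packet are constructed for the example.

```python
import struct
OPT_TYPE = 41
DO_BIT = 0x8000   # DNSSEC OK: high bit of the OPT RR's 32-bit TTL field (RFC 4035)
AD_FLAG = 0x0020  # Authenticated Data flag in the message header

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def _skip_name(msg, off):
    # Walk labels; a compression pointer (top two bits set) is two bytes and ends the name.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def build_query(qname, qtype=1, dnssec_ok=True, txid=0x1234):
    """Wire-format query; with dnssec_ok an EDNS0 OPT record carrying DO is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)  # RD set
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0) if dnssec_ok else b""
    return header + question + opt

def parse_flags(msg):
    """Return (ad_set, do_set) for any wire-format DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    do_set = False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE and ttl & DO_BIT:
            do_set = True
        off += 10 + rdlen
    return bool(flags & AD_FLAG), do_set

def stub_accepts_as_authentic(response, channel_trusted):
    """A non-validating stub cannot check RRSIGs itself, so it may treat data as
    authenticated only if the server set AD and the path to that server is trusted."""
    ad_set, _ = parse_flags(response)
    return ad_set and channel_trusted

# Constructed sample response: QR|RD|RA|AD flags, one A record, OPT RR echoing DO.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
                   + _encode_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
                   + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0))
```

Over an untrusted path the AD bit is just a header bit that anyone able to alter packets could set, which is why the text above pairs a non-validating stub with loopback or IPSec.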

For more information about the IBM i DNS server, see Domain Name System.

For more information about DNSSEC, see the following RFCs, which you can locate from the RFC Search Engine.

  • RFC 4033: DNS Security Introduction and Requirements
  • RFC 4034: Resource Records for the DNS Security Extensions
  • RFC 4035: Protocol Modifications for the DNS Security Extensions