BIND 9 and DNSSEC

The DNS of RFCs 1034 and 1035 is secure in the same way IPv4 is: not very. You must be able to trust people, which you could on the Internet of 10 years ago, but this has now turned out to be a bit of a liability. On the other hand, if the root servers sign their query answers with known keys, so that you can check that the answers are unaltered and come from a legitimate root server, it's a different situation. If they also provide the public key of the nameserver to which they refer you, so that when the answer in turn comes back from that server you can verify that it is legitimate and unaltered, you have a new situation: you can trust DNS in a new way. Of course, this will still not stop people from entering ...
