[Editor's note: Below is an overview of DNSSEC written for a non-technical audience, however, it assumes some basic knowledge of the Domain Name System (DNS) and public-key cryptography concepts. The point is to provide enough detail to allow us to understand how chosen technology and institutional design creates Internet governance dilemmas. If there is technical blunder, my apologies - by all means let me know. Clear concepts are a baseline for productive debate. And as I said previously, see the actual specifications (RFC 4033, 4034, 4035) or other reference material, e.g., Geoff Huston's article series or Ron Aithchison's work for more detailed technical explanations. Looking forward to your comments.]

What is DNSSEC?

DNSSEC is a proposed Internet standard that modifies DNS resource records and protocols to provide security for query and response transactions made between domain name resolvers and nameservers. Specifically, the security DNSSEC provides includes:

  • Integrity verification: a DNS resolver can determine that information received from a nameserver has not been tampered with in transit
  • Source authentication: a DNS resolver can determine that the information received originated from an authoritative nameserver
  • Authenticated denial of existence: a DNS resolver can verify that a particular query is unresolvable because no DNS record actually exists on the authoritative nameserver
    •    more »
    Keywords: ,