Domain Name System Security Extensions

The Domain Name System Security Extensions (DNSSEC) are a suite of IETF specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. They are a set of extensions to DNS that provide DNS clients (resolvers) with:

 * Origin authentication of DNS data
 * Data integrity (but not availability or confidentiality)
 * Authenticated denial of existence

It is widely believed that securing the DNS is critically important for securing the Internet as a whole, but deployment of DNSSEC specifically has been hampered by several difficulties:

 1) Devising a backward-compatible standard that can scale to the size of the Internet
 2) Preventing "zone enumeration" where desired
 3) Deploying DNSSEC implementations across a wide variety of DNS servers and DNS clients (resolvers)
 4) Disagreement among key players over who should own the TLD (e.g., .com, .net) root keys
 5) Overcoming the perceived complexity of DNSSEC and DNSSEC deployment

Some of these problems are in the process of being resolved, and deployments in various domains have begun to take place.