Blog/content/posts/2016-07-21-my-take-on-dnssec-part-1-why-do-i-need-that.md
2017-10-09 17:37:37 +02:00

---
title: 'My take on DNSSEC Part 1: Why do I need that?'
author: eNBeWe
type: post
date: 2016-07-21T21:06:59+00:00
url: /2016/07/21/my-take-on-dnssec-part-1-why-do-i-need-that/
categories:
- Internes
- Serveradministration
tags:
- DNS
- DNSSEC
---
[DNS][1] is probably one of the most important protocols on the internet. Everybody uses it countless times each day, usually without even noticing it. Every time somebody visits any website, every time somebody sends a mail, every time somebody wants to do literally ANYTHING on the internet, a DNS server is involved.
<!--more-->
What it does is fairly straightforward: It is a dictionary of domain names (like enbewe.de or example.com) and their associated IP addresses (like 203.0.113.17 or 2001:DB8::12). If a user wants to access a website at a certain domain, the browser first queries a DNS server for the IP address of the domain and then connects to the server with that address. Essentially it is a [phonebook][2] for the internet.

Sadly, the protocol is about as ancient as anything on the internet, having been developed in 1983. In those early days, nobody designed protocols to be protected against malicious attacks. For this reason DNS is horribly insecure, and a large-scale attack could probably render the entire internet unusable [(for some time)][3]. But it can also be compromised in more subtle ways, e.g. directing users to wrong servers for phishing attacks.

To improve the situation, the DNSSEC protocol has been developed. It could be argued that DNSSEC is [far from perfect][4], but at least it is a step in the right direction. For this reason I want to talk a bit about DNSSEC, what it does, how I use it on my server and how it can be used in clients.

But that will start in [part 2][5] ...

[1]: https://en.wikipedia.org/wiki/Domain_Name_System
[2]: https://en.wikipedia.org/wiki/Telephone_directory
[3]: http://royal.pingdom.com/2007/02/15/how-the-internet-could-come-to-a-st/
[4]: http://sockpuppet.org/blog/2015/01/15/against-dnssec/
[5]: {{< relref "2016-08-24-my-take-on-dnssec-part-2-how-does-it-work.md" >}}