Data integrity protection is needed because DNS data flows could be compromised at any point between the various name servers, resolvers, or other intermediaries, and the corrupted data can remain in caches for extended periods of time.

To respond to these potential vulnerabilities, the technical community has over a number of years developed DNS Security Extensions (DNSSEC).4 DNSSEC adds data origin authentication and data integrity protection to the DNS. It aims to ensure that the recipient can validate that the data was sent from an authoritative source and that it arrived at its destination unchanged.

4.1.1 Mechanics of DNSSEC

DNSSEC provides end-to-end protection through the use of cryptographic digital signatures that are created by responding zone administrators and verified by a recipient’s resolver software. In particular, DNSSEC avoids the need to trust intermediate name servers and resolvers that cache or route the DNS records originating from the responding zone administrator before they reach the source of the query. DNSSEC also preserves the capacity for localized variations and independence within the DNS hierarchy.5

In DNSSEC, resource record sets (RRSets) 6 within a zone are signed based on the model of public-key cryptography.7 To support each signing operation, two keys are generated: a private key (to sign data) and the corresponding public key that is used to verify that the data were signed by the private key. The process of signing takes data to be signed and a private key as inputs to produce digitally signed data as the output.8 However, DNSSEC involves signing the hash value of an RRSet, rather


Defined in Roy Arends, Rob Austein, Matt Larson, Dan Massey, and Scott Rose, “DNS Security Introduction and Requirement,” RFC 4033, March 2005, available at <>.


For example, the control of the private and public keys remains within each respective zone.


Resource records that have the same label, class, and type are categorized as belonging to the same RRSet. See Box 3.2 for a detailed explanation of resource records.


For a review of public key cryptography and digital signatures, see Paul Albitz and Cricket Liu, DNS and BIND, 4th edition, Chapter 11, O’Reilly Media, Sebastopol, Calif., 2001; and Fred B. Schneider, editor, Computer Science and Telecommunications Board, National Research Council, Trust in Cyberspace, Chapter 4, National Academy Press, Washington, D.C., 1999.


The crucial property of the digital signature is that it could have been produced only by someone with access to the private key.

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement