Product Description

DNSSEC Management

Highlights

- Simplified signature of zones
- Automated signing keys (ZSK and KSK) generation, management and roll over
- Guaranteed DNSSEC keys confidentiality with SOLIDserver KeyRing
- Automated management of asymmetric cryptography key, DNSSEC Resource Records, Trust Anchors, and Delegation Signers
- NSEC and NSEC3 supported applying denial of existence
- DLV (DNSSEC Lookaside Validation)

Why DNSSEC?

The DNS service is one of the most important Internet and corporate network services, allowing the mapping of domain names to IP addresses. Without DNS, key applications simply do not work: web portals, e-mail, instant messaging, applications and internet protocols all rely on DNS to perform their operations.

Given this importance, DNS is a service which must be secured against all kinds of threats, whether malicious attacks or unintentional misconfigurations.

Over the last years several vulnerabilities have illustrated the risks around DNS security. In 2008 Dan Kaminsky demonstrated that the cache of a name server can easily be poisoned, enabling attackers to redirect users to a non-official website. The IP address associated to a domain requested by users is modified in the DNS cache by the hackers, in order to redirect users to the hackers' website. Then the hacker can steal confidential login and password data before redirecting users to the real website.

There are many other examples which illustrate the importance of DNS data integrity, all related to everyday use. The open source community has released patches and new versions to remediate vulnerabilities and mitigate risks. But the most effective solution to the cache poisoning threat is to implement and deploy DNSSEC.

www.efficientip.com
EfficientIP | Product Description DNSSEC MANAGEMENT

DNSSEC Principles

An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension of DNS. Thus, it is possible to use DNSSEC through standard DNS caches. A DNS client which does not use DNSSEC can interact with a DNS server which uses DNSSEC (and vice versa).

DNSSEC is a mechanism enabling the validation and authentication of the origin and integrity of DNS data. DNSSEC mechanisms are based on asymmetric cryptography keys exchanged between the authoritative Name server and DNS client or resolver. All keys generated are contained within the DNS zone with new RR types (resource record). Each signed zone and RR is associated with two cryptography keys, also known as a key pair:

- Confidential private key: This key is used to sign data authenticity and integrity by signing the Resource Records Sets. This key is confidential.
- Public key: This key is used to decrypt data that was encrypted with the private key to verify data authenticity and integrity.
- Public and private are linked, but it is not possible to find the other key by knowing only one of them.
- The data signed with a public key proves that it has been signed by the authentic private key.

When a DNS client requests DNS records hosted in a signed DNS zone it receives the requested RR and a digital signature of the RR created by the cryptographic key. The client checks the validity of the signature by requesting the public key of the DNS server hosting the zone which should validate the signature. The validation of the DNS server as a true source is then performed thanks to Trust Anchors.

DNSSEC delivers benefits in two key areas:

- Origin authentication: ensures that the DNS answer is delivered by the official DNS server which is supposed to deliver the answer.
- Integrity checking: ensures that the DNS zone data has not been modified by a third party, as it would require the private key to do so.

EfficientIP Solution for DNSSEC

EfficientIP provides a complete solution to easily deploy and maintain DNSSEC.

SOLIDserver enables you to manage your DNSSEC deployment from a centralized point, with full control over enforcement of your standards through a user-friendly Web interface. SOLIDserver eliminates complexity and the risk of errors due to command-line operations as well as tedious tasks.

Asymmetric Cryptography Key
- RSA/MD5, DSA, RSA/SHA1, RSA/SHA256, RSA/SHA512, DSA/SHA1/NSEC3, RSA/SHA1/NSEC3
- From 512 to 4096 bits for SHA keys and 512 to 1025 for DSA.

DNSSEC Resource Records

SOLIDserver supports all required resource records to deploy and provide DNSSEC including Resource Record Signature (RRSIGs), DNSKEY, Next Secure Records (NSEC) and Next Secure 3 Records (NSEC3).

Zone Signing Keys (ZSK) Management
- Automated zone signing and re-signing after modifications of zone data
- Automated ZSK rollover (30 days by default)
- Dual signature for key rollover process management
- Validity period and TTL conformity management
- Private key extraction
- Pre-signed key automation
- Alert on key expiration

Key Signing Keys (KSK) Management
- Overlapped zone signature for key rollover process management
- Validity period and TTL conformity management
- Expiration time threshold alert
- Footprint key export for Trust Anchors and Delegation Signers (DS)
- Trusted key export
- Alert on key expiration

Supports NSEC and NSEC3 applying denial of existence

DLV: DNSSEC Lookaside Validation

Delegation Signers
- Automated DS creation at the SmartArchitecture level
- Key importation

Trust Anchors
- Key exportation
- Automated configuration
- Footprint exportation
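
The key footprint (key tag) and Delegation Signer record named in the lists above can be derived from a DNSKEY as RFC 4034 specifies. The following is an added example, not EfficientIP or SOLIDserver code; the function names and the sample key bytes are constructed for illustration. It lets an operator confirm, around a KSK rollover, that the DS published at the parent still matches the child zone's key.

```python
import hashlib

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag ("footprint") over the DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF          # fold the carry back in
    return acc & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        if raw:                           # the root name has no labels
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def make_ds(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 hex digest) for a DNSKEY."""
    if len(rdata) < 5 or rdata[2] != 3:
        raise ValueError("not a DNSKEY RDATA (protocol field must be 3)")
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(published_ds: str, owner: str, rdata: bytes) -> bool:
    """Compare a DS in presentation form ("tag alg type digest") with a DNSKEY."""
    tag, alg, dtype, *digest = published_ds.split()
    if int(dtype) != 2:
        raise ValueError("only digest type 2 (SHA-256) is handled here")
    want = (int(tag), int(alg), 2, "".join(digest).upper())
    return want == make_ds(owner, rdata)

# Constructed sample, not a real key: flags 257 (KSK, SEP bit set),
# protocol 3, algorithm 8, followed by placeholder public-key bytes.
SAMPLE_KSK = bytes.fromhex("01010308" "03010001" "aabbccdd")
SAMPLE_DS = "%d %d %d %s" % make_ds("example.com.", SAMPLE_KSK)

if __name__ == "__main__":
    print("example.com. IN DS", SAMPLE_DS)
    print("parent DS matches child KSK:",
          ds_matches(SAMPLE_DS, "Example.COM", SAMPLE_KSK))
```

A mismatch between the parent's DS and the child's DNSKEY breaks the chain of trust for validating resolvers, so this comparison is worth running before the old key is withdrawn.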

EfficientIP is fully compliant with RFCs related to DNSSEC
- RFC 4033, DNS Security Introduction and Requirements
- RFC 4034, Resource Records for the DNS Security Extensions
- RFC 4035, DNSSEC Protocol Modifications
- RFC 4641, DNSSEC Operational Practices
- RFC 4956, DNS Security (DNSSEC) Opt-In
- RFC 5155, DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

ABOUT EFFICIENTIP

EfficientIP solutions address organizations' needs to drive business efficiency through the innovative use of IT. Its unified management framework for DNS-DHCP-IPAM, devices and network configurations enhances security, availability and agility of the IT infrastructure. EfficientIP's solutions have been chosen by hundreds of the most demanding organizations across all industries.
www.efficientip.com

EUROPE
EfficientIP SAS
90 Boulevard National
92250 La Garenne Colombes-France
+33 1 75 84 88 98

USA
EfficientIP Inc.
17 Wilmont Mews, Suite 400
West Chester, PA 19382
+1 888-228-4655

Copyright 2015 EfficientIP, SAS. All rights reserved. EfficientIP and SOLIDserver logo are trademarks or registered trademarks of EfficientIP SAS.

All registered trademarks are property of their respective owners. EfficientIP assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document.
