DNSSEC Management
Xelerance DNSX Secure Signer
Xelerance DNSX Secure Signer is a proactive DNSSEC management solution. It relieves the DNS administrator of the burden of the additional DNSSEC management requirements. DNSX Secure Signer avoids human error by automating these tasks, ensuring timely updates of keys and domain signatures, and providing early notification of the few remaining manual tasks.
What does DNSSEC provide?
DNSSEC provides extensions to the regular DNS for authentication via digital signatures. DNSSEC shuts the door on DNS exploits such as DNS cache poisoning attacks and DNS hijacking of domains.
It allows the DNS to be used as a secure distributed public database for third-party applications that require authenticated DNS records, such as those used in spam prevention (SPF records), secure remote login (SSHFP records), establishing large VPN deployments (IPSECKEY records), and LDAP or Active Directory related DNS records.
What does DNSSEC involve?
DNSSEC involves the creation and regular maintenance of cryptographic keys for domains. These keys are used to digitally sign all DNS records. If any DNS record in a domain changes, the entire domain needs to be re-signed using the DNSSEC keys and uploaded to the nameserver. All domains need to be re-signed with the DNSSEC keys at least once a month.
DNSSEC also requires continuous communication with the top-level domains. Signed domains that have an expired signature, or an old or missing key, will completely vanish from the internet.
To complicate things further, there is no “flag day” for DNSSEC. Over the next few years, all the top-level domains will become DNSSEC-enabled, and when they do, DNS administrators should support DNSSEC on those domains.
These regular administrative requirements significantly increase the chance of human error.
DNSX Secure Signer allows you to handle the increased DNSSEC administration without the cost of additional staff.
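The expiry risk described above can be checked mechanically. The following is an added example, not Xelerance code and not a description of how DNSX Secure Signer works: it parses RRSIG records in RFC 4034 presentation format and flags signatures that are expired, not yet valid, or close to expiry. The zone name, key tag, signature data and the 7-day warning window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG records in RFC 4034 presentation format.
# example.test, key tag 12345 and the signature fields are placeholders.
SAMPLE_ZONE = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20240301000000 20240201000000 12345 example.test. AAAA
www.example.test. 3600 IN RRSIG A 8 3 3600 20240210000000 20240110000000 12345 example.test. BBBB
mail.example.test. 3600 IN RRSIG MX 8 3 3600 20240120000000 20231220000000 12345 example.test. CCCC
"""

def parse_time(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, inception, expiration) for each RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue  # not a complete single-line RRSIG record
        # f[4] = type covered, f[8] = expiration, f[9] = inception
        yield f[0], f[4], parse_time(f[9]), parse_time(f[8])

def check_signatures(text, now, warn_before=timedelta(days=7)):
    """Classify each signature as EXPIRED, NOT_YET_VALID, EXPIRING or OK."""
    report = []
    for owner, covered, inception, expiration in parse_rrsigs(text):
        if now >= expiration:
            status = "EXPIRED"        # validating resolvers reject the answer
        elif now < inception:
            status = "NOT_YET_VALID"  # signer clock skew or early publication
        elif expiration - now <= warn_before:
            status = "EXPIRING"       # re-sign before the window closes
        else:
            status = "OK"
        report.append((owner, covered, status))
    return report

if __name__ == "__main__":
    now = datetime(2024, 2, 5, tzinfo=timezone.utc)  # fixed clock for the sample
    for owner, covered, status in check_signatures(SAMPLE_ZONE, now):
        print(f"{status:14} {owner} {covered}")
```

In practice the input would be the signed zone file or the RRSIG answers collected from the authoritative servers, and `now` the current UTC time.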
Xelerance DNSX Secure Resolver
Xelerance DNSX Secure Resolver is a DNSSEC caching and resolving nameserver with full support for DNSSEC Lookaside Validation (DLV). It features the latest in hardening and security measures for DNS and provides an intuitive web management interface, making configuration and key management easy.
Advanced DNS Features
In addition to the basic DNS resolving and DNSSEC validation, DNSX Secure Resolver protects against cache poisoning and DNS spoofing attacks, as seen with the now infamous Kaminsky attack.
It protects against DNS rebinding and Domain Fast Flux attacks and includes countermeasures to prevent abuse in a DNS amplification or DNS reflection attack.
In the fast-paced world of the internet it is important not only to be current, but to look ahead. DNSX Secure Resolver includes support for some internet drafts which have not yet, or only very recently, turned into RFC standards. These include draft-vixie-dnsext-dns0x20-00 and draft-wijngaards-dnsext-resolver-side-mitigation-01, and the DNS resilience recommendations from RFC 5452.
DNSSEC Features
DNSX Secure Resolver is designed to work with a signed or unsigned root and supports the ICANN (IANA) "Interim Trust Anchor Repository" for TLDs. It supports a customizable DLV Registry which defaults to the Internet Software Consortium DLV Registry.
It implements RFC 5011 for Trust Anchor rollover procedures used for updating DNSSEC keys. In addition, custom or company DNSSEC keys can be maintained according to local policy.