It is a set of extensions to DNS which provide to DNS clients
(resolvers) origin authentication of DNS data, authenticated denial of
existence, and data integrity.
How does DNSSEC work?
DNSSEC works by digitally signing answers to DNS lookups using
public-key cryptography. By checking this, a security-aware DNS resolver
can then determine if the answer it received was correct (secure),
whether the authoritative name server for the domain being queried
doesn't support DNSSEC (insecure), or if there is some sort of
More info: http://training.nlnetlabs.nl/Documentation/dnssec_howto.pdf
Does DNSSEC support GOST encryption algorithms?
Yes, at this moment GOST cryptoalgorithms for DNSSEC are included to
Is DNSSEC available with certified crypto-products?
«MagPro DNS» is provided for those who needs to use the certified solution in Russian Federation.
This product relies upon the «MagPro CryptoPacket 2.0»
solution certification of which is now in progress.
There are two keys used for signing zone file: KSK and ZSK. Each of KSK and ZSK is composed of two parts: private and public keys. Pivate keys are used to sign and public are used for checking signature.
KSK is Key Signing Key and used to produce and check digital signatures for public part of ZSK.
ZSK is Zone Signing Key and used for signing and check all records (except DS) in zone served by DNS-server.
Signed zone files contain DS records which make resolver to be aware
that lower-level DNS-server is trusted by current DNS-server. This makes
so called «chains of trust».
Trusted key is a public part of KSK of DNSSEC enable DNS-server from
which starts your chain of trust. This is also called «trust
anchor». It is distributed through a website or e-mail.
How can I sign a zone?
For signing a zone you will need to generate KSK and ZSK and then
sign the unsigned zone.
There are two pairs of utilities for this purpuse: dnssec-signzone + dnssec-keygen (from BIND project by ISC) or ldns-signzone + ldns-keygen (from LDNS project by NLnet Labs).
You can find information on how to use them on this pages: Signing a zone with
«dnssec-signzone» Signing a zone with