如何使用HSM協助DNSSEC (Domain Name System Security Extensions)保護DNS資料
The Domain Name Service (DNS) is the backbone of the Internet. It is a global address book for computers, and resolves Website addresses to specific IP addresses, enabling computers across
the Internet to exchange information, such as Web pages and files.
However, DNS is vulnerable to attack. For example, an attacker can interfere with DNS responses, redirecting data to their own computers for malicious gain. The Domain Name Service
Security Extension (DNSSEC) is an extension to DNS that addresses this problem. DNSSEC uses Public Key Infrastructure (PKI) techniques to validate the DNS lookup response and so
maintain the integrity of the DNS address book.
For DNSSEC to function properly, it is essential that private keys, the Zone Signing Key and Key Signing Key, are protected. Typically, the DNS server stores these keys in software within the
same DNS appliance. However, this provides only limited security. The only way to properly secure the private keys is to store them in a Thales nCipher product line Hardware Security
Module (HSM). Because the keys never leave the HSM, they are never exposed on the host computer and therefore not potentially available to an attacker. Moreover, the HSM is highly
resistant to physical tampering.
This guide explains how to store private DNSSEC keys within an HSM, and how to integrate the HSM with the Internet Systems Consortium (ISC) BIND DNS server and OpenSSL. This guide
does not give a detailed explanation of the protocol, but does provide references to sources that give a more in depth explanation of DNSSEC and BIND.
歡迎各大ISP業者及擁有NDS Server的大型企業或銀行來電索取這份資料: nCipher HSM integration guide for ISC BIND DNSSEC
玉山科技 版權所有 © Copyright AsiaPeak 2006, All Rights Reserved