Student Projects
PROJECT
Secure DNS with DNSSEC
FACTS
Period
Summer semester 2007
FH students
Stefan Asanger, Lukas Feiersinger, Thomas Loimayr
FH supervisor
DI Markus Zeilinger
Company
FH
Short description
Implementation of DNSSEC in an isolated environment. Analysis of DNS(SEC) weaknesses such as Cache Poisoning and Zone Walking.
DETAILS
Initial situation / Motivation / Introduction
When DNS was invented in 1983, security did not play an important role. To this day, classical DNS has no built-in security. Hence, the DNS protocol has several known vulnerabilities:
- no integrity checks of data
- no authenticity between client and server
- no authenticity between servers
This is where the DNS Security Extensions (DNSSEC) come into operation.
Project goal
The major objective of this project is the installation and testing of an isolated environment with DNSSEC for the zone dnssec.test.
Implementation
Our DNSSEC environment basically consists of two DNS servers, one forwarding server and a test client. Each server is running BIND 9.3.4 with DNSSEC support. For zone transfers between the primary and secondary DNS server, Transaction Signatures (TSIG) are used. An HMAC-MD5 hash guarantees the authenticity and integrity of the transferred data. DNS requests and responses are secured by DNSSEC, more precisely by digital signatures.
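The TSIG-protected zone transfer described above could be configured as in the following named.conf sketch. It is an added example, not the project's own configuration: the key name, the addresses 192.0.2.1 and 192.0.2.2, the file names and the secret placeholder are assumptions.

```conf
# ---- primary server (assumed address 192.0.2.1): named.conf ----
# Shared secret, generated once, e.g. with:
#   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST transfer-key
key "transfer-key" {                         # hypothetical key name
    algorithm hmac-md5;                      # TSIG algorithm named in the text
    secret "PLACEHOLDER-BASE64-SECRET";      # placeholder, not a real key
};

options {
    dnssec-enable yes;                       # serve RRSIG/DNSKEY/NSEC records
};

zone "dnssec.test" {
    type master;
    file "dnssec.test.signed";               # assumed name of the signed zone file
    allow-transfer { key "transfer-key"; };  # refuse AXFR/IXFR without a valid TSIG
};

# ---- secondary server (assumed address 192.0.2.2): named.conf ----
key "transfer-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET";      # must be identical to the primary's
};

options {
    dnssec-enable yes;
};

server 192.0.2.1 {
    keys { "transfer-key"; };                # sign every message sent to the primary
};

zone "dnssec.test" {
    type slave;
    masters { 192.0.2.1; };
    file "dnssec.test.signed.bak";           # assumed local copy of the zone
};
```

With this in place, an unsigned transfer request (`dig @192.0.2.1 dnssec.test AXFR`) should be refused, while the same request signed with the key (`dig -k` pointing at the key file) should succeed.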
Results / ongoing activities
For registrars and big organisations, Zone Walking is still the crucial reason not to use DNSSEC. As DNS information is basically public, the question arises how dangerous the disclosure of a zone file could be. In our opinion, the advantages outweigh authenticity and integrity of data.