OpenDNSSEC was created as an open-source turn-key solution for DNSSEC. It secures zone data just before it is published in an authoritative name server.
Below:
- Why DNSSEC?
- What does OpenDNSSEC do?
- Where to get OpenDNSSEC?
- What is the progress of OpenDNSSEC development?
- Who are involved in OpenDNSSEC?
Why DNSSEC?
Many internet protocols hinge on DNS, but the data in DNS caches has become so vulnerable to attack that it cannot be relied upon anymore. The authenticity that DNSSEC adds makes sure that such attacks have no effect. That is, if
- Zones are verified. Easy-to-deploy software for DNSSEC-aware name resolution (and caching) exists, for example Unbound or a properly configured BIND 9.
- Zones are secured. Easy-to-deploy solutions for signing zones with DNSSEC did not yet exist, at least not in open source. Hence the OpenDNSSEC project.
More on the problems with DNS and about deploying DNSSEC can be found in this white paper.
Note: At present, the relationship between a secure zone and its parent cannot be automated, for lack of standards. This means that you will need to communicate with the registrar of your parent zone (to get the DS record for a new key published) about once a year, whatever DNSSEC product you use.
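What gets handed to the parent in that yearly exchange is a DS record, which is a hash of the child's key-signing DNSKEY together with its key tag (RFC 4034 sections 5 and 6, Appendix B). The following is an added example, not code from the OpenDNSSEC project, that derives a DS record from a DNSKEY using only the Python standard library, so an operator can check what the registrar should publish. The owner name, flags and the four-byte "public key" field are constructed placeholders, not a real key.

```python
"""Derive the key tag and DS record for a DNSKEY (RFC 4034 5.1.4, 6.2, App. B).

Standard library only; added example, not OpenDNSSEC code.
"""
import base64
import hashlib
import struct


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lower-case labels,
    each prefixed by its length, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label: {label!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5):
    16-bit big-endian word sum over the RDATA, carries folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 1 = SHA-1 (legacy), 2 = SHA-256.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """RFC 4034 5.1.4: digest = hash(canonical owner name | DNSKEY RDATA).
    Lower-casing the owner name is what makes the DS case-insensitive."""
    return DIGEST_TYPES[digest_type](owner_to_wire(owner) + rdata).digest()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS record: owner IN DS keytag algorithm digest_type digest."""
    algorithm = rdata[3]
    digest = ds_digest(owner, rdata, digest_type).hex().upper()
    name = owner.rstrip(".").lower()
    return f"{name}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_dnskey_line(line: str):
    """Parse a DNSKEY in presentation format as a signer would export it:
    'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...'.
    Returns (owner, rdata)."""
    fields = line.split()
    owner = fields[0]
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return owner, dnskey_rdata(flags, protocol, algorithm, pubkey)


# Constructed sample (NOT a real key): KSK flags 257, protocol 3,
# algorithm 8 (RSA/SHA-256), placeholder 4-byte public key field.
EXAMPLE_OWNER = "Example.COM."
EXAMPLE_RDATA = dnskey_rdata(257, 3, 8, bytes.fromhex("01020304"))

if __name__ == "__main__":
    # Same key in presentation format; both paths must yield the same DS.
    owner, rdata = parse_dnskey_line("Example.COM. 3600 IN DNSKEY 257 3 8 AQIDBA==")
    assert rdata == EXAMPLE_RDATA
    print(ds_record(owner, rdata))
```

Feed `parse_dnskey_line` the KSK line from your signed zone and compare `ds_record`'s output with what the parent publishes; a mismatch in key tag or digest means the registrar is still carrying the previous key, which is exactly the situation the yearly exchange exists to avoid.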
What does OpenDNSSEC do?
OpenDNSSEC takes in unsigned zones, adds the signatures and the other records that DNSSEC requires, and passes the signed zone on to the authoritative name servers for that zone.
DNS is complicated, and so is digital signing; their combination in DNSSEC is of course complex as well. The idea of OpenDNSSEC is to handle such difficulties, to relieve the administrator of them after a one-time effort for setting it up.
The storage of keys is done through a PKCS #11 standard interface. To deploy OpenDNSSEC, an implementation of this interface is needed, for example a software library, an HSM or perhaps a simpler token.
Where to get OpenDNSSEC?
We are currently building the components that will form OpenDNSSEC. We expect to have a first version available for review by May 2009 and fully tested by the end of June 2009.
We will be supplying source code for Unix, which should also build on Windows with Cygwin. We will not be supplying packages, but we welcome package builders who are motivated to build and maintain packages for our source code releases.
The following are the deliverables from the project:
- DNSSEC Signer: The OpenDNSSEC implementation, expected to run on top of a PKCS #11 implementation, like an HSM.
- SoftHSM: A software-only implementation of an HSM, made available through the industry standard PKCS #11 interface. This software is compatible with the DNSSEC Signer.
- HSM market selection: A comparison between a number of HSM devices. This is intended to give a rough idea about the kinds of devices available on the market, in terms of speed, price, configuration.
What is the progress of OpenDNSSEC development?
Please visit the following resources for more details about development:
- The project plan for OpenDNSSEC
- The developer's mailing list
- In-person and phone meeting notes
Who are involved in OpenDNSSEC?
OpenDNSSEC is developed by the following parties:
- NLnet Labs as DNS code experts
- .SE (The Internet Infrastructure Foundation), the .SE registry
- Nominet, the .UK registry
- SURFnet, representing Dutch universities and high schools
- Kirei AB
- John A Dickinson
- SIDN