DNS Security

At the top of the Domain Name System (DNS) hierarchy, clusters of root servers carry the DNS root zone data. Web applications such as eCommerce, SaaS, social networking and even email depend on DNS to find the hosts they talk to. DNS security is essential because the protocol as originally specified carries no authentication: caching name servers accept answers they cannot verify, so an attacker who poisons a cache with forged responses can redirect Web traffic, including traffic carrying sensitive data, to hosts under their control.

The solution recommended by the DNS developer community is DNS Security Extensions (DNSSEC). DNSSEC does not encrypt DNS; it attaches digital signatures, made with public-key cryptography, to DNS data so that a validating resolver can check that a domain name and the IP addresses returned for it came from the zone's owner and were not altered in transit. The root zone is in urgent need of being digitally signed, since every unsigned zone above a signed one leaves a gap in the chain of trust, and delay is detrimental to the ongoing integrity of the Internet, eCommerce and Web applications. Signing a zone is only half of the picture: caching name servers become security aware when they are configured to validate, starting from a trust anchor (the key-signing key of the root, or a DS record for a signed subtree) and following signatures down to the answer.

SafeNet hardware security modules (HSMs) meet the demanding security and availability requirements of protecting the integrity of the domain name space. An HSM is a dedicated, tamper-resistant device that physically and logically protects the cryptographic keys and the cryptographic processing at the heart of digital signatures. With an HSM attached to the signing system, key generation, private-key storage and zone signing all take place inside the module: the private key never leaves it, the DNS server only hands over the data to be signed, and the module sits in a physically secured location with access restricted to essential personnel.
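To make the two preceding paragraphs concrete (how DNSSEC signing and validation work, and the KSK/ZSK split that decides what the HSM must protect), here is an added Go example; it is not SafeNet code and not part of the original page. It models a zone signed with a key-signing key and a zone-signing key, derives the DS digest that a parent zone publishes or a resolver holds as its trust anchor, validates an A record through that chain, and then shows validation failing both when a record is swapped the way a poisoned cache would serve it and when the resolver holds the wrong trust anchor. The RRset type, canonical form, DNSKEY rendering and DS hash are simplified stand-ins for the RFC 4034 wire formats, the zone data is constructed for the example, and the keys live in memory; in an HSM deployment only the `sign` function changes, becoming a PKCS#11 call with the private key never leaving the module.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RRset is a minimal stand-in for a DNS resource record set (constructed model, not wire format).
type RRset struct {
	Owner, Type string
	Data        []string
}

// canonical is the byte string a signature covers: rdata sorted as RFC 4034 requires, so signer and
// validator hash identical bytes, with owner and type bound in so an RRSIG cannot be replayed elsewhere.
func canonical(rr RRset) []byte {
	d := append([]string(nil), rr.Data...)
	sort.Strings(d)
	return []byte(strings.ToLower(rr.Owner) + " " + rr.Type + "\n" + strings.Join(d, "\n"))
}

// sign uses ECDSA P-256/SHA-256 (DNSSEC algorithm 13). With an HSM only this function changes:
// the hash is handed to the module over PKCS#11 and the private key never leaves it.
func sign(priv *ecdsa.PrivateKey, rr RRset) []byte {
	h := sha256.Sum256(canonical(rr))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return sig
}

func verify(pub *ecdsa.PublicKey, rr RRset, sig []byte) bool {
	h := sha256.Sum256(canonical(rr))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// dnskeyRdata renders a key as "<flags> <hex X||Y>"; flag 257 marks the KSK (SEP bit set), 256 the ZSK.
func dnskeyRdata(pub *ecdsa.PublicKey, flags int) string {
	raw := append(pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))...)
	return fmt.Sprintf("%d %s", flags, hex.EncodeToString(raw))
}

// dsDigest is the DS record the parent zone publishes, or a resolver holds as its trust anchor.
func dsDigest(owner string, ksk *ecdsa.PublicKey) string {
	s := sha256.Sum256([]byte(strings.ToLower(owner) + " " + dnskeyRdata(ksk, 257)))
	return hex.EncodeToString(s[:])
}

// SignedZone holds the public keys, the KSK's RRSIG over the DNSKEY RRset, and the ZSK's
// RRSIGs over each data RRset, keyed by "owner/type".
type SignedZone struct {
	Name     string
	KSK, ZSK *ecdsa.PublicKey
	KeySig   []byte
	RRsets   map[string]RRset
	Sigs     map[string][]byte
}

func (z SignedZone) dnskeyRRset() RRset {
	return RRset{Owner: z.Name, Type: "DNSKEY", Data: []string{dnskeyRdata(z.KSK, 257), dnskeyRdata(z.ZSK, 256)}}
}

// signZone applies the KSK/ZSK split and returns the DS digest the parent zone must publish.
func signZone(name string, ksk, zsk *ecdsa.PrivateKey, rrsets ...RRset) (SignedZone, string) {
	z := SignedZone{Name: name, KSK: &ksk.PublicKey, ZSK: &zsk.PublicKey, RRsets: map[string]RRset{}, Sigs: map[string][]byte{}}
	z.KeySig = sign(ksk, z.dnskeyRRset()) // the KSK signs only the key set, so it is used rarely
	for _, rr := range rrsets {
		z.RRsets[rr.Owner+"/"+rr.Type] = rr
		z.Sigs[rr.Owner+"/"+rr.Type] = sign(zsk, rr) // the ZSK signs all zone data
	}
	return z, dsDigest(name, z.KSK)
}

// validate walks the chain DS anchor -> KSK -> DNSKEY RRset -> ZSK -> data; any break is "bogus".
func validate(z SignedZone, trustedDS, owner, typ string) bool {
	if dsDigest(z.Name, z.KSK) != trustedDS || !verify(z.KSK, z.dnskeyRRset(), z.KeySig) {
		return false // the KSK is not the one the anchor vouches for, or the DNSKEY set was altered
	}
	rr, ok := z.RRsets[owner+"/"+typ]
	return ok && verify(z.ZSK, rr, z.Sigs[owner+"/"+typ])
}

// runDemo validates a constructed zone untouched, after an A record is swapped, and against a wrong anchor.
func runDemo() (valid, tampered, wrongAnchor bool) {
	ksk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	zsk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	zone, ds := signZone("example.", ksk, zsk, RRset{Owner: "www.example.", Type: "A", Data: []string{"192.0.2.10", "192.0.2.11"}})
	valid = validate(zone, ds, "www.example.", "A")
	wrongAnchor = validate(zone, strings.Repeat("00", 32), "www.example.", "A")
	zone.RRsets["www.example./A"].Data[0] = "198.51.100.66" // what a poisoned cache would hand back
	tampered = validate(zone, ds, "www.example.", "A")
	return
}

func main() { fmt.Println(runDemo()) } // prints: true false false
```

The point the code makes about the HSM: the KSK signs only the DNSKEY RRset, so it is touched rarely and its compromise would let an attacker substitute the ZSK for the whole zone, which is why it is the key most worth confining to the module; the ZSK signs every record and is used at each re-sign, so HSM-backed signing must also keep up with that throughput.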

DNS Security Architecture

SafeNet Key Management for DNS Security

  • Supports DNSSEC trust anchor systems
  • Key security for the root and the entire DNS hierarchy: ZSK and KSK
  • Powerful cryptographic engine offloads cryptographic burden from DNS server
  • Broad array of HSMs fits multiple DNSSEC requirements
  • Standard APIs including PKCS#11, Java, MS CAPI
  • FIPS validated and Common Criteria certified models available
  • Integrates with leading DNS platforms such as OpenDNSSEC, BIND 9.7, FreeBSD
(Figures: DNSSEC; DNS Hierarchy)