Building Trust into DNS: Key Strategies
White Paper, SafeNet, Inc.

Executive Summary

DNSSEC represents a vital means with which to address many security threats, including cache
poisoning, man-in-the-middle attacks, and more. But the DNSSEC infrastructure is only as secure as
the cryptographic keys used to protect DNS records. This paper reveals important strategies for
maximizing DNSSEC security, outlining the key role HSMs play and the critical requirements for
successful HSM implementations.

For all the benefits of an open Internet, there is a dangerous flip side. Domain name system (DNS)
servers are a perfect case in point. With no inherent security, DNS servers at many organizations
have been repeatedly compromised to enable a host of malicious endeavors, including cache poisoning
(injecting incorrect or fraudulent data into a name server’s cache, which is then served to users),
redirecting phone calls, man-in-the-middle attacks to steal passwords, rerouting email, denial of
service attacks, and more.

To combat these threats, many organizations have implemented Domain Name System Security
Extensions (DNSSEC), the process of digitally signing DNS records in order to ensure that the
messages received are the same as those that were sent.

By adopting DNSSEC, organizations of many kinds, including domain providers, online banks and
retailers, SaaS providers, and more, can realize a range of benefits:

  • Boost security. DNSSEC can help guard against cache poisoning, redirected phone calls,
    man-in-the-middle attacks, and more.
  • Ensure compliance. DNSSEC can help address ICANN, NSEC, and other mandates and
  • Reduce costs. By safeguarding against a range of network-based threats, organizations can
    reduce the time and cost associated with threat mitigation and post-attack forensics and
    reparation.

Without Robust Security, DNSSEC Can Be Compromised
In addition to several new concepts and operations for both the DNS server and the DNS client,
DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS. What this means
is that DNSSEC requires some new procedures, such as key generation, signing, and key management.
But, for all the potential DNSSEC benefits outlined above, the intended gains aren’t guaranteed,
because the resource records introduced by DNSSEC are kept in an unencrypted file. It is only when
the entire DNSSEC infrastructure is fully and comprehensively secured that organizations can begin
to fully enjoy DNSSEC’s benefits. To do so, they need capabilities to do the following:

  • Secure digital signatures. DNS messages need to be digitally signed in order to ensure the
    validity of DNS services.

  • Control access. Organizations need to ensure only authorized customers and internal staff can
    access sensitive applications and data.

  • Maintain application integrity. All associated application code and processes need to be
    secured to ensure integrity and prohibit unauthorized application execution.

  • Scale to accommodate high volume processing. Since DNS updates are very frequent, DNSSEC
    infrastructures need to deliver the performance and scalability required to ensure timely
    processing at all times.

The Role of HSMs in DNSSEC
As outlined above, it is only by ensuring security throughout the DNSSEC infrastructure that
businesses can realize the benefits of DNSSEC. To ensure the validity of DNS services, DNSSEC
employs public key cryptography to digitally sign DNS messages.

To realize the security required, robust protection of private signing keys is vital. If the keys
and their corresponding digital certificates are compromised, the chain of trust in the DNS
hierarchy is broken, rendering the entire system obsolete. This is where hardware security modules
(HSMs) come into play.

HSMs are dedicated systems that physically and logically secure the cryptographic keys and
cryptographic processing that are at the heart of digital signatures. HSMs support the following:

  • Life-cycle management, including key generation, distribution, rotation, storage,
    termination, and archival.

  • Cryptographic processing, which produces the dual benefits of isolating and offloading
    cryptographic processing from application servers.

By storing cryptographic keys in a centralized, hardened device, HSMs can eliminate the risks
associated with having these assets housed on disparate, poorly secured platforms. In addition,
this centralization can significantly streamline security administration.
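How the four records named earlier (DNSKEY, RRSIG, NSEC, DS) and the signing step described in this section fit together, as an added example that is not code from the SafeNet paper or from any SafeNet product: a Go program that builds a DNSKEY for an ECDSA P-256 key (algorithm 13, the ECDSA option the paper mentions later under key storage), computes its key tag and the DS digest a parent zone would publish, signs one A record as an RRSIG, and verifies it the way a resolver does, rejecting a tampered answer and any signature outside its validity window. Wire formats follow RFC 4034 and RFC 6605. The zone example.test, the addresses, TTL and timestamps are constructed; the in-memory private key is an assumption standing in for the key that the paper's model keeps inside an HSM, where only the signing step (the `sign` function here) would run.

```go
// Added example, not code from the SafeNet paper: how DNSKEY, RRSIG and DS fit
// together (formats per RFC 4034, algorithm 13 per RFC 6605). The paper keeps the
// private key inside an HSM; an in-memory key stands in for it here. Zone name,
// TTL, timestamps and addresses are constructed sample values.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

const algECDSAP256, flagsKSK = 13, 257 // KSK flags = ZONE (256) + SEP (1)

// wireName encodes a name in canonical lower-case wire form (RFC 4034 section 6.2).
func wireName(name string) []byte {
	var b []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if label != "" {
			b = append(append(b, byte(len(label))), label...)
		}
	}
	return append(b, 0)
}

// dnskeyRdata is flags | protocol 3 | algorithm | public key (X||Y, 64 bytes for alg 13).
func dnskeyRdata(flags uint16, pub *ecdsa.PublicKey) []byte {
	rdata := append([]byte{byte(flags >> 8), byte(flags), 3, algECDSAP256}, pub.X.FillBytes(make([]byte, 32))...)
	return append(rdata, pub.Y.FillBytes(make([]byte, 32))...)
}

// keyTag (RFC 4034 Appendix B) lets a validator pick the matching DNSKEY out of an RRset.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i&1)) // even offsets are the high byte
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// dsDigest is what the parent publishes: SHA-256 over the child's owner name in wire
// form followed by its DNSKEY RDATA (RFC 4034 section 5.1.4, digest type 2).
func dsDigest(owner string, rdata []byte) string {
	sum := sha256.Sum256(append(wireName(owner), rdata...))
	return hex.EncodeToString(sum[:])
}

// rrsig holds the RRSIG RDATA fields (RFC 4034 section 3.1) for one A record.
type rrsig struct {
	labels                         uint8
	origTTL, expiration, inception uint32 // seconds since the epoch
	keyTag                         uint16
	signer                         string
	signature                      []byte // r || s, 32 bytes each
}

// signedHash hashes what the signature covers: RRSIG RDATA minus the signature, then the
// record in canonical form (RFC 4034 section 3.1.8.1; several records would be sorted by RDATA).
func signedHash(s rrsig, owner string, addr [4]byte) []byte {
	b := []byte{0, 1, algECDSAP256, s.labels} // type covered (A), algorithm, labels
	for _, v := range []uint32{s.origTTL, s.expiration, s.inception} {
		b = binary.BigEndian.AppendUint32(b, v)
	}
	b = append(binary.BigEndian.AppendUint16(b, s.keyTag), wireName(s.signer)...)
	b = append(append(b, wireName(owner)...), 0, 1, 0, 1)         // owner, type A, class IN
	b = append(binary.BigEndian.AppendUint32(b, s.origTTL), 0, 4) // TTL, RDLENGTH
	h := sha256.Sum256(append(b, addr[:]...))
	return h[:]
}

// sign produces the RRSIG; in the paper's model this is the step performed inside the HSM.
func sign(priv *ecdsa.PrivateKey, s rrsig, owner string, addr [4]byte) (rrsig, error) {
	r, sv, err := ecdsa.Sign(rand.Reader, priv, signedHash(s, owner, addr))
	if err == nil {
		s.signature = append(r.FillBytes(make([]byte, 32)), sv.FillBytes(make([]byte, 32))...)
	}
	return s, err
}

// verify is the resolver side: validity window, key tag match, then the ECDSA check.
func verify(pub *ecdsa.PublicKey, key []byte, s rrsig, owner string, addr [4]byte, now uint32) bool {
	if now < s.inception || now > s.expiration || s.keyTag != keyTag(key) || len(s.signature) != 64 {
		return false
	}
	r, sv := new(big.Int).SetBytes(s.signature[:32]), new(big.Int).SetBytes(s.signature[32:])
	return ecdsa.Verify(pub, signedHash(s, owner, addr), r, sv)
}

// signZone: generate a KSK, sign www's A record, verify the genuine record (true) and a
// tampered copy (false), and return the DS digest the parent zone would publish.
func signZone() (genuineOK, tamperedOK bool, ds string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	key := dnskeyRdata(flagsKSK, &priv.PublicKey)
	s, err := sign(priv, rrsig{labels: 3, origTTL: 3600, inception: 1700000000, expiration: 1702000000, keyTag: keyTag(key), signer: "example.test."}, "www.example.test.", [4]byte{192, 0, 2, 10})
	genuineOK = err == nil && verify(&priv.PublicKey, key, s, "www.example.test.", [4]byte{192, 0, 2, 10}, 1701000000)
	tamperedOK = err == nil && verify(&priv.PublicKey, key, s, "www.example.test.", [4]byte{203, 0, 113, 1}, 1701000000)
	return genuineOK, tamperedOK, dsDigest("example.test.", key), err
}

func main() { fmt.Println(signZone()) } // prints: true false <DS digest hex> <nil>
```

The DS digest changes on every run because the key is freshly generated; the point to notice is what goes into it: the child's owner name plus its DNSKEY RDATA, so the parent can vouch for the child's key without ever seeing the private half. That is why everything in this program except `sign` is public data and the private key can stay inside the HSM. The 64-byte algorithm-13 public key, against 256 bytes for an RSA-2048 modulus, is the storage saving the paper mentions under ECDSA.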
[Figure: Securing DNS messages with HSMs. The diagram shows a DNS root server cluster whose root
zone records are signed by the private key in an HSM (FIPS 140-2 Level 4 validated); a TLD server
cluster whose TLD zone records are signed by the private key in a SafeNet HSM; and an authoritative
server cluster whose enterprise-level zone key is signed by a SafeNet HSM. The SafeNet HSM stores
the cryptographic keys that sign the DNS records (DNSKEY, RRSIG, NSEC, and DS). A recursive
(caching) name server sits between the client side of the DNS and the signed zones. Numbered steps:
  1. Client initiates query for “”.
  2. ISP caching name server starts recursive search at root if no record found in cache.
  3. Recursive search referred to applicable TLD by root. If record does not exist in TLD zone,
     query referred to the Authoritative server. (Simplified example – additional zone searches may
     be required to identify Authoritative Name Server.)
  4. Authoritative Server responds with signed DNS zone record.
  5. Recursive server returns verified IP address for “” to DNS client.]

The diagram above depicts the steps involved in securing DNS messages through the use of HSMs. By
safeguarding digital certificates and cryptographic keys, organizations can maximize the security
of their DNSSEC

The Advantages of HSMs
Compared to the process of storing cryptographic keys in software residing on general purpose
application servers, HSMs deliver several advantages:

Completeness
HSMs are fully contained solutions for cryptographic processing, key generation, and key storage.
As purpose-built appliances, they automatically include the required hardware and firmware (i.e.,
software) in an integrated package. Physical and logical protection of the appliance is supported
by a tamper resistant/evident shell; and protection from logical threats, depending on the vendor’s
products, is supported by integrated firewall and intrusion prevention defenses. Some HSM vendors
also include integrated support for two-factor authentication. Security certification is typically
pursued by HSM vendors and positioned as a product feature.

Software for these same functions is not a complete out-of-the-box solution. Server hardware is a
separate purchase, unless unused servers are present, as are firewall, intrusion prevention, and
two-factor authentication. Being tamper resistant is not a trait typically associated with
general-purpose servers. Security certification encompassing the combination of hardware platform
and software would be the responsibility of the user organization and can be a lengthy and very
costly activity, especially if involvement with certification bodies is not standard operating
practice for the organization using the software.

Performance
Cryptography is a resource intensive process that will introduce latency to any application that
depends on it. Depending on the application and organization involved, the objective could be to
minimize the latency introduced by cryptography. HSMs have an advantage over software, as they are
designed to optimize the efficiency of cryptographic processing. Compared to software running on
general purpose servers, HSMs will accelerate processing; an outcome of being

Compliant and Secure
Frequently, cryptography is used to meet compliance mandates. Cryptography use, however, does not
guarantee that information is secure. Further, there are no security guarantees (i.e., promises of
no security incidents ever) with any security solution, so the objective becomes one of managing
risk by reducing the number of vulnerabilities and the likelihood of vulnerabilities being
exploited. The aforementioned completeness attributes of HSMs allow organizations that deploy HSMs
to take efficient and simultaneous steps toward compliance and security.

Centralization of Key Management
An attribute of software is its portability; software can be installed on several servers.
Consequently, cryptographic keys are more likely to reside in several locations or software hosts.
This multi-location characteristic adds to administrative complexity and to the potential for
lapses in the life-cycle management of cryptographic keys (e.g., rotation and revocation). In
addition, if consistency in the protective layer of the software host (e.g., firewall, intrusion
prevention, and access control) cannot be ensured, the risk of keys being compromised increases.
With HSMs, the tendency is to store keys in a single unit. Not only does this streamline
administration and reduce the potential for management lapses, but it also supports a consistent
layer of key protection.

The Benefits of DNSSEC with SafeNet
SafeNet offers a broad set of HSMs that are ideally suited to the demands of securing private
signing keys. By employing SafeNet HSMs, organizations can realize a range of benefits:

Enhance Security
SafeNet HSMs deliver sophisticated security capabilities that enable businesses to enjoy maximum
security of DNSSEC. SafeNet HSMs ensure the most rigorous control over keys and their corresponding
digital certificates. As a result, organizations can eliminate the threats of DNS exploits, and the
damage they can wreak.

Ensure Compliance
The Internet Engineering Task Force has published a comprehensive set of guidelines for ensuring
DNSSEC security. For example, RFC 5011 outlines extensive standards for securing various points in
the DNS tree, referred to as trust points. Each trust point must be validated by at least one
associated public key. In addition, the guidelines specify a host of efforts for securely adding
keys, rotating keys, and removing keys. With their robust encryption and policy management support,
SafeNet HSMs enable organizations to ensure compliance with these

Further, ICANN DNSSEC requirements state that private keys must be generated and stored on
FIPS 140-2 validated HSMs. Many SafeNet HSMs meet these demanding FIPS requirements and many are
also Common Criteria certified.
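The RFC 5011 procedure the paragraph above refers to (adding, rotating and removing the keys at a trust point), as an added example that is not from the paper or from SafeNet: a Go model of a validating resolver's trust-anchor store for one trust point, applying the add hold-down timer, the requirement that a new key appear in a DNSKEY RRset signed by a current anchor, and revocation through the REVOKE bit with a self-signature. Key ids K1 to K3, flags and dates are constructed. Two assumptions simplify the RFC: keys are identified by their key material rather than by key tag (the tag changes once the REVOKE bit is set), and the remove hold-down for a valid key that silently disappears is left out.

```go
// Added example, not from the SafeNet paper: the RFC 5011 rules the paper refers to
// (trust points, adding, rotating and removing keys) as a small state machine a
// validating resolver could run. Key ids, flags and dates are constructed; a real
// resolver validates each DNSKEY RRset's signatures before feeding it in.
package main

import (
	"fmt"
	"time"
)

const (
	flagSEP     = 0x0001              // Secure Entry Point bit (RFC 4034)
	flagRevoke  = 0x0080              // REVOKE bit (RFC 5011 section 2.1)
	addHoldDown = 30 * 24 * time.Hour // add hold-down time (RFC 5011 section 2.4.1)
)

type state int

const (
	pending state = iota // in an RRset a current anchor signed; hold-down running
	valid                // hold-down elapsed: accepted as a trust anchor
	revoked              // REVOKE bit seen with a self-signature: never trusted again
)

func (s state) String() string { return []string{"pending", "valid", "revoked"}[s] }

type anchor struct {
	st    state
	since time.Time // start of the hold-down period
}

// Store is the resolver's anchor set for one trust point, keyed by key material (a
// stand-in for the public key bytes; the key tag is not stable once REVOKE is set).
type Store struct{ keys map[string]*anchor }

func NewStore(initialKey string) *Store {
	return &Store{keys: map[string]*anchor{initialKey: {st: valid}}}
}

// observation is one validated DNSKEY RRset: when it was seen, key id -> flags, and
// the ids of the keys whose RRSIGs over it verified.
type observation struct {
	at       time.Time
	keys     map[string]uint16
	signedBy []string
}

// Observe applies one RRset to the store following RFC 5011 section 2.2.
func (s *Store) Observe(o observation) {
	signed, trustedSigner := map[string]bool{}, false
	for _, id := range o.signedBy {
		signed[id] = true
		if a, ok := s.keys[id]; ok && a.st == valid {
			trustedSigner = true
		}
	}
	for id, flags := range o.keys {
		a := s.keys[id]
		switch {
		case a != nil && flags&flagRevoke != 0 && signed[id]: // REVOKE bit plus self-signature
			a.st = revoked
		case flags&flagSEP == 0 || !trustedSigner: // only SEP keys vouched for by a current anchor
		case a == nil:
			s.keys[id] = &anchor{st: pending, since: o.at}
		case a.st == pending && o.at.Sub(a.since) >= addHoldDown:
			a.st = valid
		}
	}
	// A pending key that drops out of the RRset loses its progress and starts over if it returns.
	for id, a := range s.keys {
		if _, present := o.keys[id]; a.st == pending && !present {
			delete(s.keys, id)
		}
	}
}

// State reports a key's status; the bool is false for keys the store never accepted.
func (s *Store) State(id string) (state, bool) {
	a, ok := s.keys[id]
	if !ok {
		return 0, false
	}
	return a.st, true
}

// Scenario replays a constructed KSK rollover: K2 is introduced, briefly vanishes
// (resetting its timer), is accepted after 30 days, then K1 is revoked. K3 appears
// only in an RRset signed by itself and is never accepted.
func Scenario() *Store {
	day := func(n int) time.Time { return time.Date(2010, 11, 1, 0, 0, 0, 0, time.UTC).AddDate(0, 0, n) }
	both := map[string]uint16{"K1": flagSEP, "K2": flagSEP} // the RRset published during rollover
	s := NewStore("K1")
	s.Observe(observation{day(0), map[string]uint16{"K1": flagSEP, "K3": flagSEP}, []string{"K3"}})
	s.Observe(observation{day(1), both, []string{"K1"}})
	s.Observe(observation{day(10), map[string]uint16{"K1": flagSEP}, []string{"K1"}})
	s.Observe(observation{day(11), both, []string{"K1"}})
	s.Observe(observation{day(35), both, []string{"K1"}})
	s.Observe(observation{day(45), both, []string{"K1", "K2"}})
	s.Observe(observation{day(50), map[string]uint16{"K1": flagSEP | flagRevoke, "K2": flagSEP}, []string{"K1", "K2"}})
	return s
}

func main() {
	s := Scenario()
	for _, id := range []string{"K1", "K2", "K3"} {
		st, ok := s.State(id)
		fmt.Println(id, st, ok) // K1 revoked true, K2 valid true, K3 pending false (never accepted)
	}
}
```

The two design points worth noticing are the ones the paper's "securely adding keys, rotating keys, and removing keys" wording glosses over: a key only becomes an anchor after it has been continuously present for the hold-down period in RRsets that an existing anchor signed (an attacker who briefly injects a key gains nothing), and revocation is accepted only when the key being revoked signs its own revocation, so possession of the private key is required to retire it. Both rules are why the private key's confinement to an HSM matters for the rollover, not just for everyday signing.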

Optimize Operational Performance
By leveraging SafeNet’s secure HSMs, organizations can realize significant gains in operational

  • Improve staff efficiency. By centralizing keys and policy administration on a central,
    comprehensive platform, security teams can significantly streamline administrative efforts.
    Further, with an appliance that supports XML, SafeNet enables easier up-front HSM

  • Ensure high performance. By managing cryptographic processing on purpose-built appliances,
    SafeNet HSMs deliver scalable, responsive performance, ensuring the timely, reliable response
    required in DNSSEC environments.

  • Optimize key storage. With its support for the Elliptic Curve Digital Signature Algorithm
    (ECDSA), SafeNet enables more efficient storage of cryptographic keys.

  • Enhance customer service and loyalty. SafeNet HSMs safeguard the DNS infrastructure, so
    organizations can eliminate the DNS exploits that put customers at risk. By ensuring high
    levels of security, organizations can foster greater trust and loyalty among their customer
SafeNet’s Breadth of HSM Offerings
SafeNet HSMs provide reliable protection for applications, transactions, and information assets by
safeguarding the cryptographic keys that are at the heart of any encryption-based security
solution. SafeNet HSMs are the fastest, most secure, and easiest to integrate application security
solution for enterprise and government organizations to ensure regulatory compliance, reduce the
risk of legal liability, and improve profitability.

SafeNet offers these HSM products:

General Purpose HSMs, Network Attached
  • Luna SA. Luna SA offers award-winning application protection through powerful cryptographic
    processing and hardware key management. Luna PCI for Luna SA 4.1 has received Common Criteria
    EAL4+ certification.

  • Luna SP. The SafeNet Luna SP allows developers to securely deploy Web applications, Web
    services, and other Java applications in a protected, hardened security appliance.

  • Luna XML. SafeNet Luna XML is designed to secure next-generation XML Web services and
    service-oriented architectures (SOAs). Other HSMs take months to integrate with new
    applications due to complex security APIs. Luna XML has zero footprint on the host application
    server, providing for rapid, independent, flexible, and highly scalable

  • ProtectServer External. The SafeNet ProtectServer External is a network-attached HSM that
    connects via TCP/IP to a single machine or complete network (LAN) to function as a central
    cryptographic subsystem that delivers symmetric and asymmetric cryptographic services. All
    operations that would otherwise be performed on insecure servers are securely processed within
    the HSM, ensuring that sensitive keys are always protected from

  • Luna SX. The SafeNet Luna SX is a central management console for rapid HSM setup and easy
    remote administration for the SafeNet Luna SA and Luna SP. Using a simple GUI, SafeNet HSMs
    can be managed remotely and securely.

General Purpose HSMs, Embedded
  • Luna CA4 HSM. The SafeNet Luna CA4 offers a complete hardware security solution for the
    protection of sensitive root keys belonging to certificate authorities used in public key
    infrastructures (PKI).

  • Luna PCI. SafeNet Luna PCI is designed to protect cryptographic keys and accelerate sensitive
    cryptographic operations across a wide range of security applications.

  • Luna PCM. SafeNet Luna PCM is a low-cost family of compact HSMs, offering hardware-based key
    management and hardware-accelerated cryptographic performance within a compact PCMCIA card.

  • ProtectServer HSMs. For server systems and support applications that require high
    performance symmetric and asymmetric cryptographic operations, ProtectServer Gold and
    ProtectServer Internal-Express provide tamper-protected hardware security.

Today, DNSSEC represents a critical approach for guarding against a range of threats to
Internet-based communications. By leveraging HSMs, organizations can enjoy the utmost in security
of the cryptographic keys and digital certificates that underpin the DNSSEC infrastructure. Today,
SafeNet offers a broad range of HSMs, solutions that accommodate the needs of a range of
deployments, and ensure organizations enjoy maximum security in their DNSSEC environments.

About SafeNet, Inc.
Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its
customers’ most valuable assets, including identities, transactions, communications, data and
software licensing, throughout the data lifecycle. More than 25,000 customers across both
commercial enterprises and government agencies and in over 100 countries trust their information
security needs to SafeNet.

Contact Us: For all office locations and contact information, please visit
©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of
SafeNet. All other product names are trademarks of their respective owners. WP (EN)-11.29.10
