Integration Guide:
Bind 9
1 Introduction
This paper provides an integration guide explaining how to integrate a Hardware Security Module
(HSM) - CryptoServer - with the BIND 9.10 server on a Linux or Microsoft Windows operating system
platform. Configuration details, especially for the domain name system configuration, that go beyond
the normal configuration needed to integrate a hardware security module are not explained in this
document. For further information on configuring and setting up BIND for a domain name system, refer
to the documents and information of ISC [1].
1.1 Concepts
The Domain Name System (DNS) is a hierarchical naming system built on a distributed database
for computers, services, or any resource connected to the Internet or a private network. Most
importantly, it translates human-readable domain names into the numerical identifiers associated
with networking equipment for the purpose of locating and addressing these devices worldwide.
The Domain Name System is often compared to the phone book of the worldwide internet. The original
design of the Domain Name System did not include any security. Instead, it was developed as a
simple, scalable distributed system.
The Domain Name System Security Extensions (DNSSEC) attempt to add security while maintaining
backwards compatibility with the existing Domain Name System. RFC 3833 attempts to document some
of the known threats to the DNS and how DNSSEC tries to respond to those threats. DNSSEC was
designed to protect Internet resolvers from forged DNS data, such as that created by DNS cache
poisoning. All answers from a DNSSEC-enabled domain name system are digitally signed. By verifying
the digital signature, a DNS resolver is able to check whether the information is correct and
complete compared with the information on the authoritative domain name server. While protecting
IP addresses is the immediate concern for many users, DNSSEC can also protect other information,
such as general-purpose cryptographic certificates. In essence, cryptographic keys are used to sign
domain-name-related information. These keys require extensive protection against being stolen or
corrupted. A hardware security module is the best solution for maintaining the highest security and
performance in protecting those keys.
[1] ISC - http://www.isc.org