Week 4: Domain Name System Security



  • History of DNS security
  • Chain of trust
  • Signatures and keys
  • Delegation signers
  • Proving negative replies
  • Wildcards and empty non-terminals


  • Setting up your own secure domain
  • Delegating secure subdomains



  • RFC 4033, DNS Security Introduction and Requirements
  • RFC 4034, Resource Records for the DNS Security Extensions
  • RFC 4035, Protocol Modifications for the DNS Security Extensions
  • RFC 5011, Automated Updates of DNS Security (DNSSEC) Trust Anchors
  • RFC 5155, DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
  • RFC 6781, DNSSEC Operational Practices, Version 2
  • RFC 6840, Clarifications and Implementation Notes for DNS Security (DNSSEC)
  • RFC 6841, A Framework for DNSSEC Policies and DNSSEC Practice Statements
  • RFC 6944, Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status
  • RFC 7129, Authenticated Denial of Existence in the DNS
  • RFC 7344, Automating DNSSEC Delegation Trust Maintenance
  • RFC 7583, DNSSEC Key Rollover Timing Considerations
  • RFC 7626, DNS Privacy Considerations
  • RFC 7646, Definition and Use of DNSSEC Negative Trust Anchors
  • RFC 8027, DNSSEC Roadblock Avoidance
  • RFC 8078, Managing DS Records from the Parent via CDS/CDNSKEY
  • RFC 8145, Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
  • RFC 8198, Aggressive Use of DNSSEC-Validated Cache
  • RFC 8509, A Root Key Trust Anchor Sentinel for DNSSEC
