OpenDNSSEC 1.3.9 released, a secure DNS solution
openkk, 12 years ago
<p><a href="/misc/goto?guid=4958344785008141381" target="_blank">OpenDNSSEC</a> is an open-source implementation of DNSSEC, used to secure zone data before it is published to authoritative name servers.</p>
<p>Domain Name System Security Extensions (DNSSEC) are a set of DNS security and authentication mechanisms specified by the IETF (see RFC 2535). They add origin authentication and data integrity, but do not guarantee availability, confidentiality, or proof that a domain name does not exist.</p>
<h3>Overview</h3>
<ul>
<li>Single piece of software for signing DNS zones that can be seamlessly integrated into an existing system without needing to overhaul the entire existing infrastructure.</li>
<li>Can be configured to sign zone files or to sign zones transferred in via AXFR.</li>
<li>Fully automatic – once set up, no manual intervention is needed.</li>
<li>Possibility of manual key rollover (emergency key rollover).</li>
<li><strong>Open source</strong> software supplied with a <strong>BSD</strong> license, so suppliers of commercial products can use the open-source code in them whilst retaining the IPR of their own software.</li>
</ul>
<h3>Scalable</h3>
<ul>
<li>Able to sign zones containing anything from a few records up to millions of records.</li>
<li>A single instance of OpenDNSSEC can be configured to sign one or many zones.</li>
<li>Keys can be shared between zones in order to save space in the HSM.</li>
</ul>
<h3>Flexible</h3>
<ul>
<li>Able to define a zone signing policy (key length, key lifetime, signature interval etc.); the system can be set up for anything between one policy covering all zones and one policy per zone.</li>
<li>Works with all the different versions of the Unix operating system.</li>
</ul>
<h3>Secure</h3>
<ul>
<li>OpenDNSSEC stores sensitive cryptographic data in an HSM, communicating with it using the industry-standard PKCS#11 interface.</li>
<li>SoftHSM – a software emulation of an HSM – is available if use of an HSM is not necessary, or to set up a DNSSEC testbed before purchasing a real HSM.</li>
<li>Facility to check whether HSMs are compatible with OpenDNSSEC.</li>
<li>Includes an auditing function that compares the incoming unsigned zone with the outgoing signed zone, so you can check that no zone data has been lost and that the zone signatures are correct.</li>
<li>Supports RSA/SHA1 and SHA2 signatures.</li>
<li>Denial of existence using NSEC or NSEC3.</li>
</ul>
<p>OpenDNSSEC 1.3.9 has been released. This version improves the Enforcer's database access performance and simplifies deleting a zone with ods-ksmutil, among other changes.</p>
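<p>The "Denial of existence using NSEC or NSEC3" feature above is what lets a validating resolver prove that a name does not exist in a signed zone. The following Python is an added example, not OpenDNSSEC's own code: it implements the NSEC3 hash from RFC 5155 (SHA-1 over the wire-format name plus salt, iterated), the interval check against an NSEC3 chain, and the closest-encloser proof a validator runs for a name error (RFC 5155 section 8.4). The zone names, salt and chain are constructed for the demo; RRSIG validation of the NSEC3 records themselves is out of scope.</p>

```python
"""NSEC3 (RFC 5155) hashed denial of existence, on a constructed toy zone.

Added example; not OpenDNSSEC code. Zone contents and salt are constructed.
"""
import hashlib

# RFC 4648 base32hex alphabet: it preserves byte order, so hashed owner
# names can be compared as plain strings.
_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def _to_wire(name: str) -> bytes:
    """Canonical wire format: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _b32hex(data: bytes) -> str:
    """Base32hex without padding (a 20-byte SHA-1 digest becomes 32 chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), then `iterations` more rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return _b32hex(digest)


def covers(owner: str, nxt: str, hashed: str) -> bool:
    """True if `hashed` lies strictly between an NSEC3 owner hash and its Next
    Hashed Owner Name; the last record in the chain wraps around to the first."""
    if owner < nxt:
        return owner < hashed < nxt
    return hashed > owner or hashed < nxt


def build_chain(existing_names, salt_hex, iterations):
    """Constructed stand-in for a signed zone's NSEC3 chain: a sorted list of
    (owner_hash, next_hash) pairs, the last pointing back to the first."""
    hashes = sorted({nsec3_hash(n, salt_hex, iterations) for n in existing_names})
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def prove_name_error(qname, zone, chain, salt_hex, iterations) -> bool:
    """RFC 5155 section 8.4 name-error proof: (1) an ancestor of qname, the
    closest encloser, matches an NSEC3 owner; (2) the next-closer name's hash
    is covered by some record; (3) the wildcard at the closest encloser is
    covered too, so a wildcard could not have synthesised an answer."""
    owners = {o for o, _ in chain}

    def matched(n):
        return nsec3_hash(n, salt_hex, iterations) in owners

    def is_covered(n):
        h = nsec3_hash(n, salt_hex, iterations)
        return any(covers(o, nx, h) for o, nx in chain)

    labels = qname.lower().rstrip(".").split(".")
    zone_labels = zone.lower().rstrip(".").split(".")
    if labels[-len(zone_labels):] != zone_labels:
        return False  # qname is not inside this zone
    if matched(qname):
        return False  # the name exists: this is not a name error
    # Walk up towards the apex until an existing ancestor is found.
    for i in range(1, len(labels) - len(zone_labels) + 1):
        encloser = ".".join(labels[i:])
        if matched(encloser):
            next_closer = ".".join(labels[i - 1:])
            return is_covered(next_closer) and is_covered("*." + encloser)
    return False


if __name__ == "__main__":
    # Constructed zone "example" with a few existing names; NSEC3PARAM values
    # (salt aabbccdd, 12 iterations) are taken from RFC 5155 Appendix A.
    salt, iters = "aabbccdd", 12
    chain = build_chain(["example", "a.example", "ns1.example"], salt, iters)
    for owner, nxt in chain:
        print(f"{owner}.example NSEC3 1 0 {iters} {salt} {nxt}")
    print("b.example name error proven:",
          prove_name_error("b.example", "example", chain, salt, iters))
```

<p>Because the chain links every existing name's hash in a circle, any name that is not in the zone hashes into exactly one covered interval, which is why the proof above needs only one matching and at most two covering records. Adding a wildcard such as <code>*.example</code> to the zone makes the same query fail the proof, since the wildcard could have answered it.</p>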