[SAC001]: DNS Security Reading List
I often get asked for background reading on the Internet's naming and address allocation systems. So I've started to pull together a collection of links to documents and sites that I've found helpful in discussions about the security/integrity/resilience of the Internet's domain name system, along with some basic primers on Internet architecture. Suggestions and recommendations are avidly invited -- particularly for non-US resources.
-- Andrew
Internet Architecture
- The Internet's Coming of Age (Committee on the Internet in the Evolving Information Infrastructure, Computer Science and Telecommunications Board, National Research Council) [2001]
(Great in-depth introduction to how the Internet works & current issues of scaling, assuring integrity, robustness, etc.)
- RFC 1958: Architectural Principles of the Internet (B. Carpenter, editor) [June 1996]
Domain Name System (DNS):
- RFC 1591: Domain Name System Structure and Delegation (J. Postel) [March 1994]
- RFC 1035: Domain Names - Implementation and Specification (P. Mockapetris) [November 1987]
- RFC 1034: Domain Names - Concepts and Facilities (P. Mockapetris) [November 1987]
- DNS and BIND: Chapter 11 - Security (P. Albitz and C. Liu) [O'Reilly, May 2001]
- Cricket Liu's DNS Corner (Includes useful DNS Glossary and DNS Security pages)
Root Name Servers:
- RFC 2870: Root Name Server Operational Requirements (R. Bush, et al.) [June 2000]
- Root Name Server Year 2000 Status (D. Conrad, et al.) [July 1999]
Name Server Security:
- Securing An Internet Name Server (C. Liu)
DNS Security Extensions (DNSSEC):
- RFC 3130: Notes from the State-Of-The-Technology: DNSSEC (E. Lewis) [June 2001]
- RFC 3090: DNS Security Extension Clarification on Zone Status (E. Lewis) [March 2001]
- RFC 2541: DNS Security Operational Considerations (D. Eastlake) [March 1999]
- RFC 2536: DSA KEYs and SIGs in the Domain Name System (DNS) (D. Eastlake) [March 1999]
- RFC 2535: Domain Name System Security Extensions (D. Eastlake) [March 1999]
- DNSSEC - Design & Structure (E. Lewis) [May 1999]
- "Securing the Domain Name System" (D. Davidowicz and P. Vixie) [Network Magazine, January 2000]
- DNS Security - An Introduction (B. Wellington) [NAI Labs, January 1999]
- NLNetLabs DNSSEC Resources page
Very User-Friendly Introductions to the DNS:
- "How Domain Name Servers Work" (Marshall Brain)
General Internet Security Resources:
- RFC 2828: Internet Security Glossary (R. Shirey) [May 2000]
- W3C World Wide Web Security FAQ [September 2001]
- Security of the Internet (CERT) [1998]
- The Survivability Imperative: Protecting Critical Systems (R. Linger, et al.) [October 2000]
- Beyond Encryption (prepared by Marketa Morska, Office for the State Information System, Czech Republic, for the Information Society DG of the European Commission) [June 2000]
Governmental Communications:
- Letter from U.S. Secretary of Commerce Donald L. Evans to Vint Cerf [October 2001]
- "Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime" (Communication from the European Commission) [January 2001]
Organizations:
- Center for Education and Research in Information Assurance and Security (CERIAS) (Purdue Univ.)
- Forum for Incident Response and Security Teams
- Internet Engineering Task Force:
- IT-ISAC
- SANS (System Administration, Networking, and Security) Institute
Governmental agencies:
- Computer Security Resource Center (US)
- Critical Infrastructure Assurance Office (US)
- National Infrastructure Protection Center (US)
CERTs:
- AUSCERT (Australia)
- CAIS (Brazil)
- CanCERT (Canada)
- CARNet CERT (Croatia)
- CERT Coordination Center (US)
- CERT-IT (Italy)
- CERT-NASK (Poland)
- CERT-NL (Netherlands)
- CERT Renater (France)
- CERT-RU (Russia)
- CN CERT (China)
- DFN-CERT "Zentrum für sichere Netzdienste" GmbH (Germany)
- DK-CERT (Denmark)
- esCERT-UPC (Spain)
- Funet CERT (Finland)
- HK-CERT (Hong Kong S.A.R., China)
- ID-CERT (Indonesia)
- ISnet CERT (Iceland)
- IT-ISAC (US)
- JANET-CERT (United Kingdom)
- JP-CERT (Japan)
- KR-CERT (South Korea)
- Litnet CERT (Lithuania)
- MyCERT (Malaysia)
- NIC BR Security Office (Brazil)
- NORDUnet CERT (Nordic countries)
- PakCERT (Pakistan)
- RCCN-CERT (Portugal)
- SI-CERT (Slovenia)
- SingCERT (Singapore)
- SUNET-CERT (Sweden)
- SWITCH-CERT (Switzerland)
- TW-CERT (Taiwan)
- UNINETT CERT (Norway)