DNS security

DNS security at CSAIL

DNSSEC is a technology for ensuring the authenticity of DNS information using public-key signatures. It does not provide confidentiality of requests. Currently, the mit.edu domain is not signed, nor are the 18.in-addr.arpa and 0.4.3.0.6.2.ip6.arpa (reverse mapping) domains. The csail.mit.edu domain is signed, as are all of the reverse mapping zones used by CSAIL, but these signatures can only be verified by a client that has the appropriate public keys configured as trust anchors. Systems running CSAIL Ubuntu are pre-configured to verify signatures for CSAIL domains. The recursive resolvers (ns0, ns1, ns2, and ns3) are also configured in this way, but a client that lacks a secure channel to the recursive resolver should not treat results from these servers as authenticated.
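The last point can be made concrete with the AD ("Authentic Data") header bit that a validating resolver sets on answers it has verified. The following is an added example, not CSAIL's own code: it decodes the DNS header and accepts the AD claim only when the path to the resolver is trustworthy. The sample message is constructed, 192.0.2.53 is a documentation address standing in for a remote resolver, and treating a loopback resolver as a local validator with the trust anchors configured is an assumption.

```python
import ipaddress
import struct

QR = 0x8000          # message is a response
AD = 0x0020          # resolver claims the answer passed DNSSEC validation (RFC 4035)
RCODE_MASK = 0x000F

def header_flags(message: bytes) -> dict:
    """Decode ID and flag word from the fixed 12-byte DNS header (RFC 1035)."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags = struct.unpack("!HH", message[:4])
    return {
        "id": msg_id,
        "response": bool(flags & QR),
        "ad": bool(flags & AD),
        "rcode": flags & RCODE_MASK,
    }

def treat_as_authenticated(message: bytes, resolver: str, secure_channel: bool) -> bool:
    """The AD bit is only the resolver's claim, carried in an unsigned header.

    Believe it only if nobody on the network path could have set it:
    the resolver is on loopback (assumed to be a local validator with the
    CSAIL trust anchors), or the caller vouches for an authenticated channel.
    """
    h = header_flags(message)
    if not (h["response"] and h["ad"]):
        return False
    on_loopback = ipaddress.ip_address(resolver).is_loopback
    return on_loopback or secure_channel

# Constructed sample headers (not captured traffic): QR|RD|RA with and without AD.
WITH_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
WITHOUT_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    for name, resolver, secure in [("remote, plain UDP", "192.0.2.53", False),
                                   ("local validator", "127.0.0.1", False),
                                   ("remote, secure channel", "192.0.2.53", True)]:
        print(f"{name}: {treat_as_authenticated(WITH_AD, resolver, secure)}")
```
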