Designed to protect DNS clients from forged DNS data that is the result of a DNS attack, such as cache poisoning, BlueCat's DNSSEC functionality signs all DNS requests on the authoritative server, using a digital signature. When a DNS client requests a DNS record, it can verify that the record received is identical to the record on the authoritative server.
In the event that an unauthorized user tries to exploit a U.S. federal government agency's DNS server, the altered record will not be verified as it has not been signed using the digital signature. This prevents users from receiving poisoned DNS, and increases the reliability of records received from DNSSEC-enabled DNS servers.
"As high-profile incidents such as the Kaminsky exploit in 2008 underscore, U.S. federal government must take every precaution to ensure networks are secure," said Gene Skiba, VP U.S. Public Sector for BlueCat Networks' dedicated U.S. Public Sector Group in Reston, Virginia. "BlueCat has always been at the forefront of DNSSEC innovation, and this latest functionality will make it simpler than ever before for U.S. federal government agencies to fully comply with all U.S. federal government standards," Skiba continued. "BlueCat has been gaining significant traction in the U.S. federal government space, and given the fact that DNSSEC usage is increasing, and that the U.S. federal government plans to sign the .gov and .mil domains by the end of 2009, providing leading-edge DNSSEC functionality remains a top priority for us."
BlueCat's new DNSSEC functionality includes:
Support for DNSSEC Resource Records
BlueCat will support all the required resource records needed to provide DNSSEC functionality for hosted authoritative domains, including Resource Record Signatures (RRSIGs), DNSKEY and Next Secure (NSEC) records. These records are not actually configurable and are automatically created and maintained by the DNS system.
BlueCat's Adonis DNS/DHCP appliance will be able to properly validate signed records from other DNSSEC-enabled servers.
Support for DNSSEC Signed Zones
BlueCat will provide support for DNSSEC Signed Zones using Zone Signing Keys (ZSK) and Key Signing Keys (KSK). Zone Signing Keys are used to sign the records within a zone - for example, the www host in the zone bluecatnetworks.com. Key Signing Keys are used to sign the ZSKs and are also used as the trust anchor for validation of DNS responses. Both ZSKs and KSKs can be automatically generated on a per-zone basis within Proteus. The new functionality will enable BlueCat to support RSASHA-1 and DSASHA-1 key ciphers at 1024-bit and 4096-bit strengths. Optionally, administrators can manually add their own keys to the system that will be used for signing. Other key ciphers may be added in future releases depending on customer needs.
Ability to Configure Trust Anchors
BlueCat will provide the ability to configure Trust Anchors, which are used to validate responses from other authoritative name servers. Trust Anchors will be configurable at a server level using DNS Options, where multiple Trust Anchors can be configured using their zone name and public KSK.
The proliferation of such technology as VoIP, RFID, wireless, virtualization, and IPv6 is making it impossible for U.S. federal government agencies to continue managing IP addresses with spreadsheets and homegrown solutions. BlueCat's market-leading solutions integrate with Microsoft Active Directory to enable U.S. federal government agencies to completely eliminate network accessibility problems by making it simple and secure for administrators to centrally deploy, manage, monitor and audit IP addresses across an entire organization from a single web-based interface.
About BlueCat Networks
BlueCat Networks, the IPAM Intelligence Company™, is a profitable, rapidly-growing leading provider of enterprise-class IP Address Management (IPAM) platforms and secure DNS/DHCP network administration appliances. Today, thousands of BlueCat's award-winning Proteus™ IPAM platforms and Adonis™ family of DNS/DHCP appliances have been successfully deployed to meet the rising IP management demands of government, military, financial services, retail and manufacturing organizations worldwide. Find out why more Fortune companies choose BlueCat solutions to gain complete, centralized Command and Control of their IP networks at www.bluecatnetworks.com.