Global chain of trust created to combat cyber threats.
Hence a chain of trust needs to be implemented. This chain of trust relies on two distinct products that need to interact to prevent 'man in the middle' attacks, that is, to preserve the integrity of any IP transaction. These elements are:
In a chain of trust, a domain's parent and possibly one or more of its ancestors in the DNS domain hierarchy are signed. The trust anchor corresponding to the zone at the top of the chain establishes trust down to the source of the DNS response, through successive signature verifications of the public key of a child by its parent.
To secure the chain, the child zone must inform the parent of the public part of its KSK (Key Signing Key) through a secure channel outside of the DNS. The parent creates a hash of the public key and stores it in a DS RR. It then signs the DS RR with its private key.
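The DS step described above, as an added example (not Secure64 code and not from the original page): the parent hashes the child's owner name plus its KSK DNSKEY RDATA with SHA-256 (DS digest type 2, RFC 4034 and RFC 4509), and a validator later recomputes that hash to accept or reject a key. The zone name and the 32-byte key are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercased) DNS wire format."""
    stripped = name.lower().rstrip(".")
    wire = b""
    for label in (stripped.split(".") if stripped else []):
        if not 0 < len(label) <= 63:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (a lookup hint, not a security value)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """Parent side: (key tag, algorithm, digest type, digest) for the DS RR."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest  # digest type 2 = SHA-256

def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validator side: does this DNSKEY hash to the DS the parent signed?"""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100:  # Zone Key bit must be set on a signing key
        return False
    return make_ds(owner, rdata) == ds

# Constructed sample values: not a real zone or key.
OWNER = "child.example."
KSK = dnskey_rdata(257, 3, 15, base64.b64encode(bytes(range(32))).decode())
DS = make_ds(OWNER, KSK)
# A substituted key, as an on-path attacker would have to present, fails the check.
FORGED = dnskey_rdata(257, 3, 15, base64.b64encode(bytes(32)).decode())

if __name__ == "__main__":
    print(OWNER, "IN DS", *DS)
    print("genuine KSK accepted:", ds_matches(OWNER, KSK, DS))
    print("forged KSK accepted: ", ds_matches(OWNER, FORGED, DS))
```

The digest only binds the key to the parent zone because the parent signs the DS RR; a validator must verify that signature before trusting the comparison.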
In some cases, like the Philippines, the countries are not DNSSEC enabled. This requires the implementation of an 'island of trust'. Thanks to our strategic partner, ePLDT group, through its FVP and Group Chief Information Security Officer of ePLDT Group, PLDT Group and SmartCISO, Mr. Angel T. Redoble, we have not only proven that it is feasible but also that it is easy and quick to implement when relying on Secure64's unique set of DNS solutions, going from Cache to Signer with Authority in the middle.
Secure64 DNS Authority is a DNS authoritative server that provides the highest levels of security, availability and resiliency under attack without the cost and complexity of conventional solutions. Unlike hardened systems, DNS Authority is Genuinely Secure: it has been designed from the ground up with a secure architecture that makes it highly resistant to compromise from rootkits, malware, and network attacks. Combined with its built-in support for anycasting and its non-stop DNS architecture, this allows DNS Authority to remain highly available at all times, even when under attack or during restarts.
Moreover, Secure64 DNS Authority server has built-in denial-of-service detection and mitigation, is highly resistant to injection of rootkits and malware, provides built-in support for anycast, and enables reverse DNS records on the fly. These capabilities allow the DNS Authority server to remain fully responsive during DDoS attacks, eliminate BIND security vulnerability patching, reduce the total cost of ownership because servers need no protective security appliances, and enable 99.999% service availability.
On the other side of the solution, Secure64 DNS Signer completely automates the processes required to implement DNSSEC, including key generation, key storage, key rollover, zone signing and re-signing. With DNS Signer, implementing DNSSEC zone signing is as simple as adding a single statement to the configuration file, regardless of the number of zones.
With Secure64 DNS Signer you have fully automated key management and fast, incremental zone signing, with an active or failover high availability architecture that has been FIPS 140-2 Level 2 certified. All this allows for a quick and easy DNSSEC implementation, eliminates implementation errors and scales to hundreds of thousands of zones and millions of records.