Isingeniso esihle sezinsongo ezihlobene ne-DNS sinikezwa ku- RFC3833 . Ngokuyinhloko i-DNSSEC ingenye yezindlela zokuqinisekisa ukuthi iseva oyixhumanayo isemthethweni ngempela. Kodwa-ke, ungqimba olulodwa kuphela lwezokuphepha futhi alwanelisi ngokwalo: aluvimbeli ukuphindisela umzila wethrafikhi yakho kwenye indawo noma ukuhumusha amaphakethe ukuthi awabetheliwe.
Ububi obukhulu be-DNS kulezi zinsuku ukuthi kumele ixhaswe kuzo zombili izinhlangothi. Ayenzi i-DNS yakho ivikeleke kakhulu uma ingafakwanga ohlangothini lweklayenti, nayo. Isibonelo, iziphequluli zewebhu azihloli i-DNSSEC ngaphandle kweziqinisekisi zenkampani yangaphandle ezifana ne- DNSSEC / TLSA Validator evela ku-CZ.NIC.
I-DNSSEC isethunzini lezitifiketi ze-SSL njengoba i-SSL ixazulula okuningi okuningi izinkinga kune-DNSSEC. Inkinga eyodwa Izitifiketi ze-SSL ezingazixazululi Iziphathimandla Zesitifiketi esinamandla noma isiqinisekiso esingalungile sobunikazi ngesikhathi sokuthola isitifiketi, okungaholela ekutheni isitifiketi esivumelekile nesiboshwe ngamaketanga sinikezwe izinhlangano ezingalungile. Lokhu kungaba isibonelo esisodwa obukade usifuna.
Ngakho-ke, ukuhlanganiswa kwe-DNSSEC ne-SSL kwenza kube nzima ukwenza izitifiketi zomgunyathi. Ngerekhodi le- TLSA endaweni esayiniwe ye-DNSSEC isitifiketi kumele sigunyazwe ngamaketanga amabili azimele. Mancane amathuba okuthi iqembu elinamandla likwazi ukufinyelela kuzo zombili. Uma usebenzisa zombili futhi uphoqa amakhasimende akho ukuthi azidinge, usebenzisa i-DNSSEC ngendlela ewusizo.
Ngingasho ukuthi empeleni kubila kulokho osukushilo.
Uma une-DNSSEC eyenziwe kuzo zombili izinhlangothi (isixazululi esivumayo nendawo esayiniwe), lapho-ke i-DNSSEC ivimbela umuntu maphakathi ekushintsheni impendulo ngaphandle kokutholwa kanye nokugwema ubungozi bokuthi umhlaseli ongeyona iMITM anganqoba lokho, ngemininingwane engagunyaziwe, umjaho olula wokuqagela i-port kanye ne-ID yokuthengiselana ngaphambi kokuba impendulo yangempela ifike.
Ukuba nedatha eqinisekiswe kahle futhi kwenza ukuthi kube nokwenzeka ukusetshenziswa kwe-DNS ngezinto ezingezekile ezethembele nakakhulu ekwazini ukuyethemba idatha, njenge- DANE ( TLSA
) , izigxivizo zeminwe ze-SSH ( SSHFP
) , njll.