ACL Access Control List ACL statement Statement in the named.conf file that defines an address-match-list to control which hosts may or may not perform certain operations on the name server. AD Active Directory AES Advanced Encryption Standard is one of the symmetric algorithms adopted by the United States as an encryption standard. ARP Address Resolution Protocol is used to map IP addresses to hardware resources on a network. Asymmetric Cryptography As used in DNS, asymmetric cryptography uses a private key to sign data, and the corresponding public key is used to verify the signature. In one frequent example of asymmetric cryptography, User A can encrypt a message with the public key for User B, and only User B can decrypt it using his/her private key. AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. One of the flags (- t) in dnssec-keygen syntax that indicates the required use of the generated key. AUTH refers to the ability to authenticate data, and CONF to the ability to encrypt data. Authenticity Refers to verification that data is published by a zone's actual authoritative server. See integrity for related information. Authoritative Server Authoritative servers contain the DNS mappings, such as mappings of names to IP addresses, for all of the domains under their authoritative control. These servers are identified as the top of the authority chain for the domains they serve. They provide definitive answers to resource queries.

BIND Berkeley Internet Name Domain Blackhole Blackholing of DNS traffic refers to redirecting DNS query traffic to an unused IP address, in order to prevent malicious use of DNS for command, control, and communications (also referred to as botnet). See sinkhole for related information.

+ cd Dig switch that sets the "checking disabled" bit on the query. You would typically use this when your validating recursive name server reports a SERVFAIL, and you need to establish if this is due to DNSSEC marking this data as improper. Cache-poisoning DNS Attacks Type of DNS attack that places incorrect data in the cache of a recursive server Clients Clients are the entities on the network that make requests of the DNS to find the location of the desired resources. CNAME Canonical Name (domain name system record) COMSEC United States Communications Security Configuration File Defines whether the name server is a master (primary) or slave (secondary) for its delegated zone or zones or a cache-only server, defines the zone or zones for which the name server has authority, and specifies which data file or files will provide zone data. CPU Central Processing Unit

+ dnssec Dig switch that forces the server being queried to include the DNSSEC related data. Use in combination with the +cd to establish if data from a zone is signed at all or if you want to determine if the validity intervals on the signatures are correct. Daemon Processes that run in the background and perform specific functions at specified times or in response to specific events (for example, email handlers and printer spoolers). Data Files Data files describe zone operations and contain the resource records that make up the smallest unit of information available through DNS. Data Replacement DNS Attack Also called spoofing, type of DNS attack that Replaces a legitimate IP address with an incorrect one. As a result, when users enter a URL, they are connected with a fraudulent web site or resource. Denial-of-Service DNS Attack Type of DNS attack in which DNS servers are flooded with requests and responses, and cannot resolve legitimate requests. (See intentional crashing for related information.) DES Data Encryption Standard Dig Domain information groper, or dig, is a flexible tool for querying DNS name servers. DKIM Domain Keys Identified Mail DNS Domain Name System DNSKEY Domain Name System Key is one of four resource record types added by DNSSEC that carries the public key. (DNSSEC also added RRSIG, DS, and NSEC.) DNSSEC Domain Name System Security Extensions use signatures generated with a public/private key algorithm to verify data authenticity and integrity. dnssec-keygen When configuring TSIG between two servers, the command dnssec-key is used to generate the TSIG key for a pair. DoD Department of Defense DoDD 8500.01E Department of Defense Directive 8500.01E DoDI 8500.2 Department of Defense Instruction 8500.2 Domain Each branch of the domain name system hierarchy is either a domain or a sub-domain. Domains and sub-domains are relative. Any given domain is a child to the domain above it, and a parent to the sub-domains below it. Domain Name Unique name given to a domain or sub-domain of the DNS (e.g., irs.gov). Domain Name System The DNS is a database that maps fully qualified domain names, or FQDN's, to IP addresses, and vice-versa (maps IP addresses to FQDN's). The DNS also stores records that facilitate other applications, such as e-mail. Many applications, including databases, web-based applications, and Instant Messenger, rely on DNS services, including mail delivery agents such as sendmail. The DNS database is distributed among multiple servers, so that no single server contains the entire set of data. The information is stored on machines that are spread logically across the DNS and geographically across the world. This allows the massive DNS database to be decentralized. DoS Denial of Service Double-Signing Rollover Method Method used during the KSK overlap period to sign a zone, with both the KSK about to expire and the new KSK. (See pre-publish method for related information.) Drill A command line debugging tool DS One of four resource record types added by DNSSEC, Delegation Signer carries the signed hash of the key. (DNSSEC also added RRSIG, DNSKEY, and NSEC.) DSA An algorithm for generation of DNSSEC signatures using the Digital Signature Standard. Although DSA is generally recommended for US Government use as a NIST standard, DSA is not commonly used for DNSSEC due to the amount of computer CPU time that is required to authenticate its signatures.

EDNS0 Extension mechanisms for DNS (version zero) ERS Enterprise Recursive Service Ethereal GUI-based packet sniffing tool, now called Wireshark

FDDI Fiber Distributed Data Interface FISMA Federal Information Security Management Act of 2002 foundation DNS attacks Type of DNS attack that targets the operating system of an authoritative server on which the DNS runs, and prevents the server from responding to requests effectively (See denial-of-service, cache-poisoning, packet interception, and data replacement or spoofing for related information.) FQDN Fully Qualified Domain Name Fragmentation Offset Value used to help reconstruct a fragmented packet Fully Qualified Domain Name A Fully Qualified Domain Name is the unambiguous name for a resource that specifies its exact location in the DNS hierarchy (for example, www.irs.gov), or a resource on a local network (for example, workstation1.example.com).

$GENERATE A BIND-specific directive used to create a series of resource records

HINFO Host Information HMAC256 Hashed Message Authentication Code Message Digest 256 HMAC-MD5 Hashed Message Authentication Code Message Digest 5

$INCLUDE Any file identified by a $INCLUDE statement in a data file IA Information Assurance IAM Information Assurance Manager IAO Information Assurance Officer ICMP Internet Control Message Protocol ID Identification IETF Internet Engineering Task Force IGMP Internet Group Management Protocol INCLUDE statement Statement in the named.conf file used to break the named.conf file into more easily manageable chunks Integrity Verification that data being received is the same as the data that was published. (See authenticity for related information.) Intentional Crashing DNS Attack Type of DNS attack that Intercepts a DNS packet en route to a server and returns a response designed to crash the resolver. This type of attack may be confused with a denial-of-service attack, since both prevent the name server from resolving the request. However, intentional crashing attacks take advantage of bugs to crash resolvers, whereas denial-of-service attacks are generally brute-force attacks that overload the network with requests and responses. (See denial-of-service for related information.) IP Internet Protocol IPv4 Current internet address protocol that consists of a series of four numbers from 0 to 255, representing 32 bits of address data (which is over 4.2 billion possible addresses). IPv6 Newer internet address protocol that consists of eight sets of numbers representing 128 bits of address data, which is over 3.4 times 10 to the 38th power possible addresses. ISSM Information System Security Manager ISSO Information System Security Officer

JWICS Joint Worldwide Intelligence Communications System

Key Effectivity Period The key effectivity period is the time span during which a particular DNSSEC key is in effect. The keys themselves do not contain any information about their effectivity period-the effectivity period must be set and tracked by administrators based on policy. KEY Statement Statement in the named.conf file that specifies a key ID used for authentication and authorization on a particular name server KMI Key Management Infrastructure KMP Key Management Policy KSK Key Signing Keys are a type of DNSSEC key pair used to sign one or more zone signing keys (ZSKs) for a zone. KSKs normally have a relatively long effectivity period (several months to a year) than ZSKs. The public part of a KSK pair can be configured as a Secure Entry Point to allow validation of keys and signatures in that zone and child zones.

Leaf Node The section at the end of a branch of the DNS hierarchy is referred to as a leaf node when it is a named device, such as a printer or computer. LOGGING Statement Statement in the named.conf file that specifies how the name server will log event information by using pre-defined or user-defined channels and associating categories of event information with those channels.

+ multiline Dig switch that structures the output of a dig so that it is easily readable. As a bonus, the keyid will be printed as a comment behind the DNSKEY RRs.

Name Chaining DNS Attack Type of DNS attack that replaces the additional section of an intercepted packet with other information. When the resolver receives the packet, it mistakenly accepts the improper information, and stores it in its cache. As a result, the improper data can be propagated throughout the DNS whenever the resolver returns its response. named.ca A file that establishes the names of root servers and lists their addresses named.conf configuration file BIND-specific configuration file that defines whether a name server is a master (primary) or slave (secondary) for its delegated zones, or a cache-only server. This file defines the zone or zones for which the name server has authority, and specifies data files that provide zone data. named.local A file that specifies the local loopback interface NAT Network Address Translation NIPRNET Non-secure Internet Protocol Router Network NIST National Institute of Standards and Technology NS Name Server NSEC One of four resource record types added by DNSSEC that signs any gaps to assure the non-existence of a resource or domain name. (DNSSEC also added RRSIG, DNSKEY, and DS.) Nslookup Tool for testing and troubleshooting DNS servers, which can be used non-interactively from the command line to issue simple queries, or interactively from a shell for more complex queries. NTP Network Time Protocol NXDOMAIN Error code indicating that a domain does not exist

$ORIGIN A command that changes the origin of a data file Options statement Statement in the named.conf file that controls global server configuration options and sets default values for other statements OS Operating System

Packet Any unit of data that is sent over the Internet, or any other packet switched network, between an origin and a destination. There are three main sections of a packet: a set of headers, the actual data being transmitted, and a footer. Packet Capture Tool Tool that allows the complete capture of traffic that is traveling between networked computers. Generally used to capture the data being passed between clients and servers, and to analyze traffic on your network Packet Interception DNS Attack Type of DNS attack that intercepts queries in DNS packets between the sender and the destination. Packet-Sniffing Tool Refer to packet capture tool Path MTU For any network path, there is a maximum transfer unit size, or MTU, that is derived from a combination of hardware capabilities, protocol limitations, and local configuration. Any packet larger than this MTU size must be fragmented. Common MTUs for LANs are on the order of 1500 bytes for conventional Ethernet or 9000 bytes for "jumbo" packets. WANs often have much different constraints on their MTUs. PKI Public Key Infrastructure POP Post Office Protocol (Internet e-mail protocol) Pre-Publish Method Involves publishing a new ZSK prior to the actual rollover from the current ZSK. Method allows new keys to be pre-staged, cached, and available when older keys are no longer effective. (See double-signing rollover method for related information.) Private key Private keys are used to generate cryptographic signatures for zone data. In DNSSEC, pairs of public and private keys combine with data signature records (RRSIGs) and Delegation Signer (DS) records to establish a chain of trust down the DNS data hierarchy. Protocol Type of packet (for example, TCP, UDP, ICMP, IGMP) PTR Pointer (as used in DNS records) Public key Public keys are published within zones. In DNSSEC, pairs of public and private keys combine with data signature records (RRSIGs) and Delegation Signer (DS) records to establish a chain of trust down the DNS data hierarchy.

Query A request for information by a client, such as "What is the IP address for this FQDN?" or "What is the FQDN for this IP address?"

Recursive server Recursive servers are often non-authoritative servers, and are used to relay requests from clients to authoritative servers to fully resolve the request. In addition, recursive servers often keep a copy of, or cache, of the answer from the authoritative server, in case another client makes the same request. resolv.conf A resolver file RR Resource Record RRSIG One of four resource record types added by DNSSEC, the RRSIG carries the signature of the DNS information being sent. (DNSSEC also added DNSKEY, DS, and NSEC.) RSA An algorithm for public key encryption, named for its inventors (Rivest, Shamir, Adleman) RSAMD5 An algorithm for generation of DNSSEC signatures using the RSA public-private algorithm and the MD5 hash algorithm. Previously used as the primary recommended algorithm for DNSSEC, but has been deprecated due to concerns about the vulnerability of MD5 to cryptographic attacks RSASHA-1 An algorithm for generation of DNSSEC signatures using the RSA public-private algorithm and the SHA-1 hash algorithm. Currently, RSASHA-1 is recommended for DoD usage, because it provides the best combination of interoperability and security. Other supported algorithms include RSAMD5 and DSA.

+sigchase Dig switch that traces the signature chain. You will also need to have a ./trusted-keys.keys or /etc/trusted-keys.keys available that contains trusted key entries. The trusted-keys.keys file, or another file of a similar name, is used to store Secure Entry Point keys (that is, trust anchors), which can be used by dig and other DNSSEC-aware interactive tools. These files can also be included in the named.conf file for a recursive DNSSEC-aware DNS server/resolver. -S Debugging option provided by drill to the signatures from the leaf node back to the root, looking for the relevant records SA System Administrator SEP secure entry point SERVER statement Statement in the named.conf file that specifies the behavior of the server when accessing or responding to the defined remote server SHA Secure Hash Algorithm shared.keys Example of a recommended file for maintaining a list of secret keys when configuring for TSIG. For security purposes, it is recommended to maintain a list of secret keys in a file other than named.conf, such as /etc/bind/shared.keys. Signature Validity Period The signature validity period is the time span during which the signature or RRSIG corresponding to a particular resource record is valid. Sinkhole Sinkholing of DNS traffic implies redirecting the traffic to a system that is configured to act in place of the botnet controller. This requires reverse engineering of the malware, but allows computer network defense personnel to use the malware's own tools to track infections. SIPRNET Secret Internet Protocol Router Network SOA Start of Authority SP Special Publication Source Address IP address of where a DNS packet originated Spoofing Type of DNS attack, also called data replacement, that replaces a legitimate IP address with an incorrect one. As a result, when users enter a URL, they are connected with a fraudulent web site or resource. SRC Source (tcpdump abbreviation) SRV Service recource record SRVFAIL Serve fail error STIG Security Technical Implementation Guides Syslog System log Systems Administrators Systems administrators are the people who configure, operate, maintain, and troubleshoot the hardware and software components of the DNS.

+ trace Dig switch that traces a delegation chain. This option may be helpful if you are trying to figure out where the delegation points are. -T Debugging option provided by drill to follow the chain of trust from the root to the leaves. Indicates the security status TASO Terminal Area Security Officer TCP/IP Transmission Control Protocol/Internet Protocol tcpdump Utility that is a command-line tool for collecting and dumping data on TCP/IP networks. Most Linux distributions come with tcpdump installed by default. Time to Live The time to live, or TTL, is the time span during which a resolver is encouraged to cache DNS data. Transaction Authentication (see TSIG) Transaction Signature (see TSIG) Trust anchor Trust anchors are public keys that are configured into the DNS resolvers to validate the signatures of incoming data. Since zones may have multiple keys, a zone administrator designates certain keys to serve as a trust anchor for a resolver. Normally, the public half of a KSK pair is designated as the trust anchor. These trust anchors are called the Secure Entry Point keys. TSIG Transaction Signature or transaction authentication, which enables point-to-point security usually on a network. TTL Time To Live TXT Text

UDP User Datagram Protocol UEM DNS User Experience Monitor (UEM) URL Uniform Resource Locator is a unique and uniform way to locate a resource, such as a file or a device, on the Internet or other network. US COMSEC United States Communications Security

WINS Windows Internet Naming Service Wireshark Formerly known as Ethereal, this GUI-based packet-capture tool performs many of the same tasks as tcpdump.

\X Indicates that a character's special meaning does not apply

ZONE statement Statement in the named.conf file that defines a zone for which a server is authoritative, and applies options to describe how the zone functions ZSK Zone Signing Keys are a type of DNSSEC key pair used to sign data or records in a zone. ZSKs are used more often than KSKs to sign more data, and so are more susceptible to certain cryptographic-cracking attacks than KSKs. ZSKs normally have a shorter effectivity period (weeks or a month).