ACL
Access Control List
ACL statement
Statement in the named.conf file that defines an address-match-list to control which hosts may or may not perform certain operations on the name server.
AES
Advanced Encryption Standard is one of the symmetric algorithms adopted by the United States as an encryption standard.
ARP
Address Resolution Protocol is used to map IP addresses to hardware resources on a network.
AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.
One of the flags (- t) in dnssec-keygen syntax that indicates the required use of the generated key. AUTH refers to the ability to authenticate data, and CONF to the ability to encrypt data.
Authoritative server
Authoritative servers contain the DNS mappings, such as mappings of names to IP addresses, for all of the domains under their authoritative control. These servers are identified as the top of the authority chain for the domains they serve. They provide definitive answers to resource queries.
BIND
Berkeley Internet Name Domain
+ cd
Dig switch that sets the "checking disabled" bit on the query. You would typically use this when your validating recursive name server reports a SERVFAIL, and you need to establish if this is due to DNSSEC marking this data as bad.
cache-poisoning DNS attacks
Type of DNS attack that places incorrect data in the cache of a recursive server
clients
Clients are the entities on the network that make requests of the DNS to find the location of the desired resources.
CNAME
Canonical Name (domain name system record)
COMSEC
Communications Security
configuration file
Defines whether the name server is a master (primary) or slave (secondary) for its delegated zone or zones or a cache-only server, defines the zone or zones for which the name server has authority, and specifies which data file or files will provide zone data.
CPU
Central Processing Unit
+ dnssec
Dig switch that forces the server being queried to include the DNSSEC related data. Use in combination with the +cd to establish if data from a zone is signed at all or if you want to determine if the validity intervals on the signatures are correct.
DAA
Designated Accrediting Authority
data files
Data files describe zone operations and contain the resource records that make up the smallest unit of information available through DNS.
Denial-of-service DNS attack
A type of DNS attack in which DNS servers are flooded with requests and responses, and cannot resolve legitimate requests
DES
Data Encryption Standard
dig
Domain information groper, or dig, is a flexible tool for querying DNS name servers.
DKIM
Domain Keys Identified Mail
DNS
Domain Name System
DNSKEY
One of four resource record types added by DNSSEC that carries the public key. (DNSSEC also added RRSIG, DS, and NSEC.)
DNSKEY
Domain Name System Key
DNSSEC
Domain Name System Security Extensions
dnssec-keygen
When configuring TSIG between two servers, the command dnssec-key is used to generate the TSIG key for a pair.
DoD
Department of Defense
DoDD 8500.01E
Department of Defense Directive 8500.01E
DoDI 8500.2
Department of Defense Instruction 8500.2
domain
Each branch of the domain name system hierarchy is either a domain or a sub-domain. Domains and sub-domains are relative. Any given domain is a child to the domain above it, and a parent to the sub-domains below it.
domain name
Unique name given to a domain or sub-domain of the DNS (e.g., irs.gov).
Domain Name System
The DNS is a database that maps fully qualified domain names, or FQDN's, to IP addresses, and vice-versa (maps IP addresses to FQDN's). The DNS also stores records that facilitate other applications, such as e-mail. Many applications, including databases, web-based applications, and Instant Messenger, rely on DNS services, including mail delivery agents such as sendmail. The DNS database is distributed among multiple servers, so that no single server contains the entire set of data. The information is stored on machines that are spread logically across the DNS and geographically across the world. This allows the massive DNS database to be decentralized.
DoS
Denial of Service, a type of DNS attack
drill
A command line debugging tool
DS
One of four resource record types added by DNSSEC, Delegation Signer carries the signed hash of the key. (DNSSEC also added RRSIG, DNSKEY, and NSEC.)
DSA
An algorithm for generation of DNSSEC signatures using the Digital Signature Standard. Although DSA is generally recommended for US Government use as a NIST standard, DSA is not commonly used for DNSSEC due to the amount of computer CPU time that is required to authenticate its signatures.
ERS
Enterprise Recursive Servers
Ethereal
GUI-based packet sniffing tool, now called Wireshark
FISMA
Federal Information Security Management Act of 2002
foundation DNS attacks
Type of DNS attack that targets the operating system of an authoritative server on which the DNS runs, and prevents the server from responding to requests effectively
Fully Qualified Domain Name
A Fully Qualified Domain Name is the unambiguous name for a resource that specifies its exact location in the DNS hierarchy (for example, www.irs.gov), or a resource on a local network (for example, workstation1.example.com).
$GENERATE
A BIND-specific directive used to create a series of resource records
HINFO
Host Information
HMAC256
Hashed Message Authentication Code Message Digest 256
HMAC-MD5
Hashed Message Authentication Code Message Digest 5
$INCLUDE
Any file identified by a $INCLUDE statement in a data file
IA
Information Assurance
IAM
Information Assurance Manager
IAO
Information Assurance Officer
ID
Identification
IETF
Internet Engineering Task Force
IP
Internet Protocol
ISSM
Information System Security Manager
ISSO
Information System Security Officer
INCLUDE statement
Statement in the named.conf file used to break the named.conf file into more easily manageable chunks
JWICS
Joint Worldwide Intelligence Communications System
KEY statement
Statement in the named.conf file that specifies a key ID used for authentication and authorization on a particular name server
KMI
Key Management Infrastructure
KMP
Key Management Policy
leaf node
The section at the end of a branch of the DNS hierarchy is referred to as a leaf node when it is a named device, such as a printer or computer.
LOGGING statement
Statement in the named.conf file that specifies how the name server will log event information by using pre-defined or user-defined channels and associating categories of event information with those channels.
+ multiline
Dig switch that structures the output of a dig so that it is easily readable. As a bonus, the keyid will be printed as a comment behind the DNSKEY RRs.
named.ca
A file that establishes the names of root servers and lists their addresses
named.conf configuration file
BIND-specific configuration file that defines whether a name server is a master (primary) or slave (secondary) for its delegated zones, or a cache-only server. This file defines the zone or zones for which the name server has authority, and specifies data files that provide zone data.
named.local
A file that specifies the local loopback interface
NAT
Network Address Translation
NIPRNET
Non-secure Internet Protocol Router Network
NIST
National Institute of Standards and Technology
NS
Name Server
NSEC
One of four resource record types added by DNSSEC that signs any gaps to assure the non-existence of a resource or domain name. (DNSSEC also added RRSIG, DNSKEY, and DS.)
nslookup
Command line tool designed for testing and troubleshooting DNS servers
NTP
Network Time Protocol
NXDOMAIN
Error code indicating that a domain does not exist
$ORIGIN
A command that changes the origin of a data file
Options statement
Statement in the named.conf file that controls global server configuration options and sets default values for other statements
packet
Any unit of data that is sent over the Internet, or any other packet switched network, between an origin and a destination. There are three main sections of a packet: a set of headers, the actual data being transmitted, and a footer.
packet-sniffing tool
Generally used to capture the data being passed between clients and servers, and to analyze traffic on your network
PKI
Public Key Infrastructure
POP
Post Office Protocol (Internet e-mail protocol)
PTR
Pointer (as used in DNS records)
query
A request for information by a client, such as "What is the IP address for this FQDN?" or "What is the FQDN for this IP address?"
Recursive server
Recursive servers are often non-authoritative servers, and are used to relay requests from clients to authoritative servers to fully resolve the request. In addition, recursive servers often keep a copy of, or cache, of the answer from the authoritative server, in case another client makes the same request.
resolv.conf
A resolver file
RR
Resource Record
RRSIG
One of four resource record types added by DNSSEC, the RRSIG carries the signature of the DNS information being sent. (DNSSEC also added DNSKEY, DS, and NSEC.)
RSA
An algorithm for public key encryption, named for its inventors (Rivest, Shamir, Adleman)
RSAMD5
An algorithm for generation of DNSSEC signatures using the RSA public-private algorithm and the MD5 hash algorithm. Previously used as the primary recommended algorithm for DNSSEC, but has been deprecated due to concerns about the vulnerability of MD5 to cryptographic attacks
RSASHA-1
An algorithm for generation of DNSSEC signatures using the RSA public-private algorithm and the SHA-1 hash algorithm. Currently, RSASHA-1 is recommended for DoD usage, because it provides the best combination of interoperability and security. Other supported algorithms include RSAMD5 and DSA.
+sigchase
Dig switch that traces the signature chain. You will also need to have a ./trusted-keys.keys or /etc/trusted-keys.keys available that contains trusted key entries. The trusted-keys.keys file, or another file of a similar name, is used to store Secure Entry Point keys (that is, trust anchors), which can be used by dig and other DNSSEC-aware interactive tools. These files can also be included in the named.conf file for a recursive DNSSEC-aware DNS server/resolver.
-S
Debugging option provided by drill to the signatures from the leaf node back to the root, looking for the relevant records
SA
System Administrator
SEP
secure entry point
SERVER statement
Statement in the named.conf file that specifies the behavior of the server when accessing or responding to the defined remote server
SHA
Secure Hash Algorithm
shared.keys
Example of a recommended file for maintaining a list of secret keys when configuring for TSIG. For security purposes, it is recommended to maintain a list of secret keys in a file other than named.conf, such as /etc/bind/shared.keys.
SIPRNET
Secret Internet Protocol Router Network
SOA
Start of Authority
SP
Special Publication
STIG
Security Technical Implementation Guides
systems administrators
Systems administrators are the people who configure, operate, maintain, and troubleshoot the hardware and software components of the DNS.
+ trace
Dig switch that traces a delegation chain. This option may be helpful if you are trying to figure out where the delegation points are.
-T
Debugging option provided by drill to follow the chain of trust from the root to the leaves. Indicates the security status
TASO
Terminal Area Security Officer
TCP/IP
Transmission Control Protocol/Internet Protocol
tcpdump
Utility that is a command-line tool for collecting and dumping data on TCP/IP networks. Most Linux distributions come with tcpdump installed by default.
TSIG
Transaction Signature
TTL
Time To Live
TXT
Text
UEM
User Experience Monitoring
URL
Uniform Resource Locator is a unique and uniform way to locate a resource, such as a file or a device, on the Internet or other network.
US COMSEC
Unites States Communications Security
\X
Indicates that a character's special meaning does not apply
ZONE statement
Statement in the named.conf file that defines a zone for which a server is authoritative, and applies options to describe how the zone functions