Commit 6d42e18

Refine DNSSEC documentation and NSEC details
Clarified the explanation of NSEC and updated the note about Azure DNSSEC implementation.
1 parent 223351a commit 6d42e18

1 file changed

Lines changed: 3 additions & 3 deletions

articles/dns/dnssec.md

@@ -68,7 +68,7 @@ The type of DNS resource record that is spoofed depends on the type of DNS hijac
6868

6969
DNSSEC works to prevent DNS hijacking by performing validation on DNS responses. In the DNS hijacking scenario pictured here, the client device can reject non-validated DNS responses if the contoso.com domain is signed with DNSSEC. To reject non-validated DNS responses, the client device must enforce [DNSSEC validation](#dnssec-validation) for contoso.com.
7070

71-
DNSSEC includes a VRF-based mechanism defined in [RFC 9824](https://www.rfc-editor.org/rfc/rfc9824.html), to prevent zone enumeration. Zone enumeration, also known as zone walking, is an attack whereby an attacker attempts to build a list of all names in a zone, including child zones. **RFC 9824 NSEC mitigates this by using verifiable random functions (VRFs) to provide authenticated denial of existence without exposing the entire zone**.
71+
DNSSEC includes a VRF-based mechanism defined in [RFC 9824](https://www.rfc-editor.org/rfc/rfc9824.html), to prevent zone enumeration. Zone enumeration, also known as zone walking, is an attack whereby an attacker attempts to build a list of all names in a zone, including child zones.
7272

7373
Before you sign a zone with DNSSEC, be sure to understand [how DNSSEC works](#how-dnssec-works). When you are ready to sign a zone, see [How to sign your Azure Public DNS zone with DNSSEC](dnssec-how-to.md).
7474
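Review bot: the new line 71 still opens with "DNSSEC includes a VRF-based mechanism defined in RFC 9824" while the hunk deletes the only sentence that explained what that mechanism does, so the reader is left with an unexplained assertion about verifiable random functions. Either keep a one-sentence statement of how RFC 9824 provides authenticated denial of existence without exposing the rest of the zone, or drop "VRF-based" so the paragraph does not assert a construction it no longer explains; in either case confirm against the RFC text that it actually specifies a VRF-based construction, since the commit message says the NSEC explanation was "clarified" but the remaining wording and the removed wording now disagree on what to claim. Minor: "mechanism defined in [RFC 9824](...), to prevent zone enumeration" has a stray comma before "to prevent".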

@@ -133,12 +133,12 @@ The following table provides a short description of DNSSEC-related records. For
133133
| Resource record signature (RRSIG) | A DNSSEC resource record type that is used to hold a signature, which covers a set of DNS records for a particular name and type. |
134134
| DNSKEY | A DNSSEC resource record type that is used to store a public key. |
135135
| Delegation signer (DS) | A DNSSEC resource record type that is used to secure a delegation. |
136-
| Next secure (NSEC) | DNSSEC resource record type defined in RFC 9824 that uses Verifiable Random Functions (VRFs) to provide authenticated denial of existence and prevent zone enumeration attacks. |
136+
| Next secure (NSEC) | DNSSEC resource record type defined in RFC 9824 provides authenticated denial of existence and prevent zone enumeration attacks. |
137137
| Child delegation signer (CDS) | This record is optional. If present, the CDS record can be used by a child zone to specify the desired contents of the DS record in a parent zone. |
138138
| Child DNSKEY (CDNSKEY) | This record is optional. If the CDNSKEY record is present in a child zone, it can be used to generate a DS record from a DNSKEY record. |
139139

140140
>[!NOTE]
141-
>Azure DNSSEC implements [RFC 9824 (NSEC)](https://datatracker.ietf.org/doc/html/rfc9824) which is the newest iteration of for authenticated denial of existence. NSEC and NSEC3 are not used by Azure DNS because they allow zone enumeration or offline dictionary attacks.
141+
>Azure DNSSEC implements [RFC 9824 (NSEC)](https://datatracker.ietf.org/doc/html/rfc9824) which is the newest iteration of for authenticated denial of existence. The older iterations of NSEC and NSEC3 are not used by Azure DNS because they allow zone enumeration or offline dictionary attacks.
142142
143143
### View DNSSEC-related resource records
144144
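Review bot: the new line 136 is ungrammatical: "DNSSEC resource record type defined in RFC 9824 provides authenticated denial of existence and prevent zone enumeration attacks" is missing a relative pronoun and has a verb-agreement error; suggest "A DNSSEC resource record type that provides authenticated denial of existence and prevents zone enumeration attacks", matching the "A DNSSEC resource record type that ..." phrasing of the RRSIG, DNSKEY and DS rows above it. The new line 141 still reads "the newest iteration of for authenticated denial of existence"; drop the "of". More substantively, line 141 now says Azure implements "RFC 9824 (NSEC)" and in the next sentence that "the older iterations of NSEC and NSEC3 are not used by Azure DNS", which reads as a contradiction: NSEC is the record type named in the table row on line 136, so the note should distinguish the record type from the denial-of-existence method that RFC 9824 specifies, for example "Azure DNS uses the RFC 9824 method for authenticated denial of existence rather than traditional NSEC or NSEC3 chains, because those allow zone enumeration or offline dictionary attacks."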
