SK-DNSSEC Project
Introduction
The SK-DNSSEC project is about implementing the SK-DNSSEC protocol, with the purpose of securing the Domain Name System.

The Domain Name System is a service vital to the Internet. Considering the importance of DNS, it is surprising that a secure version of it is not currently deployed. Because DNS packets are not signed, a malicious party can inject, intercept or modify these packets with the intent of disrupting the DNS service. Several known threats to the DNS system are summarized in [Threats], including packet interception, packet ID guessing, query prediction and cache poisoning.

In order to have a secure DNS, two security requirements have to be met at a minimum: data origin authentication and data integrity. Currently, most of the security community's efforts to secure DNS have focused on a set of extensions to DNS, which are mainly based on public-key cryptography (PK-DNSSEC).

Unlike the PK-DNSSEC proposal, SK-DNSSEC is an extension that makes use almost exclusively of symmetric-key cryptography. SK-DNSSEC has several advantages over PK-DNSSEC:

  • Reduced CPU overhead for caching resolvers: Since PK-DNSSEC is based on public-key cryptography, it places a considerable computational burden on resolvers as they have to verify the authenticated DNS answers. SK-DNSSEC uses symmetric-key cryptography, which is computationally much lighter.
  • Considerably less network traffic: PK-DNSSEC uses public-key signatures, while SK-DNSSEC uses shorter symmetric certificates. In fact, SK-DNSSEC generates an amount of traffic close to what plain-DNS generates.
  • Lower query latency: For uncached answers, PK-DNSSEC will traverse the DNS tree twice, once to get the actual answer, and once again to get the key material required to validate the answer. SK-DNSSEC has practically the same latency as plain-DNS.
  • Simpler key management
  • Less intrusive: Unlike PK-DNSSEC, SK-DNSSEC does not require changes to the zone files, and NXT resource records are not needed.

The SK-DNSSEC protocol description can be found in the paper by Ateniese and Mangard, linked in the References section.

Details about the performance of SK-DNSSEC can be found in the paper by Curtmola, Del Sorbo and Ateniese, linked in the References section, and in the Performance section.