Authorization

Access Control

Read more about Access Control

/ˈæk.sɛs kənˌtroʊl/

noun — "governing who can use resources."

Access Control is a system or methodology used to regulate which users, processes, or devices can interact with resources within computing environments, networks, or information systems. It ensures that only authorized entities are allowed to read, write, execute, or manage specific resources, thereby protecting data integrity, confidentiality, and availability.

Technically, Access Control can be implemented through various models such as Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC). Each model defines rules or policies specifying permissions. DAC allows resource owners to assign permissions. MAC enforces policies determined by the system based on sensitivity labels. RBAC assigns permissions to roles rather than individual users, simplifying large-scale management. ABAC evaluates attributes of users, resources, and environmental conditions to make dynamic access decisions.

Core components include authentication, which verifies the identity of users or processes; authorization, which determines what operations the verified entities can perform; and auditing, which logs access attempts for compliance and forensic analysis. Access control mechanisms often integrate with cryptographic systems like EFS to enforce encryption policies at the filesystem or file level.

Operationally, when a user attempts to access a resource, the system first authenticates the identity using credentials such as passwords, tokens, or digital certificates. The access control subsystem then checks the applicable policy to determine if the requested operation is permitted. Denied operations can be logged for auditing purposes. In complex systems, access decisions may involve multiple policy checks across domains, resources, or services, sometimes using centralized directories or identity providers for coordination.

Example of access control logic (conceptual):


if user.role == 'admin' then
    permit all actions
else if user.role == 'editor' then
    permit read/write on owned files
else
    permit read-only access
end if

This example illustrates RBAC, where permissions are assigned based on the user’s role rather than the individual identity.

In practice, Access Control governs everything from operating system file permissions, network firewall rules, database privileges, API endpoints, to cloud resource policies. Proper implementation ensures that sensitive files, encrypted volumes (using FEK), and system resources are protected from unauthorized access while allowing legitimate workflows to proceed efficiently.

Conceptually, Access Control is like a security checkpoint for digital resources: each user or process must present credentials and be validated against rules before proceeding, preventing unauthorized interactions while enabling authorized operations smoothly.

See FEK, EFS, Encryption, Role-Based Access Control.

Policy

IAM

Read more about IAM

/ˈaɪ-æm/

n. “Who are you, and what are you allowed to do?”

IAM, short for Identity and Access Management, is the discipline and infrastructure that decides who can access a system, what they can access, and under which conditions. It sits quietly underneath modern computing, enforcing rules that most users never see — until something breaks, a permission is denied, or an audit comes knocking.

At its core, IAM is about identity. An identity may represent a human user, a service account, an application, a virtual machine, or an automated process. Each identity must be uniquely identifiable, verifiable, and manageable over time. Without this foundation, access control becomes guesswork, and guesswork does not scale.

Once identity is established, access comes into play. IAM systems define permissions, roles, and policies that determine which actions an identity may perform. This can range from reading a file, invoking an API, administering infrastructure, or merely logging in. Permissions are ideally granted according to the principle of least privilege — give only what is required, nothing more.

In practice, IAM is rarely a single tool. It is a framework composed of directories, authentication systems, authorization engines, and policy definitions. Enterprise environments often rely on directory services such as Active Directory or LDAP to store identities, while cloud platforms implement their own tightly integrated IAM layers.

Authentication answers the question “Who are you?” This may involve passwords, certificates, hardware keys, biometrics, or federated identity providers. Authorization answers the follow-up question “What may you do?” These are separate problems, and confusing them has historically led to security failures.

Modern IAM systems frequently integrate with protocols such as OAuth, OpenID Connect, and SAML to support single sign-on and delegated access. These allow identities to be trusted across organizational or service boundaries without sharing passwords — a hard-earned lesson from earlier internet architectures.

Cloud platforms treat IAM as a first-class control plane. In environments like AWS, Azure, and GCP, IAM policies define everything from who can spin up servers to which services may talk to each other. A misconfigured policy can expose entire environments; a well-designed one quietly prevents catastrophe.

IAM is also deeply entangled with auditing and compliance. Regulations often require proof of who accessed what, when, and why. Logs generated by IAM systems become evidence trails — sometimes boring, sometimes critical, always necessary. When breaches occur, IAM logs are among the first places investigators look.

Consider a simple example: an application needs to read data from a database. Without IAM, credentials might be hardcoded, shared, or reused indefinitely. With IAM, the application receives a scoped identity, granted read-only access, revocable at any time, and auditable by design. The problem is not solved with secrecy, but with structure.

IAM does not eliminate risk. It cannot fix weak passwords chosen by humans, nor can it compensate for poorly designed systems that trust too much. What it does provide is a coherent model — a way to express trust intentionally instead of accidentally.

In modern systems, IAM is not optional plumbing. It is the boundary between order and chaos, quietly deciding whether the answer to every access request is yes, no, or prove it first.

Authentication

NSEC3

Read more about NSEC3

/ˈɛn-ɛs-siː-θriː/

n. “Proof of nothing — without revealing the map.”

NSEC3 is a record type in DNSSEC designed to provide authenticated denial of existence while mitigating the privacy concern inherent in the original NSEC records. Unlike NSEC, which directly reveals the next valid domain name in a zone, NSEC3 hashes domain names so that the zone structure cannot be trivially enumerated, making it more resistant to zone-walking attacks.

The fundamental purpose of NSEC3 is the same as NSEC: to cryptographically prove that a requested DNS name does not exist. When a resolver queries a non-existent domain, the authoritative server responds with an NSEC3 record. The resolver uses the hash and the associated RRSIG signature to verify that the non-existence claim is authentic, without seeing the actual names in the zone.

Hashing is the key feature. Each domain name in the zone is processed with a cryptographic hash function, often with multiple iterations, producing a pseudo-random label. NSEC3 records then link these hashed labels in canonical order. When a resolver queries a name, it is hashed the same way, and the resolver checks the hashed interval against the NSEC3 record to confirm the name’s absence.

This approach solves a significant problem with plain NSEC. Original NSEC records, while providing proof of non-existence, inadvertently exposed the zone’s structure — every non-existent query returned the next valid domain. With NSEC3, attackers cannot easily enumerate all names in the zone, increasing security for sensitive domains while retaining cryptographic proof.

Consider a domain example.com with hashed labels in NSEC3. A client queries secret.example.com. The server responds with an NSEC3 record showing that the hash of secret.example.com falls between two hashed domain names, confirming non-existence. The actual names remain concealed, protecting internal structure.

NSEC3 is fully compatible with DNSSEC’s chain of trust. Resolvers use the parent zone’s DS record, the zone’s DNSKEY, and the RRSIG on the NSEC3 to verify authenticity. If any signature verification fails, the response is discarded, preventing spoofed negative responses.

While NSEC3 increases security and privacy, it also adds computational overhead. Each query requires hashing and comparison operations, and zone signing becomes slightly more complex. Despite this, the trade-off is widely accepted, and many modern DNSSEC-enabled zones use NSEC3 by default to prevent zone enumeration without sacrificing cryptographic assurances.

In short, NSEC3 is the evolution of negative proof in DNSSEC: it preserves the integrity and authenticity of non-existent domain answers while preventing attackers from easily mapping the zone, enhancing both security and privacy in the domain name system.

NSEC

Read more about NSEC

/ˈɛn-ɛs-siː/

n. “Proof of nothing — and everything in between.”

NSEC, short for Next Secure, is a record type used in DNSSEC to provide authenticated denial of existence. In plain terms, it proves that a queried DNS record does not exist while maintaining cryptographic integrity. When a resolver asks for a domain or record that isn’t present, NSEC ensures that the response cannot be forged or tampered with by an attacker.

The way NSEC works is deceptively simple. Each NSEC record links one domain name in a zone to the “next” domain name in canonical order, along with the list of record types present at that name. If a resolver queries a name that isn’t present, the authoritative server returns an NSEC proving the non-existence: the requested name falls between the current name and the “next” name listed in the record. The resolver can cryptographically verify the NSEC using the corresponding RRSIG and DNSKEY records.

This mechanism prevents attackers from silently fabricating negative responses. Without NSEC, a man-in-the-middle could claim that any nonexistent domain exists or does not exist, undermining the authenticity of DNSSEC validation. NSEC ensures that negative answers are just as verifiable as positive ones.

There are nuances. The original NSEC design exposes zone structure because it reveals the next valid domain in the zone. For sensitive zones, this can be considered an information leak, potentially aiding enumeration attacks. Later enhancements, like NSEC3, mitigate this by hashing the domain names while preserving the proof of non-existence.

An example of NSEC in action: suppose a resolver queries nonexistent.example.com. The authoritative server responds with an NSEC showing alpha.example.com → zeta.example.com. The resolver sees that nonexistent.example.com falls between alpha and zeta, confirming that it truly does not exist.

NSEC does not encrypt DNS traffic. It only guarantees that absence can be proven securely. When combined with DNSSEC’s chain of trust, NSEC ensures that both presence and absence of records are authentic, making the DNS resistant to spoofing, cache poisoning, and other attacks that rely on falsifying non-existent entries.

In modern DNSSEC deployments, NSEC and its variants are indispensable. They complete the story: every “yes” or “no” answer can be trusted, leaving no room for silent forgery in the system.

DS

Read more about DS

/ˈdiː-ɛs/

n. “The chain that links the trust.”

DS, short for Delegation Signer, is a special type of DNS record used in DNSSEC to create a secure chain of trust between a parent zone and a child zone. It essentially tells resolvers: “The key in the child zone is legitimate, signed by authority, and you can trust it.”

In DNSSEC, every zone signs its own data with its private key, producing RRSIG records. But a validating resolver needs to know whether that signature itself is trustworthy. That’s where DS comes in — it links the child’s DNSKEY to a hash stored in the parent zone.

When a resolver looks up a domain in a child zone, it starts at the parent zone, retrieves the DS record, and uses it to verify the child’s DNSKEY. Once the public key is verified against the DS, the resolver can check the RRSIG on the actual records. This process builds the chain of trust from the root down to the leaf domains.

Without DS, a child zone’s signatures would be isolated. They could prove internal integrity but wouldn’t be anchored to the larger DNS hierarchy. DS provides the glue that allows validators to trust a signed zone without needing to manually install its keys.

Consider a hypothetical domain, example.com. The .com parent zone publishes a DS record pointing to the hash of the DNSKEY used by example.com. When a client queries example.com with DNSSEC validation, the resolver fetches the DS from .com, confirms the hash matches the child DNSKEY, then trusts the RRSIGs within example.com. If the hash doesn’t match, the resolver discards the response, preventing tampered or forged data from being accepted.

DS records do not encrypt data or prevent eavesdropping. They only provide a verifiable link in the chain of trust. If an attacker can manipulate the parent zone or inject a fraudulent DS, security fails — highlighting why operational security at registries is critical.

In short, DS is the handshake between parent and child in DNSSEC, establishing that the child’s keys are legitimate and forming the backbone of secure, authenticated DNS resolution. It transforms the DNS from a fragile trust-on-first-use system into one where the chain of signatures can be validated cryptographically at every step.

RRSIG

Read more about RRSIG

/ˈɑːr-ɑːr-sɪɡ/

n. “Signed. Sealed. Verifiable.”

RRSIG, short for Resource Record Signature, is a record type used by DNSSEC to cryptographically sign DNS data. It is the proof attached to an answer — evidence that a DNS record is authentic, unmodified, and published by the rightful owner of the zone.

In classic DNS, answers arrive naked. No signatures. No verification. A resolver asks a question and trusts the response by default. DNSSEC replaces that blind trust with math, and RRSIG is where the math lives.

An RRSIG record accompanies one or more DNS records of the same type — for example, A, AAAA, MX, or TXT. It contains a digital signature generated using the zone’s private key. That signature covers the record data, the record type, and a defined validity window. Change even a single bit, and verification fails.

When a validating resolver receives DNS data protected by DNSSEC, it also receives the corresponding RRSIG. The resolver retrieves the zone’s public key from a DNSKEY record and checks the signature. If the cryptographic check passes, the data is accepted as authentic. If it fails, the response is rejected — no fallback, no warning page, no partial trust.

RRSIG records are time-bound. Each signature has an inception time and an expiration time. This prevents replay attacks where old but valid data is resent indefinitely. It also means signatures must be refreshed regularly. Let them expire, and the zone effectively disappears for validating clients.

This time sensitivity is one of the reasons DNSSEC is unforgiving. Clock skew, stale signatures, or broken automation can all result in immediate resolution failures. The system assumes that if authenticity cannot be proven, the answer must not be used.

RRSIG does not exist in isolation. It works in concert with DNSKEY to prove signatures and with DS records to link zones together into a chain of trust. From the DNS root, through TLD operators, and down to the individual domain, each layer signs the next. RRSIG is the visible artifact of that trust at every step.

Without RRSIG, DNSSEC would be little more than a promise. With it, DNS answers become verifiable statements rather than suggestions. Cache poisoning attacks, forged responses, and silent redirections lose their power when signatures are enforced.

Consider an attacker attempting to redirect traffic to a fake server. Without DNSSEC, a forged response might succeed if delivered quickly enough. With RRSIG validation enabled, the forged data lacks a valid signature and is discarded before it can do damage.

Like the rest of DNSSEC, RRSIG does not encrypt DNS traffic. Anyone can still observe queries and responses. What it guarantees is that the answers cannot be altered without detection.

RRSIG is quiet when correct and catastrophic when wrong. It either proves the data is real or ensures it is not used at all. There is no middle ground.

In a system once built entirely on trust, RRSIG is the moment DNS learned how to sign its name.

DNSKEY

Read more about DNSKEY

/ˈdiː-ɛn-ɛs-kiː/

n. “This is the key — literally.”

DNSKEY is a record type used by DNSSEC to publish the public cryptographic keys for a DNS zone. It is the anchor point for trust inside a signed domain. Without it, nothing can be verified, and every signature becomes meaningless noise.

In traditional DNS, records are answers with no proof attached. A resolver asks a question and accepts the first response that looks plausible. DNSSEC changes that by requiring cryptographic validation, and DNSKEY is where that validation begins.

A DNSKEY record contains a public key along with metadata describing how that key is meant to be used. Private keys never appear in DNS. They remain securely stored by the zone operator and are used to generate digital signatures over DNS records. The corresponding public keys are published via DNSKEY so resolvers can verify those signatures.

There are typically two categories of DNSKEY records in a zone. One is used to sign individual DNS records, and the other is used to sign the key set itself. This separation allows keys to be rotated safely without breaking the chain of trust. The details are deliberately strict — mistakes here are not tolerated.

When a resolver receives a signed DNS response, it also receives one or more RRSIG records. These signatures are checked against the public keys published in DNSKEY. If the math checks out, the data is authentic. If it does not, the response is rejected, even if the data itself looks valid.

Trust does not stop at the zone boundary. A parent zone publishes a reference to the child’s key using a DS record. This creates the DNSSEC chain of trust, starting at the root and flowing downward through TLD operators, registrars, and finally the domain itself. DNSKEY is the endpoint where that trust becomes actionable.

Mismanaging DNSKEY records is one of the fastest ways to make a domain vanish from the Internet. An expired signature, a missing key, or a mismatched parent reference causes validating resolvers to fail closed. The domain does not partially work. It simply stops resolving.

This harsh behavior is intentional. DNSSEC assumes that authenticity is more important than availability in the presence of tampering. If a resolver cannot prove the answer is correct, it prefers silence over deception.

In practical terms, DNSKEY enables protection against DNS cache poisoning, man-in-the-middle attacks, and malicious redirection. Without it, attackers can reroute traffic, intercept email, or downgrade security protocols long before TLS ever gets a chance to object.

Modern DNS tooling often automates DNSKEY generation and rotation, but the underlying mechanics remain unforgiving. Keys expire. Algorithms deprecate. Cryptographic strength must evolve. DNSKEY records must evolve with it or the zone will fail validation.

DNSKEY does not encrypt data. It does not hide queries. It exists for one purpose only: to make DNS answers provably authentic.

When DNSKEY is present and correct, DNS becomes verifiable instead of hopeful. When it is wrong, the Internet reminds you immediately — and without sympathy.

DNSSEC

Read more about DNSSEC

/ˈdiː-ɛn-ɛs-sɛk/

n. “Proves the answer wasn’t forged.”

DNSSEC, short for Domain Name System Security Extensions, is a set of cryptographic mechanisms designed to protect the DNS from lying to you. Not from spying. Not from tracking. From quietly, efficiently, and convincingly giving you the wrong answer.

The traditional DNS was built on trust. Ask a question, get an answer, move on. There was no built-in way to verify that the response actually came from the authoritative source or that it wasn’t altered in transit. If an attacker could inject a response faster than the legitimate server, the client would believe it. This class of attack — cache poisoning — was not theoretical. It happened. A lot.

DNSSEC fixes this by adding cryptographic signatures to DNS records. When a domain is signed, each critical record is accompanied by a digital signature generated using public-key cryptography. The resolver validating the response checks that signature against a known public key. If the signature matches, the data is authentic. If it does not, the response is rejected outright.

This creates a chain of trust that starts at the DNS root, flows through ICANN and IANA, continues through TLD operators, and ends at the domain itself. Each layer vouches for the next. Break the chain anywhere, and validation fails.

Importantly, DNSSEC does not encrypt DNS data. Queries and responses are still visible on the network. What it provides is authenticity and integrity — proof that the answer you received is the same answer the authoritative server intended to give. Confidentiality is handled elsewhere, often by protocols like DNS over HTTPS or DNS over TLS.

The cryptographic machinery behind DNSSEC includes key pairs, signatures, and carefully structured record types. DNSKEY records publish public keys. RRSIG records contain signatures. DS records link child zones to parent zones. Each component is boring on its own. Together, they form a system that makes silent tampering extremely difficult.

Without DNSSEC, an attacker who poisons DNS can redirect traffic to malicious servers, intercept email, downgrade security, or impersonate entire services. With DNSSEC properly deployed and validated, those attacks fail loudly instead of succeeding quietly.

Consider a user attempting to reach a secure website. Even with TLS enabled, DNS remains a weak link. If DNS is compromised, the user may never reach the real server to begin with. DNSSEC ensures the name resolution step itself is trustworthy, reducing the attack surface before encryption even begins.

Adoption of DNSSEC has been slow, partly because it requires coordination across registries, registrars, operators, and resolvers. Misconfigurations can cause domains to disappear instead of merely degrade. The system is unforgiving by design. Incorrect signatures do not limp along — they fail.

Modern validating resolvers increasingly treat DNSSEC as expected rather than optional. Many CDN providers and large platforms sign their zones by default. The Internet has learned, repeatedly, that unauthenticated infrastructure eventually becomes hostile terrain.

DNSSEC does not make the Internet safe. It makes it honest. It ensures that when the Internet answers a question about names, the answer can be proven — not merely trusted.

It is invisible when it works, merciless when it does not, and foundational in a world where the first lie is often the most damaging one.

IANA

Read more about IANA

/aɪ-ˈæn-ə/

n. “The quiet custodian of the Internet’s master keys.”

IANA, short for Internet Assigned Numbers Authority, is the organization responsible for coordinating some of the most fundamental pieces of the Internet’s infrastructure. It does not route traffic, host websites, or spy on packets. Instead, it manages the shared registries that allow the global network to function as a single, interoperable system rather than a collection of incompatible islands.

At its core, IANA maintains three critical namespaces. First, it oversees the global DNS root zone, including TLDs such as .com, .org, and country codes like .us or .jp. Second, it coordinates IP address allocation at the highest level, distributing large address blocks to regional internet registries. Third, it manages protocol parameter registries — the standardized numeric values used by protocols like TCP, IP, TLS, and countless others.

This work is largely invisible when it’s done correctly, which is precisely the point. When you type a domain name into a browser, send an email, or establish an encrypted connection, you are relying on IANA-maintained registries to ensure everyone agrees on what numbers, names, and identifiers mean. Without that shared agreement, the Internet would fragment quickly and spectacularly.

Historically, IANA began as a role rather than an institution. In the early days of the Internet, these assignments were handled informally by Jon Postel, who acted as a trusted coordinator for protocol numbers and names. As the network grew beyond academia and research labs, that informal trust model needed structure. IANA eventually became institutionalized and today operates under the stewardship of ICANN, while remaining functionally separate and intentionally conservative in its mandate.

Importantly, IANA does not decide policy. It implements policy developed through open, consensus-driven processes in technical and governance bodies. When a new TLD is approved, IANA performs the root zone changes. When a new protocol extension is standardized, IANA records the assigned values. It executes. It does not editorialize.

The security implications of this role are enormous. Control of the DNS root or protocol registries would effectively grant influence over global routing, naming, and trust mechanisms. For this reason, IANA operations are intentionally boring, heavily audited, and designed to minimize discretion. Flashy innovation happens elsewhere. Stability lives here.

A useful way to think about IANA is as the librarian of the Internet. It doesn’t write the books, argue about their contents, or decide which ideas are best. It simply ensures that every reference number, name, and identifier points to the same thing everywhere in the world — yesterday, today, and tomorrow.

When IANA is functioning properly, nobody notices. When it isn’t, the Internet stops agreeing with itself. That silence is not neglect. It’s success.

Internet

Standards