Domain Name System Security Extensions (DNSSEC)

Diagram of the operation of the Domain Name System Security Extensions


Preface

If you want to understand more about DNS before reading this article, please read our article “Domain Name System (DNS) – What is that?” for more details.

Introduction

Whenever you use the Internet, you might not know it, but you use the Domain Name System (DNS). Whether using email, a website, a phone app, or a VPN connection, you use the DNS. The Domain Name System Security Extensions (DNSSEC) are a way to ensure the integrity of the information in the DNS.

DNS has lots of easily accessible information, but how good is it?

Information is distributed (copied) to many name servers worldwide to make the Domain Name System robust and reliable. A distributed system means many copies of the domain information records, but how do we know those copies are correct? How do we know the information was copied from a reputable source? How do we know the information is the same as provided by the domain owner and hasn’t been altered by a bad actor?

What is DNSSEC?

DNSSEC is a set of extensions for securing data exchanged in the Domain Name System. DNSSEC is designed to protect the integrity of DNS data. The records a signed zone publishes are digitally signed, so anyone who receives them in a DNS answer can confirm that the information is identical to the original information published by the domain owner. Signing the original information published by the domain owner establishes a root of trust for the information.

What does DNSSEC NOT do?

DNSSEC does not provide data confidentiality. It authenticates that responses are correct but does not encrypt the data. It does not directly protect against Denial of Service (DoS) attacks.

How does DNSSEC work?

DNSSEC digitally signs DNS records using public-key cryptography. Anyone who receives a signed record can use the corresponding public key to confirm that it is authentic. Domain owners generate their keys and upload the public key to their domain name registrar, who passes it to the zone operator of the parent zone, who signs and publishes it in the DNS. The chain of trust begins with the DNS root zone and is passed to the zone operators (.com, .org, etc.) and then to the domain owners. Since the keys are signed at each level, their authenticity is confirmed all the way down from the root.
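The chain of trust described above, reduced to its essentials, as an added example that is not part of the original article. It models three levels (root, a TLD, a domain): each parent signs a digest of its child's public key, the domain signs its own record, and a validating resolver walks from the root's public key (its trust anchor) down to the record. Ed25519 and a SHA-256 digest are assumptions standing in for whatever algorithms a real zone uses, the record layout is simplified, and the `www.example.com` record is a constructed sample; the program is a model of the idea, not of the real DNSSEC wire formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone stands in for one level of the DNS hierarchy (root, a TLD such as .com,
// or a domain). Each zone holds a key pair; the private half never leaves it.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Record is one DNS resource record plus the signature made over it.
type Record struct {
	Owner, Type, Data string
	Sig               []byte
}

// Delegation is what a parent publishes about a child: a digest of the
// child's public key, signed with the parent's own key.
type Delegation struct {
	Child     string
	KeyDigest [sha256.Size]byte
	Sig       []byte
}

// Hop pairs a parent's Delegation with the public key the child itself publishes.
type Hop struct {
	DS       Delegation
	ChildKey ed25519.PublicKey
}

// NewZone generates a fresh key pair for a zone (assumed algorithm: Ed25519).
func NewZone(name string) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, Pub: pub, priv: priv}, nil
}

// canonical is the byte string that gets signed; changing owner, type or data
// changes these bytes and therefore invalidates the signature.
func canonical(r Record) []byte {
	return []byte(r.Owner + "\x00" + r.Type + "\x00" + r.Data)
}

// SignRecord returns a copy of r carrying this zone's signature.
func (z *Zone) SignRecord(r Record) Record {
	r.Sig = ed25519.Sign(z.priv, canonical(r))
	return r
}

// Delegate vouches for a child zone by signing a digest of its public key.
func (z *Zone) Delegate(child *Zone) Delegation {
	d := sha256.Sum256(child.Pub)
	return Delegation{Child: child.Name, KeyDigest: d, Sig: ed25519.Sign(z.priv, d[:])}
}

// VerifyChain does the validating resolver's job: starting from the configured
// trust anchor (the root public key), check each hop downward, then the record.
func VerifyChain(anchor ed25519.PublicKey, hops []Hop, rec Record) error {
	cur := anchor
	for _, h := range hops {
		if !ed25519.Verify(cur, h.DS.KeyDigest[:], h.DS.Sig) {
			return fmt.Errorf("delegation for %q is not signed by its parent", h.DS.Child)
		}
		if sha256.Sum256(h.ChildKey) != h.DS.KeyDigest {
			return fmt.Errorf("published key for %q does not match the parent's digest", h.DS.Child)
		}
		cur = h.ChildKey
	}
	if !ed25519.Verify(cur, canonical(rec), rec.Sig) {
		return errors.New("record signature does not verify: data altered or key not in the chain")
	}
	return nil
}

func main() {
	root, _ := NewZone(".")
	com, _ := NewZone("com")
	example, _ := NewZone("example.com")
	hops := []Hop{
		{DS: root.Delegate(com), ChildKey: com.Pub},
		{DS: com.Delegate(example), ChildKey: example.Pub},
	}
	// Constructed sample record; 192.0.2.1 is a documentation address.
	rec := example.SignRecord(Record{Owner: "www.example.com", Type: "A", Data: "192.0.2.1"})
	fmt.Println("genuine record:", VerifyChain(root.Pub, hops, rec))

	tampered := rec // same signature, altered data: fails
	tampered.Data = "192.0.2.99"
	fmt.Println("altered record:", VerifyChain(root.Pub, hops, tampered))

	rogue, _ := NewZone("example.com") // a key no parent has vouched for: fails
	forged := rogue.SignRecord(Record{Owner: "www.example.com", Type: "A", Data: "192.0.2.99"})
	fmt.Println("record signed by unvouched key:", VerifyChain(root.Pub, hops, forged))
}
```

The three checks in `main` are the point of the exercise: a record is accepted only if its data is unchanged and it was signed by a key that every level above it, back to the trust anchor, has vouched for. Nothing here is encrypted; the resolver reads every record in the clear, which is exactly the integrity-only property the previous section describes.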

Glossary

  • DNSSEC – Domain Name System Security Extensions
  • DNS – Domain Name System
  • VPN – Virtual Private Network
  • DoS – Denial of Service
