DNSSEC explained


DNSSEC can be seen as a security extension to otherwise insecure DNS. It adds cryptography to the protocol and builds a complete chain of trust, so that every level of the hierarchy can be verified, which gives your domain a strong layer of protection.

What is DNSSEC?

DNSSEC is an acronym for Domain Name System Security Extensions. Plain DNS is reliable and fast, but its downside is that it lacks security. Back in the days when it was created, that wasn’t much of a problem. Later on, things changed.

The purpose of DNSSEC is to stop DNS cache poisoning. If it is not activated, DNS data can be modified without the client noticing.

It works with a combination of public and private keys. That way, every upper level can verify the level below it, which builds a chain of trust. If one of the levels fails, the chain breaks, and the data can no longer be considered reliable.

Why do you need DNSSEC?

There are two major reasons to apply DNSSEC: 

  • Authentication of the data’s integrity. A significant element of DNSSEC is to check that the data hasn’t been changed in any form after leaving its origin (the authoritative server), for example by cache poisoning.
  • Authentication of the data’s origin. It is essential to know whether the zone data is coming from the correct authoritative name server. DNSSEC won’t allow redirection to malicious name servers.

What does DNSSEC do?

DNSSEC’s original purpose is to protect Internet clients from forged DNS data by verifying the digital signatures attached to that data.

The resolver verifies the digital signature when a client looks up the domain name.

When the digital signatures on the data match those published by the master (authoritative) DNS servers, the data is passed on to the client computer that made the request. The digital signature gives assurance that you are directed to the same site you wanted to visit.

To verify the data, DNSSEC uses a system of public keys and digital signatures. It simply adds new record types alongside the existing records in DNS, such as RRSIG and DNSKEY. Their purpose is to digitally “sign” a domain using a method called public-key cryptography.

A signed name server holds a public and private key pair for each zone. When a user makes a request, the server sends data signed with its private key, and the receiver verifies it with the public key. If a third party attempts to send forged information, that information won’t verify with the public key, so the recipient will identify it as false.

How to use it? 

Most DNS hosting companies support DNSSEC, but it is not activated by default. Some domains can’t use DNSSEC at all, but almost all popular generic top-level domains and country-code top-level domains can.

To start implementing it, you have to activate it in your DNS provider’s control panel; usually you just click “enable” for each zone you want to sign. Next, you will receive a DS record (Delegation Signer) and place it where your domain is registered. That completes the chain.
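As an added example (not part of the original article), the Python script below shows what the DS record you hand to your registrar actually pins, and how a validating resolver walks the chain of trust from a configured trust anchor down to your zone. The key tag and DS digest follow RFC 4034 and RFC 4509; all key bytes, the zone names and the in-memory `ZONES` structure are constructed placeholders, and verification of the RRSIG signatures themselves is not shown.

```python
"""Added illustration, not code from the original article: how a DS record in
the parent zone pins the child's DNSKEY, and how a resolver walks that chain.
All key bytes are constructed placeholders; RRSIG verification is omitted."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label 0x00."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); a checksum, not a hash."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (RFC 4509): SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, key: dict) -> dict:
    """Build the DS record the parent publishes for the child's key-signing key."""
    rdata = dnskey_rdata(**key)
    return {"key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}


def ds_presentation(owner: str, ds: dict) -> str:
    """Zone-file form of a DS record, e.g. 'example. IN DS 12345 13 2 <hex digest>'."""
    return (f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest'].hex()}")


def delegation_is_valid(child: str, child_keys: list, parent_ds_set: list) -> bool:
    """True if some SEP-flagged (KSK) DNSKEY of the child matches a DS held by the parent."""
    for key in child_keys:
        if not key["flags"] & 0x0001:        # SEP bit: only key-signing keys are pinned by DS
            continue
        rdata = dnskey_rdata(**key)
        tag, digest = key_tag(rdata), ds_digest(child, rdata)
        for ds in parent_ds_set:
            if (ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"]) == \
                    (tag, key["algorithm"], 2, digest):
                return True
    return False


def zone_path(name: str) -> list:
    """Ancestors from the root down: 'www.example.' -> ['.', 'example.', 'www.example.']."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate_chain(zone_name: str, zones: dict, trust_anchor: list) -> bool:
    """Walk the chain of trust: each zone's DNSKEY set must be pinned by a DS in the
    zone above (the root by the configured trust anchor). One broken link fails all."""
    path = zone_path(zone_name)
    for parent, child in zip([None] + path[:-1], path):
        ds_set = trust_anchor if parent is None else zones[parent]["ds"].get(child, [])
        if child not in zones or not delegation_is_valid(child, zones[child]["dnskeys"], ds_set):
            return False
    return True


def fake_key_bytes(label: str) -> bytes:
    """Constructed placeholder key material; a real key would come from the signer."""
    return hashlib.sha256(b"constructed placeholder: " + label.encode()).digest()


# Flags 257 = KSK (SEP bit set), 256 = ZSK; algorithm 13 = ECDSAP256SHA256.
ROOT_KSK = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": fake_key_bytes("root KSK")}
ROOT_ZSK = {"flags": 256, "protocol": 3, "algorithm": 13, "public_key": fake_key_bytes("root ZSK")}
EXAMPLE_KSK = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": fake_key_bytes("example KSK")}
EXAMPLE_ZSK = {"flags": 256, "protocol": 3, "algorithm": 13, "public_key": fake_key_bytes("example ZSK")}

ZONES = {  # constructed: the root delegates "example." and publishes its DS
    ".": {"dnskeys": [ROOT_KSK, ROOT_ZSK], "ds": {"example.": [make_ds("example.", EXAMPLE_KSK)]}},
    "example.": {"dnskeys": [EXAMPLE_KSK, EXAMPLE_ZSK], "ds": {}},
}
TRUST_ANCHOR = [make_ds(".", ROOT_KSK)]  # what a validating resolver is configured with

if __name__ == "__main__":
    print(ds_presentation("example.", ZONES["."]["ds"]["example."][0]))
    print("chain valid:", validate_chain("example.", ZONES, TRUST_ANCHOR))
```

Running it prints the DS line in the form a registrar expects and reports whether the chain validates. Changing a single byte of the child’s KSK, or leaving the DS out of the parent, makes the walk fail, which is the “chain breaks” case described above. A real validator (for example BIND’s `delv`, or dnspython’s `dns.dnssec` module) performs the same DS-to-DNSKEY matching and additionally checks the RRSIG signatures over each record set.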
