Date First Published: 9th June 2022
Topic: Computer Networking
Subtopic: Internet Protocols
Article Type: Computer Terms & Definitions
Difficulty: Advanced (Difficulty Level: 10/10)
Learn more about what DNSSEC is in this article.
DNSSEC stands for Domain Name System Security Extensions. It is a set of extensions to DNS that adds a layer of authentication to the DNS lookup and resolution process. The records that map domain names to IP addresses (and every other record set in a signed zone) carry a cryptographic signature: the zone operator creates the signature with a private key, and resolvers check it with the matching public key, which is published in the zone itself.
Even though DNSSEC is not required, it is recommended to configure it. Nameservers that support it must be used in order for it to be configured. Enabling DNSSEC may be easier when using a DNS provider's own nameservers, as all that may be required is ticking a checkbox. However, if a custom nameserver is used, one or more DS records may need to be created manually at the registrar so that they are published in the parent zone. Afterwards, it may take a few hours for DNSSEC validation to take effect, as the parent zone has to publish the DS records and previously cached records have to expire.
Originally, when DNS was developed in the 1980s, it had little security. Each time an IP address is requested from a nameserver using a standard DNS query, the resolver assumes that whatever answer arrives first is valid. This allowed an attacker to impersonate a nameserver by spoofing its IP address in forged responses, an attack known as DNS cache poisoning. A forged response could redirect domain names to the wrong servers and cause DNS requests to be incorrectly resolved.
The aim of DNSSEC is to protect users against fake DNS information by verification of cryptographic signatures. When a user enters a domain name into their web browser, a validating resolver verifies the signatures on the records it receives. It is the DNS records themselves, not the individual queries, that are signed: each record set in a signed zone is signed with the zone's private key, and the signature is published alongside the records in an RRSIG record. The zone operator generates the key pair and keeps the private key secret; the public key is published in the zone's 'DNSKEY' record, and a hash of that key is published as a DS record in the parent zone, which is how the chain of trust from the root zone downwards is built. If DNSSEC is enabled for a domain name and the resolver validates, visitors can be sure that the DNS answer they received is the one the zone operator published. DNSSEC alone does not prove that the server they then connect to is the genuine site; that is the job of TLS certificates.
Every response from a signed zone carries records together with signatures made with the zone's private key. The validating resolver checks each signature with the zone's public key. If a third party sends fake records, it cannot produce a valid signature without the private key, so the signature check fails and the resolver discards the answer instead of passing it on to the user.
DNSSEC does not protect sensitive information from being intercepted, as HTTPS does, because it does not encrypt DNS traffic. It provides authenticity and integrity only: it carries the keys and signatures needed to prove that DNS information is genuine and, through NSEC and NSEC3 records, to prove that a requested name or record type genuinely does not exist (authenticated denial of existence).
Two types of keys are stored as DNSKEY records and are used by DNSSEC: the Zone Signing Key (ZSK), which signs the record sets in the zone, and the Key Signing Key (KSK), which signs the DNSKEY record set itself and is the key referenced by the DS record in the parent zone.
The DS (Delegation Signer) record, published in the parent zone, contains a cryptographic hash (digest) of the child zone's KSK DNSKEY record rather than the key itself, together with metadata about the key: its key tag, the signature algorithm it uses and the digest type used to produce the hash. A validating resolver hashes the DNSKEY it receives from the child zone and compares the result with the DS record; if they do not match, the chain of trust is broken and the zone's data is treated as bogus.
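As an added worked example (not code from the original article), the following Python script builds a DNSKEY record's RDATA, computes its key tag (RFC 4034 Appendix B), derives the DS record a registrar would publish in the parent zone (a digest over the canonical owner name and the DNSKEY RDATA), and performs the check a validating resolver does at a delegation: recomputing the digest of the child's DNSKEY and comparing it with the parent's DS, so that a substituted key is rejected. The owner name, flags and the 64-byte public key are constructed sample values, not a real key for any zone; verification of the RRSIG signatures themselves needs a cryptographic library and is not shown here.

```python
import hashlib
import hmac

# Digest types defined for DS records (RFC 4034, RFC 4509, RFC 6605).
# Type 1 (SHA-1) is kept only so that old DS records can be checked;
# do not publish new DS records with it.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample key for the walkthrough. It is NOT the real key of
# example.com, and the 64 "public key" bytes are a placeholder, not a valid
# P-256 point.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS = 257        # Zone Key bit (256) + Secure Entry Point bit (1): a KSK
SAMPLE_PROTOCOL = 3       # always 3 for DNSSEC
SAMPLE_ALGORITHM = 13     # ECDSAP256SHA256
SAMPLE_PUBKEY = bytes(range(64))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    by its length, terminated by the zero-length root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def is_ksk(flags: int) -> bool:
    """A KSK has both the Zone Key flag (bit 7) and the SEP flag (bit 15) set."""
    return flags & 0x0101 == 0x0101


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY
    RDATA used to tell keys apart quickly. It is an identifier, not a
    security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    h = DIGEST_TYPES[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.digest()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = 2) -> dict:
    """Build the DS record the registrar would publish in the parent zone."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type).hex().upper(),
    }


def ds_presentation(ds: dict) -> str:
    """Zone-file text form: '<key tag> <algorithm> <digest type> <hex digest>'."""
    return f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """The check a validating resolver makes at a delegation: recompute the
    digest of the child's DNSKEY and compare it, in constant time, with the
    DS record obtained from the parent zone."""
    if ds["algorithm"] != rdata[3] or ds["key_tag"] != key_tag(rdata):
        return False
    expected = ds_digest(owner, rdata, ds["digest_type"]).hex().upper()
    return hmac.compare_digest(expected, ds["digest"])


if __name__ == "__main__":
    genuine = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    print("DS to publish at the parent:", ds_presentation(ds))
    print("matches genuine DNSKEY:", ds_matches_dnskey(ds, SAMPLE_OWNER, genuine))
    # An attacker who substitutes their own key cannot make the parent's DS match it.
    forged = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, bytes(64))
    print("matches forged DNSKEY:", ds_matches_dnskey(ds, SAMPLE_OWNER, forged))
```

Because the digest is computed over the lowercased wire-format owner name, the same DS matches whether the child's DNSKEY is queried as example.com or EXAMPLE.COM; and because the key tag is only a checksum, the digest comparison, not the key tag, is what actually rejects a substituted key.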