Do you already know what DNS is? I talked about it recently, so now we will explore one of its problems: security. DNS was created almost 50 years ago, when the internet was young and small. Now it needs a patch, and here it comes: DNSSEC. DNSSEC is the fix that can secure the DNS information travelling around the internet.
What is DNSSEC?
DNSSEC is a security extension for DNS (Domain Name System Security Extensions). It adds cryptographic authentication to the DNS data that travels across the internet, proving both the source of that data and its integrity.
How does DNSSEC work?
You should use DNSSEC because it fixes security issues that come from the nature of DNS itself. Its design was made with practicality, not security, in mind, so it needed a new layer of protection on top.
It wasn't long after the beginning of DNS that IT specialists saw its problems. The Internet Engineering Task Force (IETF), the same organization that created DNS, started working on a fix in the 90s.
The solution was an authentication process based on digital signatures with public-key cryptography, called DNSSEC. Its purpose is to let the owner of a DNS service cryptographically sign the DNS data they hold. Note that this covers the DNS data, not the DNS queries themselves.
For this purpose, each DNS zone needs a key pair: a public key and a private key.
The owner uses the private key to sign the data in the zone.
The public key is published in the zone itself, where it is publicly visible.
Every recursive server that needs to check data from the zone fetches this public key and uses it to validate the authenticity of the DNS data. If validation succeeds, the data is accepted; if not, the recursive server returns an error to the user.
The zone data inside the authoritative server also needs to prove its authenticity. Its public key is signed not by its own private key but by the authority above it: the parent's private key. Only the root zone has nobody above it to sign its key; it is the starting point of the chain of trust that DNSSEC builds.
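The chain of trust just described, as an added illustration that is not part of the original article: a constructed Go model of three zones (root, com. and example.com.) in which each owner signs its zone with a private key, each parent publishes a DS digest of its child's DNSKEY (the step you do at your registrar), and a validating resolver walks down from the root trust anchor. The zone names, record lines and the canonical serialisation are simplified stand-ins, not real DNSSEC wire formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a constructed, simplified model of a DNSSEC-signed zone: its DNSKEY (Pub),
// its data, the DS digests it publishes for child zones, and one RRSIG over all of it.
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	Records []string          // zone data, e.g. "www.example.com. A 203.0.113.7"
	DS      map[string]string // child zone name -> hex SHA-256 of the child's DNSKEY
	RRSIG   []byte
}

// signedData stands in for the RFC 4034 canonical form; fmt prints maps with sorted
// keys, so signer and verifier serialise the zone identically.
func (z *Zone) signedData() []byte { return []byte(fmt.Sprint(z.Name, z.Records, z.DS)) }

// dsDigest is the DS a parent publishes for a child: a digest of the child's DNSKEY.
func dsDigest(child *Zone) string { return fmt.Sprintf("%x", sha256.Sum256(child.Pub)) }

// NewZone creates an unsigned zone with a fresh key pair; only Pub is published,
// the private key is handed back to the owner and never leaves their hands.
func NewZone(name string, records ...string) (*Zone, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	return &Zone{Name: name, Pub: pub, Records: records, DS: map[string]string{}}, priv
}

// Delegate is the registrar step: the parent publishes the DS record for the child.
func Delegate(parent, child *Zone) { parent.DS[child.Name] = dsDigest(child) }

// Sign is the owner step: produce the RRSIG over the zone's current contents.
func Sign(z *Zone, priv ed25519.PrivateKey) { z.RRSIG = ed25519.Sign(priv, z.signedData()) }

// Validate plays the validating resolver: trust only the root anchor, verify each zone's
// RRSIG with its own DNSKEY, and require the parent's DS to match the child's DNSKEY.
func Validate(chain []*Zone, anchor ed25519.PublicKey) error {
	if !chain[0].Pub.Equal(anchor) {
		return fmt.Errorf("%s: DNSKEY does not match the trust anchor", chain[0].Name)
	}
	for i, z := range chain {
		if !ed25519.Verify(z.Pub, z.signedData(), z.RRSIG) {
			return fmt.Errorf("%s: RRSIG verification failed", z.Name)
		}
		if i+1 < len(chain) && z.DS[chain[i+1].Name] != dsDigest(chain[i+1]) {
			return fmt.Errorf("%s: no DS matching the DNSKEY of %s", z.Name, chain[i+1].Name)
		}
	}
	return nil
}
```

A record changed after signing fails the RRSIG check, and a zone signed with a key the parent never published a DS for fails the DS check, which is exactly what a validating resolver reports as an error to the user.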
Why should you use DNSSEC?
There are two important reasons to use DNSSEC:
- Authentication of the data’s origin. It is crucial to be sure that the zone data is coming from the right authoritative name server. DNSSEC stops redirection to malicious name servers.
- Authentication of the data’s integrity. An essential part of DNSSEC is checking that the data has not been modified in any way after leaving its origin (the authoritative server). A modification such as cache poisoning could damage the servers or lead to a DDoS attack.
How to use DNSSEC?
Sadly, it is not activated by default, but most DNS hosting companies support DNSSEC.
A few domains still can’t use DNSSEC at all, but their number is very small. Almost all popular generic top-level domains and country-code top-level domains support it.
You can start using it by activating it in your DNS provider’s control panel. Find the DNSSEC setting and simply click “enable” for each zone you want to sign. After that, you will get a DS record (delegation signer), which you publish where your domain is registered. That way, the chain is complete.
Use DNSSEC whenever it is available. Even if it slows down the connection a bit, data integrity and protection are far more important. Be responsible and protect your DNS with DNSSEC. It is easy to apply. Just do it!