Now we will talk about what the Domain Name System Security Extensions (DNSSEC) are and how they can protect you and your clients from DNS spoofing. If you have activated it, you get additional verification of the DNS servers and can evade “poisoned” servers that redirect your visitors to a different IP address.
DNS and DNSSEC
We have already talked about how DNS works. Briefly explained, it is a system that facilitates our lives by translating domain names to their IP addresses. This way, visitors don’t need to remember IP addresses and just write the name of the domain. In the DNS, users’ requests go through different recursive servers until they reach the root zone where the IP addresses are stored.
But when DNS was invented, security was not thought through well. To secure the system without completely changing it, the DNSSEC extension was created.
DNSSEC is a security extension that uses a combination of public and private keys to sign data and verify the authoritative server. With it, even if a recursive server was poisoned by hackers, it won’t send the visitors to a shady website where their personal data and bank information can be stolen. DNSSEC must be applied at each step, from the root zone down to the domain: the root zone will have a key for .com, and .com will have one for EXAMPLE.com.
We have a few new types of records – RRSIG (digital signature), DNSKEY (the public key at the root), DS (delegation signer), and NSEC (like NS, it is a pointer to the next secure record).
These records come in sets – RRsets (groups of records of the same type). RRsets are used for common DNS records like A, AAAA and MX too. Signing whole RRsets rather than individual records reduces the complexity of verification.
Zone-signing keys (ZSK)
There is a zone-signing key pair for each zone. The private key signs each RRset in the zone and the public key verifies the signature. A zone operator must create digital signatures for each set with the private ZSK and save them in the form of RRSIG records. The public ZSK must also be published in the form of a DNSKEY record. When the DNSSEC resolver requests the DNSKEY record together with the RRset and its RRSIG, the validation can happen.
Key-signing keys (KSK)
The KSK validates the DNSKEY records in the same way that the ZSK validates the rest of the RRsets. The public KSK is published in another DNSKEY record. The private KSK signs both the public KSK and the public ZSK. The resolver uses the public KSK to validate the public ZSK.
Delegation Signer Record
After the previous processes, we will have a validated zone, but this trust must be transferred to the zone below it. The operator of the child zone hashes the DNSKEY record containing its public KSK and gives the hash to the parent zone, which publishes it as a DS record. The resolver hashes the child’s DNSKEY and compares the result with the parent’s DS record. If they match, the resolver can trust the child zone.
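The ZSK/KSK split and the DS hand-off above, worked through in code. This is an added example, not ClouDNS’s code or anything from the original post: it builds the DS record the way RFC 4034 defines it (key tag from Appendix B, SHA-256 digest type 2 over the owner name in wire form followed by the DNSKEY RDATA) and then does the resolver-side comparison, with constructed key bytes standing in for real public keys.

```python
import hashlib

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name: example.com. -> \\x07example\\x03com\\x00"""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit checksum a resolver uses to pick the right DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, rdata):
    """What the child hands to the parent: (key tag, algorithm, digest type 2,
    SHA-256 over owner-name wire form || DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def verify_delegation(owner, child_dnskeys, parent_ds):
    """Resolver-side check: the chain holds only if a KSK the child publishes
    hashes to a DS record the parent actually holds."""
    for rdata in child_dnskeys:
        flags = int.from_bytes(rdata[:2], "big")
        if not flags & 0x0001:      # SEP bit clear: this is a ZSK, not a KSK
            continue
        if ds_record(owner, rdata) in parent_ds:
            return True
    return False

# Constructed sample data (not real keys): example.com publishes one KSK and one ZSK.
CHILD = "example.com."
KSK = dnskey_rdata(257, 13, bytes.fromhex("0102030405060708"))  # flags 257 = zone key + SEP
ZSK = dnskey_rdata(256, 13, bytes.fromhex("a1b2c3d4e5f6a7b8"))  # flags 256 = zone key only
PARENT_DS = {ds_record(CHILD, KSK)}   # what .com would publish for example.com
# A poisoned answer that swaps in a different KSK has no matching DS in .com, so it fails.
ROGUE_KSK = dnskey_rdata(257, 13, bytes.fromhex("deadbeefdeadbeef"))

if __name__ == "__main__":
    print("genuine chain:", verify_delegation(CHILD, [ZSK, KSK], PARENT_DS))        # True
    print("swapped KSK:  ", verify_delegation(CHILD, [ZSK, ROGUE_KSK], PARENT_DS))  # False
```

The ZSK alone never satisfies the check, which is exactly why the parent only needs a DS for the KSK: the ZSK is trusted indirectly through the KSK’s signature over the DNSKEY RRset.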
What does it mean for the end users?
Enabling DNSSEC will guarantee that users access the right website, not a fake copy. It doesn’t remove the need for an SSL certificate for data encryption and further protection of users’ data.
ClouDNS and DNSSEC
ClouDNS offers DNSSEC for both Primary and Secondary DNS in each of our paid DNS plans. DNSSEC is compatible with non-DNSSEC resolvers too. This means that if you enable it, the DNS will continue to function without problems even if the resolver(s) don’t support DNSSEC.
Cons of DNSSEC
As you could guess, there are some negatives too. Applying it correctly will create more records. Furthermore, it will increase the size of the DNS responses.
Still, we recommend the use of DNSSEC. It is not hard to apply, it provides extra security and saves you many problems with your clients.