What is DNSSEC?

Domain Name System (DNS)

The Domain Name System (DNS) is a distributed, hierarchically arranged database containing records for domain names. Its main purpose is to map a domain name to an IP address: when a user types a domain name into a browser, DNS translates that name into the IP address of the server to connect to.

Vulnerabilities were discovered in DNS that allow a hacker to hijack this process of looking up a site on the Internet by its domain name. The purpose of such an attack is to take control of the user's session, for example to send the user to the hijacker's own deceptive website in order to collect sensitive data. This led to the introduction of Domain Name System Security Extensions (DNSSEC).

Domain Name System Security Extensions (DNSSEC)

Domain Name System Security Extensions (DNSSEC) is a technology developed to protect against malicious activities such as cache poisoning, pharming, and man-in-the-middle attacks. It adds digital signatures to a domain name's DNS records so that the authenticity of the data's source can be determined. DNSSEC is a set of extensions to DNS that provides DNS clients (resolvers) with:

  • Origin authentication of DNS data,

  • Authenticated denial of existence, and

  • Data integrity.

DNSSEC uses digital signatures to build a chain of trust from the root zone down to the domain. A validating resolver then uses that chain to verify that the DNS records it receives match the signed records published by the domain's authoritative DNS servers. If it cannot validate the response, it discards it. This ensures that the user is connecting to the genuine address for a domain name.
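As an added example (not part of the original article), the following Python shows one link in that chain: a parent zone publishes a DS record containing a hash of the child zone's DNSKEY, and a validating resolver recomputes that hash (RFC 4034 key tag and digest) to confirm the child's key is the one the parent vouches for. The DNSKEY record below is constructed with a made-up 4-byte public key so it runs offline; a real key would be an RSA or ECDSA public key.

```python
import base64
import hashlib

# RFC 4034 DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key
def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the formula used for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form | DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' presentation format."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], dnskey_rdata(flags, proto, alg, pubkey)

def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """The check a validating resolver performs: does the parent's DS describe this DNSKEY?"""
    owner, rdata = parse_dnskey(dnskey_line)
    fields = ds_line.split()
    idx = fields.index("DS")
    tag, alg, digest_type = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).upper()
    return tag == key_tag(rdata) and alg == rdata[3] and digest == ds_digest(owner, rdata, digest_type)

# Constructed sample: flags 257 marks a key-signing key; "AQIDBA==" is the bytes 01 02 03 04.
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    print(owner, "key tag", key_tag(rdata), "DS digest", ds_digest(owner, rdata))
```

A mismatch in the key tag, algorithm, or digest means the parent does not vouch for that key, so a resolver treats the chain as broken and discards the data.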

DNSSEC is currently supported for the following TLDs (domain name extensions):

  • By the Registry Operator:

    • .COM

    • .DE

    • .EU

    • .IN

    • .ME

    • .NET

    • .NL

    • .NZ

    • .ORG

    • .UK

    • .US

    • CentralNIC

  • By Verve Logic:

    • .COM

    • .IN

    • .ME

    • .NET

    • .ORG