The Domain Name System (DNS) is the backbone of the internet. It’s how computers and IoT devices are able to communicate with one another and how users reach an online destination. DNS got its start in 1983, but a lot’s changed in 38 years. In fact, since 1995, internet users have increased from 16 million or 0.4% of the world to a staggering 4.66 billion users as of January 2021—that’s 59.5% of the global population.
That’s where DNS Security Extension (DNSSEC) comes in. Such an enormous growth in internet usage calls for greater security measures. While the original DNSSEC technology was actually released in 1997, it wasn’t until 2005 that it evolved into the DNSSEC that’s commonly used today.
DNSSEC Explained
The nitty-gritty on DNSSEC is that it creates cryptographic signatures for existing DNS records. This is achieved with private and public signing keys that validate query responses. When DNSSEC is set up for a domain, resolvers can compare digital signatures and confirm that the DNS record request is coming from an authoritative nameserver. This not only proves the integrity of the data, but also ensures that the request wasn’t altered or contains a fake record.
A DNSSEC-enabled zone is secured by grouping all DNS records of the same type into a Resource Record Set (RRset). Rather than the individual records, the RRsets are what is digitally signed.
DNSSEC Keys
DNSSEC uses digital signatures that are based on public key cryptography. Each DNS zone for a domain with DNSSEC enabled has a public and a private key, which is used to sign or authenticate the DNS data for that particular zone.
As you might have guessed, a private key holds material privy only to the zone owner. This protects sensitive data needed to authenticate DNS records. The public key, on the other hand, is published in the DNS zone, and is there for any recursive resolver to retrieve. Once data is validated, the request is then sent to the end user. If the request fails to authenticate, a user will receive an error message.
Key Signing Key (KSK)
The KSK represents a public/private key combination and is what is used to validate the ZSK. This key is a long-term key (replaced annually) and is always tied to a host zone—it can’t exist without it. The KSK signs the public portion of the ZSK.
Zone Signing Key (ZSK)
The ZSK key corresponds with the private key in a DNS zone and is a short-term key as it is changed more often (usually quarterly) than a Key Signing Key (KSK). This key is used to sign and verify the non-key records of a domain’s DNS zone.
Ultimately, DNSSEC is based on trust. Keys
DNS Records that Store DNSSEC Public Signing Keys
DNSSEC introduces several new record types that handle signature validation and that hold the cryptographic signatures that work alongside all common DNS record types. These records are:
- DNSKEY - Holds the public signing key
- DS - Includes the hash of the DNSKEY record
- CDNSKEY and CDS - For child zones requesting updates to DS records
- NSEC (next secure record) and NSEC3 - Links to the next record in a zone and has a list of record types for the name covered by the hash (fingerprint) value
- RRSIG - Holds the cryptographic signature for a record set
Tip: DNS Viz is a helpful tool for validating or troubleshooting the DNSSEC of a specific zone. It provides you with a visual analysis of the authentication chain, its resolution path, and lists configuration errors.
Do I Need DNSSEC?
DNSSEC can play an important role in DNS security, especially for corporate organizations in the financial or medical sectors or those that handle sensitive personal information, as well as domains that are at high risk for cyberattacks. It’s worth mentioning, however, that implementation requires extra care in order to avoid resolution problems. Furthermore, DNSSEC doesn’t protect against DDoS or other types of cyberattacks, so you still want to make sure all your bases are covered.
If you liked this, you might find these helpful:
https://www.youtube.com/watch?v=_8M_vuFcdZU
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
https://social.dnsmadeeasy.com/blog/dear-dns-coach-why-dont-the-largest-domains-use-dnssec/
Need better DNS?
We can help.
• Configure with ease
• Prevent DDoS attacks
• Monitor your domains
• Optimize site traffic
• Enhance domain performance
• Free POC Account + Demo
BOOK FREE DEMO
Constellix DNS News
Sign up for industry news and insights. It'll be worth it.
Sign up for news and offers from Constellix and DNS Made Easy
