Heather Oliver is a Technical Writer for Constellix and DNS Made Easy, subsidiaries of Tiggee LLC. She’s fascinated by technology and loves adding a little spark to complex topics. Want to connect? Find her on LinkedIn.
The Domain Name System (DNS) is the backbone of the internet. It’s how computers and IoT devices are able to communicate with one another and how users reach an online destination. DNS got its start in 1983, but a lot’s changed in 38 years. In fact, since 1995, internet users have increased from 16 million or 0.4% of the world to a staggering 4.66 billion users as of January 2021—that’s 59.5% of the global population.
Such an enormous growth in internet usage calls for greater security measures, and that’s where DNS Security Extensions (DNSSEC) come in. While the original DNSSEC technology was actually released in 1997, it wasn’t until 2005 that it evolved into the DNSSEC that’s commonly used today.
The nitty-gritty on DNSSEC is that it creates cryptographic signatures for existing DNS records. This is achieved with private and public signing keys that validate query responses. When DNSSEC is set up for a domain, resolvers can verify the digital signatures and confirm that a DNS response came from the zone’s authoritative nameserver. This not only proves the integrity of the data, but also ensures that the response wasn’t altered in transit or swapped for a fake record.
A DNSSEC-enabled zone is secured by grouping all DNS records of the same name and type into a Resource Record Set (RRset). It is the RRset, rather than each individual record, that is digitally signed.
DNSSEC uses digital signatures based on public key cryptography. Each DNS zone with DNSSEC enabled has a public/private key pair, which is used to sign and then authenticate the DNS data for that particular zone.
As you might have guessed, the private key is known only to the zone owner; keeping it private is what protects the signatures used to authenticate DNS records. The public key, on the other hand, is published in the DNS zone itself, where any recursive resolver can retrieve it. Once the data is validated, the response is passed on to the end user. If the response fails to validate, the user receives an error instead.
The Key Signing Key (KSK) is a public/private key pair used to validate the ZSK. It is a long-term key (typically replaced annually) and is always tied to a host zone—it can’t exist without it. The KSK signs the public portion of the ZSK.
The Zone Signing Key (ZSK) is the key pair whose private half signs the records in a DNS zone. It is a short-term key, rotated more often (usually quarterly) than the KSK, and it is used to sign and verify all of the non-key records in a domain’s DNS zone.
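To make the two-key chain above concrete, here is an added example (not code from the original post or from Constellix): a toy Go model in which RRsets, not single records, are signed, the KSK signs the DNSKEY RRset that publishes the public ZSK, the ZSK signs every other RRset, and a resolver holding only the public KSK as its trust anchor validates downward. It assumes Ed25519 and a simplified text form instead of the real DNSSEC wire format, and the zone name and records are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"sort"
	"strings"
)

// RRset groups every record of one name and type: the unit DNSSEC signs, not the single record.
type RRset struct{ Name, Type string; Records []string }

// canonical serialises the set with sorted records so signer and validator see identical bytes.
func (r RRset) canonical() []byte {
	recs := append([]string(nil), r.Records...)
	sort.Strings(recs)
	return []byte(r.Name + " " + r.Type + "\n" + strings.Join(recs, "\n"))
}

// Zone is a toy signed zone (not wire format): RRsets keyed "name type" plus the signature over each.
type Zone struct{ Sets map[string]RRset; Sigs map[string][]byte }

// SignZone makes a KSK and a ZSK, publishes both public keys in the DNSKEY RRset, signs that RRset
// with the KSK and every other RRset with the ZSK, and returns the public KSK as the trust anchor
// (in real DNS a resolver reaches it through the DS record in the parent zone).
func SignZone(name string, sets []RRset) (Zone, ed25519.PublicKey) {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	z := Zone{map[string]RRset{}, map[string][]byte{}}
	dk := RRset{name, "DNSKEY", []string{"KSK " + hex.EncodeToString(kskPub), "ZSK " + hex.EncodeToString(zskPub)}}
	z.Sets[name+" DNSKEY"], z.Sigs[name+" DNSKEY"] = dk, ed25519.Sign(kskPriv, dk.canonical())
	for _, s := range sets {
		z.Sets[s.Name+" "+s.Type], z.Sigs[s.Name+" "+s.Type] = s, ed25519.Sign(zskPriv, s.canonical())
	}
	return z, kskPub
}

// Validate plays the resolver: check the KSK signature over DNSKEY against the anchor, take the ZSK
// from the now-trusted DNSKEY RRset, then check the ZSK signature over the requested RRset.
func Validate(z Zone, anchor ed25519.PublicKey, zone, key string) bool {
	dk, ok := z.Sets[zone+" DNSKEY"]
	if !ok || len(anchor) != ed25519.PublicKeySize || !ed25519.Verify(anchor, dk.canonical(), z.Sigs[zone+" DNSKEY"]) {
		return false // DNSKEY set not signed by the trusted KSK: nothing beneath it can be trusted
	}
	var zsk []byte
	for _, r := range dk.Records {
		if strings.HasPrefix(r, "ZSK ") {
			zsk, _ = hex.DecodeString(strings.TrimPrefix(r, "ZSK "))
		}
	}
	s, ok := z.Sets[key]
	return ok && len(zsk) == ed25519.PublicKeySize && ed25519.Verify(zsk, s.canonical(), z.Sigs[key])
}
```

Replacing one address in the signed A RRset, or validating against a different zone's KSK, makes Validate return false, which is the resolver's cue to reject the response.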
Ultimately, DNSSEC is based on trust. Keys
DNSSEC introduces several new record types that hold the cryptographic signatures and handle signature validation, working alongside all common DNS record types. These records are:
Tip: DNSViz is a helpful tool for validating or troubleshooting the DNSSEC configuration of a specific zone. It gives you a visual analysis of the authentication chain and its resolution path, and lists any configuration errors.
DNSSEC can play an important role in DNS security, especially for corporate organizations in the financial or medical sectors or those that handle sensitive personal information, as well as domains that are at high risk for cyberattacks. It’s worth mentioning, however, that implementation requires extra care in order to avoid resolution problems. Furthermore, DNSSEC doesn’t protect against DDoS or other types of cyberattacks, so you still want to make sure all your bases are covered.