You can think of DNSSEC as a patch for the otherwise unauthenticated DNS. It adds digital signatures to DNS data and builds a chain of trust from the root down, so a resolver can verify that the records it receives for your domain are the ones the zone owner published and have not been altered on the way.
What does DNSSEC mean?
The full name is a mouthful: Domain Name System Security Extensions.
The original DNS is fast and reliable, but it has no built-in authentication: a resolver cannot tell a genuine answer from a forged one. That was not much of a problem when the protocol was designed. The IETF began work on DNSSEC in the early 1990s; the specification in use today (RFC 4033, 4034 and 4035) was published in 2005, and the root zone was signed in 2010, which is what made a complete chain of trust from the root possible.
DNSSEC aims to stop DNS cache poisoning and any other tampering with DNS data in transit. Be precise about what it provides: origin authentication and integrity of the records, not confidentiality. It is signing, not encryption, and queries and answers are still sent in the clear.
DNSSEC involves every level of a domain name: the root, the TLD, and the zone you manage yourself.
Each level holds its own key pair, and each parent zone vouches for the key of the zone directly below it.
It is a chain of trust. If any link fails to validate, the chain is broken and the data below that point cannot be trusted.
How exactly does DNSSEC work?
The root zone publishes a record vouching for the key of the next level down, the TLD. The TLD publishes one for DOMAINNAME.TLD, and DOMAINNAME.TLD can do the same for any signed subdomain it delegates. At each step the parent holds a hash of the child's key, not the key itself.
A few DNS record types carry the process: RRSIG, a digital signature over a set of records; DNSKEY, the public keys of a zone; DS (delegation signer), which the parent zone publishes to vouch for a child's key; and NSEC (or its hashed variant, NSEC3), which points to the next name in the zone and lets a resolver prove that a name or record type does not exist.
Records are signed in groups called RRsets: all records with the same owner name, class and type (for example, all the A records of www.example.com, or all the MX records of a domain). Each RRset gets its own RRSIG rather than each individual record.
There are two kinds of keys plus the record that links zones together: zone-signing keys (ZSK), key-signing keys (KSK), and delegation signer (DS) records:
- The ZSK is a key pair used to sign the zone's data. The private ZSK signs each RRset in the zone, and the resulting signatures are published as RRSIG records. The public ZSK is published in the zone as a DNSKEY record. A validating resolver takes the RRset, its RRSIG and that DNSKEY, and checks that the signature verifies.
- To trust that DNSKEY, the resolver needs the KSK. The public KSK is also published as a DNSKEY record, and the private KSK signs the DNSKEY RRset, which contains both the public KSK and the public ZSK. The resolver uses the public KSK to validate that signature, and that is what makes the ZSK trustworthy.
- The last piece is the DS record, which delegates trust from the parent zone to the child. The zone operator hashes the DNSKEY record holding the public KSK and sends that hash to the parent zone (through the registrar, for a domain under a TLD), where it is published as a DS record. The resolver hashes the child's KSK itself and compares the result with the parent's DS record. If they match, and the parent zone validated in turn, the chain holds.
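The three steps above, run end to end, as an added example that is not code from the original article. It models one zone (constructed as example.com. with a single A RRset), signs it the way DNSSEC does (ZSK signs the data RRsets, KSK signs the DNKSEY RRset, the parent holds a DS hash of the KSK), then validates a genuine answer, a poisoned answer, and a mismatched DS. To stay on the Python standard library it uses textbook RSA with small fixed Mersenne primes as the signature scheme and a simplified text form for the records; real DNSSEC uses proper RSA/ECDSA/EdDSA keys and the RFC 4034 wire formats, and every name, key size and address below is an assumption for the demo.

```python
"""Toy model of the DNSSEC chain of trust: DS (in parent) -> KSK -> ZSK -> RRset.

Added example, not from the original page. Signature scheme is textbook RSA over
small fixed primes (assumption, for an offline standard-library demo); the record
formats are simplified stand-ins for the RFC 4034 formats.
"""
import hashlib

E = 65537  # RSA public exponent; hashes are reduced mod n because the toy n is tiny


def toy_keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def toy_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)


def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def canonical(owner, rrtype, rdata):
    """The signed unit is the whole RRset: owner name, type and all rdata in canonical order."""
    return (owner.lower() + "|" + rrtype + "|" + "|".join(sorted(rdata))).encode()


def dnskey_rdata(pub, flags):
    """Flags 256 = ZSK, 257 = KSK (SEP bit); '3 8' mimics protocol 3, algorithm 8 (RSA/SHA-256)."""
    n, e = pub
    return f"{flags} 3 8 {e}:{n:x}"


def parse_dnskey(rdata):
    flags, _proto, _alg, key = rdata.split()
    e, n = key.split(":")
    return (int(n, 16), int(e)), int(flags)


def ds_digest(owner, ksk_rdata):
    """DS rdata is a hash of the child's KSK DNSKEY record, published by the parent zone."""
    return hashlib.sha256(owner.lower().encode() + ksk_rdata.encode()).hexdigest()


def sign_zone(owner, ksk, zsk, rrsets):
    """KSK signs the DNSKEY RRset, ZSK signs every other RRset.
    Returns the signed zone and the DS record to hand to the parent."""
    (ksk_pub, ksk_priv), (zsk_pub, zsk_priv) = ksk, zsk
    dnskey = sorted([dnskey_rdata(ksk_pub, 257), dnskey_rdata(zsk_pub, 256)])
    zone = {"DNSKEY": dnskey,
            "RRSIG": {"DNSKEY": toy_sign(ksk_priv, canonical(owner, "DNSKEY", dnskey))}}
    for rrtype, rdata in rrsets.items():
        zone[rrtype] = sorted(rdata)
        zone["RRSIG"][rrtype] = toy_sign(zsk_priv, canonical(owner, rrtype, rdata))
    return zone, ds_digest(owner, dnskey_rdata(ksk_pub, 257))


def validate(owner, zone, rrtype, parent_ds):
    """Walk the chain the way a validating resolver does. Returns (ok, reason)."""
    keys = [(parse_dnskey(k), k) for k in zone["DNSKEY"]]
    # 1. A KSK in the child's DNSKEY RRset must hash to the DS the parent published.
    trusted = [pub for (pub, flags), rd in keys if flags == 257 and ds_digest(owner, rd) == parent_ds]
    if not trusted:
        return False, "no KSK matches the parent's DS record"
    # 2. That KSK must have signed the DNSKEY RRset; this is what makes the ZSK trusted.
    if not toy_verify(trusted[0], canonical(owner, "DNSKEY", zone["DNSKEY"]), zone["RRSIG"]["DNSKEY"]):
        return False, "RRSIG over DNSKEY does not verify"
    # 3. Some ZSK from the now-trusted DNSKEY RRset must have signed the requested RRset.
    for (pub, flags), _ in keys:
        if flags == 256 and toy_verify(pub, canonical(owner, rrtype, zone[rrtype]), zone["RRSIG"][rrtype]):
            return True, "validated"
    return False, f"RRSIG over {rrtype} does not verify"


# Constructed zone: example.com. with one A RRset. Primes are small Mersenne primes (toy only).
OWNER = "example.com."
KSK = toy_keypair(2**89 - 1, 2**19 - 1)
ZSK = toy_keypair(2**61 - 1, 2**31 - 1)
ZONE, DS_AT_PARENT = sign_zone(OWNER, KSK, ZSK, {"A": ["192.0.2.10", "192.0.2.11"]})


def poisoned_zone():
    """A forged answer with one A record swapped, as a cache-poisoning attacker would inject."""
    forged = {**ZONE, "A": ["192.0.2.10", "203.0.113.66"]}
    return validate(OWNER, forged, "A", DS_AT_PARENT)


def wrong_ds():
    """The parent publishes a DS for some other key: the chain breaks at the delegation."""
    return validate(OWNER, ZONE, "A", hashlib.sha256(b"some other key").hexdigest())


if __name__ == "__main__":
    print("genuine :", validate(OWNER, ZONE, "A", DS_AT_PARENT))
    print("poisoned:", poisoned_zone())
    print("bad DS  :", wrong_ds())
```

Two things to take from the run: the forged A record is rejected even though the attacker never touched the keys (the ZSK signature no longer matches the RRset), and a DS mismatch is rejected before any signature is checked, which is exactly the failure mode of a KSK rollover where the parent's DS was not updated.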
Why should you care about DNSSEC?
You should consider enabling DNSSEC for your domain because it lets validating resolvers detect DNS spoofing and cache poisoning: forged or modified records for your domain fail validation and are discarded instead of being handed to users. Be clear about the scope, though. It protects the integrity of your DNS data, not the availability of your name servers (it does nothing against DDoS), it does not hide queries or answers, and it only helps users whose resolvers actually validate.
The costs are larger responses (worth keeping in mind, since signed responses make better DNS amplification payloads) and a little extra validation work on the resolver side, neither of which the average user will notice. The real operational risk is key management: if a signature expires or the DS record at the parent stops matching your KSK, validating resolvers will treat your whole domain as bogus and it will simply vanish for their users, so automate key rollover and monitor it.
Should you start using DNSSEC?
Yes. Plain DNS is not safe enough, and DNSSEC closes the gap that forged answers exploit. Enable it through your DNS provider or registrar (many can generate the keys and publish the DS record for you), then check it against a validating resolver: a dig +dnssec response whose header carries the ad flag means the chain validated all the way from the root. You don't want your visitors sent to a forged address, right? Start using DNSSEC today!