What is DNSSEC?
DNSSEC (short for Domain Name System Security Extensions) applies digital signatures to DNS data to authenticate the data’s origin and verify its integrity as it moves across the Internet. DNSSEC is designed to protect against “man in the middle” and cache poisoning attacks, in which attackers corrupt the DNS data stored on recursive servers to redirect queries to fraudulent sites and unintended addresses. With DNSSEC, poisoning a recursive server’s cache is much more difficult because DNS administrators sign their data. The resulting digital signatures on that DNS data are validated through a “chain of trust” that starts with the public key published today for the root zone.
Why is DNSSEC needed?
The original design of the Domain Name System (DNS) did not include security. In the early 1990s serious security flaws were discovered in the Domain Name System and research into securing it began. DNSSEC has become an increasingly popular topic among DNS administrators globally as DNS vulnerabilities become more widely known and exploited.
How does DNSSEC work?
DNSSEC uses public key cryptography to digitally sign authoritative zone data when it enters the system and to validate it at its destination. The digital signatures assure users that the data originated from the stated source and was not modified in transit, and they can also establish whether a domain name does or does not exist.
Each zone has a public/private key pair: the zone’s public key is published in DNS, while the private key is kept secret and ideally stored offline. The zone’s private key signs the individual DNS records in that zone, producing digital signatures that are themselves published in DNS.
DNSSEC uses a rigid trust model whereby a chain of trust flows from parent zone to child zone. Parent zones vouch for the public keys of child zones, with the authoritative name servers for these various zones being managed by domain name registrars, internet service providers and web hosting companies.
Client-side technology called a stub resolver needs to be installed on the end user’s computer to request a website’s IP address from a recursive name server. When the recursive server requests the record, it also requests the DNSSEC key associated with the zone. The keys are then used to verify that the IP address record matches the record held by the authoritative name server.
Only when the recursive name server can correctly determine that the address record has been sent by the authoritative name server will the domain name resolve so the user can access the site. Since the recursive name server does not resolve address records that have been modified in transit or are not from the stated source, DNS queries are protected from man-in-the-middle (MITM) attacks and users need not worry about arriving at fraudulent addresses.
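The chain of trust described above, as an added Go model that is not code from the original page: the root zone is the trust anchor, the parent publishes and signs a DS digest of the child zone’s key, the child signs its own record, and the resolver walks the chain before accepting the answer. Zone names and the A record are constructed, Ed25519 stands in for DNSSEC algorithm 15, and each zone has a single key rather than the real KSK/ZSK split.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Zone is a simplified DNSSEC zone: one Ed25519 key pair (algorithm 15) signs its records; real zones split KSK/ZSK.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey // stays with the zone operator, ideally offline
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// Sign returns the RRSIG-like signature the zone publishes alongside a record.
func (z *Zone) Sign(record string) []byte { return ed25519.Sign(z.priv, []byte(record)) }

// DSText is the DS record a parent publishes: the child's name plus a SHA-256 digest of the child's public key.
func DSText(childName string, childPub ed25519.PublicKey) string {
	sum := sha256.Sum256(childPub)
	return childName + " DS " + hex.EncodeToString(sum[:])
}

// Validate is the resolver side: the trust anchor must have signed the DS, the DS must match the child key, and the child key must have signed the answer.
func Validate(anchor ed25519.PublicKey, ds string, dsSig []byte, childName string, childPub ed25519.PublicKey, answer string, answerSig []byte) error {
	if !ed25519.Verify(anchor, []byte(ds), dsSig) {
		return errors.New("DS record not signed by trust anchor")
	}
	if ds != DSText(childName, childPub) {
		return errors.New("child key does not match DS digest published by parent")
	}
	if !ed25519.Verify(childPub, []byte(answer), answerSig) {
		return errors.New("answer signature invalid: modified in transit or wrong signer")
	}
	return nil
}

func main() { // constructed demo zones and record; keys are freshly generated, not real
	root, ex := NewZone("."), NewZone("example.")
	ds, ans := DSText(ex.Name, ex.Pub), "www.example. A 192.0.2.1"
	fmt.Println("chain valid:", Validate(root.Pub, ds, root.Sign(ds), ex.Name, ex.Pub, ans, ex.Sign(ans)))
}
```

A real validator additionally checks RRSIG validity windows, key tags and algorithm fields, and follows DS records through every delegation between the root and the queried name.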
Advantages of DNSSEC
- Increased trust for internet activities – a strengthened DNS makes online activities such as e-commerce, online banking, online software distribution, VoIP and even email more secure.
- DNSSEC mitigates the risk of some cyber crimes, specifically man-in-the-middle (MITM) attacks and cache poisoning attacks.
- DNSSEC opens the door to more types of secure data transactions.
Disadvantages of DNSSEC
- DNSSEC can add significant load to DNS servers – increasing costs and reducing efficiency of current DNS systems. It requires significant investment of resources on the part of TLD registry operators, domain name registrars, ISPs and hosting providers.
- “Bootstrap problem” – a minimum level of deployment is required before ANY users receive a benefit greater than their costs.
- DNSSEC deployment requires software on BOTH the server and client side – how can you get buy-in from end users to use operating systems and browser add-ons that support DNSSEC, especially when the increased complexity of DNSSEC may introduce frequent lookup errors or diminished performance, negatively impacting the overall internet experience for end users?
- DNSSEC is needlessly complicated and a pain for even experienced DNS administrators to implement – DNSSEC adds complexity to a system that is intrinsically simple. There is a potential for lack of backward compatibility with some non-DNSSEC systems, which also creates concern.
- Very few top-level domains support DNSSEC and some governments may even try to ban DNSSEC-backed encryption key distribution – countries are concerned about U.S. control of the internet, and may reject any centralized keying. Deploying DNSSEC in the absence of a signed root diminishes protection against DNS cache poisoning and similar attacks.
Should you be using DNSSEC?
At present DNSSEC deployment is still gaining momentum and most top-level domains don’t support it, meaning that you probably can’t use it even if you want to. If you do use a domain that does support DNSSEC and you do want to implement it, it will likely be a huge pain to do so. Moreover, due to the lack of knowledge about it, there is little client-side adoption of DNSSEC compatible technology. Since both server-side and client-side technology is needed, there is very likely no benefit whatsoever to end users of implementing a complicated and costly DNSSEC system at present.
Moreover, there are currently much better ways to secure your domain than DNSSEC. While Secure Sockets Layer (SSL) does not protect against man-in-the-middle attacks and cache poisoning, SSL certificates do validate the identity of a website and assure users of the identity of the website owner. In addition, SSL uses digital certificates to encrypt data exchanges between a user and a website – something that DNSSEC does not do. While DNSSEC and SSL deal with fundamentally different problems (DNSSEC deals with the “where” and SSL deals with the “who” and “how”), SSL is a much more established system and has almost universal adoption, with many certificate authorities reporting higher than 99% browser compatibility. Domain owners’ best option, at present, is to use extended validation SSL certificates – they show a green browser bar and carry information about the company that owns the domain (the physical address, phone number etc.) to assure users that they are dealing with who they think they are. In the future, DNSSEC may be a viable option, but at present the cost-benefit ratio is far too unfavourable to make it appeal to anyone other than the most hardcore DNS geek.
DNSSEC support for country code top-level domains
DNSSEC support for generic top-level domains
| TLD | Intended use | DNSSEC support |
|---|---|---|
| .name | individuals, by name | No |
| .tel | Internet communication services | No |
| .travel | travel and tourism industry related sites | No |
DNSSEC support for USA top-level domains