
DNSSEC – What You Need To Know

What is DNSSEC?

DNSSEC (short for Domain Name System Security Extensions) applies digital signatures to DNS data to authenticate the data’s origin and verify its integrity as it moves across the Internet. DNSSEC is designed to protect from “man in the middle” and cache poisoning attacks, whereby hackers corrupt DNS data stored on recursive servers to redirect queries to fraudulent sites and unintended addresses. With DNSSEC, poisoning a recursive server’s cache is much more difficult because DNS administrators sign their data. The resulting digital signatures on that DNS data are validated through a “chain of trust” that starts with the public key published today for the root zone.

Why is DNSSEC needed?

The original design of the Domain Name System (DNS) did not include security. In the early 1990s, serious security flaws were discovered in the Domain Name System and research into securing it began. DNSSEC has become an increasingly popular topic among DNS administrators globally as DNS vulnerabilities are becoming more widely known and exploited.

How does DNSSEC work?

DNSSEC uses public key cryptography to digitally sign authoritative zone data when it comes into the system and then validate it at its destination. Thus, digital signatures assure users that the data originated from the stated source and that it was not modified in transit, and they can establish whether a domain name does or does not exist.

Each zone has a public/private key pair: the zone’s public key is published, and the private key is kept private and ideally stored offline. A zone’s private key signs individual DNS data in that zone, creating digital signatures that are also published with DNS.

DNSSEC uses a rigid trust model whereby a chain of trust flows from parent zone to child zone. Parent zones vouch for the public keys of child zones, with the authoritative name servers for these various zones being managed by domain name registrars, internet service providers and web hosting companies.

A client-side component called a stub resolver needs to be installed on the end user’s computer to request a website’s IP address from a recursive name server. When the server requests the record, it also requests the DNSSEC key associated with the zone. The keys are then used to determine that the IP address record matches the record of the authoritative name server.

Only when the recursive name server can correctly determine that the address record has been sent by the authoritative name server will the domain name resolve so the user can access the site. Since the recursive name server does not resolve address records that have been modified in transit or are not from the stated source, DNS queries are protected from man-in-the-middle (MITM) attacks and users need not worry about arriving at fraudulent addresses.
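
The parent-to-child link in the chain of trust described above, as an added example (not code from the original article): the parent zone publishes a DS record holding a hash of the child zone’s key, and a validator accepts a child DNSKEY only if it matches that hash. The key bytes and the name example.com are constructed placeholders; the record formats follow RFC 4034 with SHA-256 digests, and checking the RRSIG signatures themselves is left out.

```python
import hashlib
import hmac
import struct

def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """What the parent publishes: key tag plus SHA-256(owner | DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest": digest}

def vouched_keys(owner, ds_set, dnskey_set):
    """Return the child DNSKEYs that some DS record in the parent vouches for."""
    trusted = []
    for rdata in dnskey_set:
        candidate = make_ds(owner, rdata)
        for ds in ds_set:
            if (ds["key_tag"] == candidate["key_tag"]
                    and ds["algorithm"] == candidate["algorithm"]
                    and hmac.compare_digest(ds["digest"], candidate["digest"])):
                trusted.append(rdata)
    return trusted

# Constructed sample data: placeholder key bytes, not real keys.
# Flags 257 mark a key-signing key; algorithm 13 is ECDSA P-256 with SHA-256.
GENUINE_KSK = dnskey_rdata(257, 13, bytes(range(64)))
FORGED_KSK = dnskey_rdata(257, 13, bytes(range(1, 65)))
PARENT_DS = [make_ds("example.com.", GENUINE_KSK)]

if __name__ == "__main__":
    for label, key in (("genuine", GENUINE_KSK), ("forged", FORGED_KSK)):
        ok = bool(vouched_keys("Example.COM", PARENT_DS, [key]))
        print(f"{label} key, tag {key_tag(key)}: {'trusted' if ok else 'rejected'}")
```

Because the owner name is part of the hashed input, a DS record published for one zone cannot vouch for the same key presented under a different zone name.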

Advantages of DNSSEC

  • Increased trust for internet activities – strengthened DNS makes online activities such as e-commerce, online banking, online software distribution, VoIP and even email more secure.
  • DNSSEC mitigates the risk of some cyber crimes, specifically man-in-the-middle (MITM) attacks and cache poisoning attacks.
  • DNSSEC opens the door to more types of secure data transactions.

 

Disadvantages of DNSSEC

  • DNSSEC can add significant load to DNS servers – increasing costs and reducing efficiency of current DNS systems. It requires significant investment of resources on the part of TLD registry operators, domain name registrars, ISPs and hosting providers.
  • “Bootstrap problem” – a minimum level of deployment is required before ANY users receive a benefit greater than their costs.
  • DNSSEC deployment requires software on BOTH the server and client side – how can you get buy-in from end users to use operating systems and browser add-ons that support DNSSEC, especially when the increased complexity of DNSSEC may introduce frequent lookup errors or diminished performance, negatively impacting the overall internet experience for end users?
  • DNSSEC is needlessly complicated and a pain for even experienced DNS administrators to implement – DNSSEC adds complexity to a system that is intrinsically simple. There is a potential for lack of backward compatibility with some non-DNSSEC systems, which also creates concern.
  • Very few top-level domains support DNSSEC and some governments may even try to ban DNSSEC-backed encryption key distribution – countries are concerned about U.S. control of the internet, and may reject any centralized keying. Deploying DNSSEC in the absence of a signed root diminishes protection against DNS cache poisoning and similar attacks.

 

Should you be using DNSSEC?

At present DNSSEC deployment is still gaining momentum and most top-level domains don’t support it, meaning that you probably can’t use it even if you want to. If you do use a domain that does support DNSSEC and you do want to implement it, it will likely be a huge pain to do so. Moreover, due to the lack of knowledge about it, there is little client-side adoption of DNSSEC-compatible technology. Since both server-side and client-side technology are needed, there is very likely no benefit whatsoever to end users of implementing a complicated and costly DNSSEC system at present.

Moreover, there are currently much better ways to secure your domain than DNSSEC. While Secure Sockets Layer (SSL) does not protect from man-in-the-middle attacks and cache poisoning, SSL certificates do validate the identity of a website and assure users of the identity of the website owner. In addition, SSL uses digital certificates to encrypt data exchanges between a user and a website – something that DNSSEC does not do. While DNSSEC and SSL deal with fundamentally different problems (DNSSEC deals with the “where” and SSL deals with the “who” and “how”), SSL is a much more established system and has almost universal adoption, with many certificate authorities reporting higher than 99% browser compatibility. Domain owners’ best option, at present, is to use extended validation SSL certificates – they show a green browser bar and have information about the company that owns the domain (the physical address and phone number etc.) to assure users that they are dealing with who they think they are. In the future, DNSSEC may be a viable option, but at present the cost-benefit ratio is far too unfavourable to make it appeal to anyone other than the most hardcore DNS geek.

 

DNSSEC support for country code top-level domains

Domain Name Entity DNSSEC
.ac  Ascension Island Yes
.ad  Andorra No
.ae  United Arab Emirates No
.af  Afghanistan No
.ag  Antigua and Barbuda Yes
.ai  Anguilla No
.al  Albania No
.am  Armenia Yes
.an  Netherlands Antilles No
.ao  Angola No
.aq  Antarctica No
.ar  Argentina No
.as  American Samoa No
.at  Austria No
.au  Australia No
.aw  Aruba No
.ax  Åland No
.az  Azerbaijan No
.ba  Bosnia and Herzegovina No
.bb  Barbados No
.bd  Bangladesh No
.be  Belgium Yes
.bf  Burkina Faso No
.bg  Bulgaria Yes
.bh  Bahrain No
.bi  Burundi No
.bj  Benin No
.bm  Bermuda No
.bn  Brunei No
.bo  Bolivia No
.br  Brazil Yes
.bs  Bahamas No
.bt  Bhutan No
.bv  Bouvet Island No
.bw  Botswana No
.by  Belarus No
.bz  Belize Yes
.ca  Canada Yes
.cc  Cocos (Keeling) Islands Yes
.cd  Democratic Republic of the Congo No
.cf  Central African Republic No
.cg  Republic of the Congo No
.ch  Switzerland Yes
.ci  Côte d’Ivoire No
.ck  Cook Islands No
.cl  Chile Yes
.cm  Cameroon No
.cn  People’s Republic of China No
.co  Colombia Yes
.cr  Costa Rica Yes
.cs  Czechoslovakia No
.cu  Cuba No
.cv  Cape Verde No
.cx  Christmas Island Yes
.cy  Cyprus No
.cz  Czech Republic Yes
.dd  East Germany No
.de  Germany Yes
.dj  Djibouti No
.dk  Denmark Yes
.dm  Dominica No
.do  Dominican Republic No
.dz  Algeria No
.ec  Ecuador No
.ee  Estonia No
.eg  Egypt No
.eh  Western Sahara No
.er  Eritrea No
.es  Spain No
.et  Ethiopia No
.eu  European Union Yes
.fi  Finland Yes
.fj  Fiji No
.fk  Falkland Islands No
.fm  Federated States of Micronesia No
.fo  Faroe Islands Yes
.fr  France Yes
.ga  Gabon No
.gb  United Kingdom No
.gd  Grenada No
.ge  Georgia No
.gf  French Guiana No
.gg  Guernsey No
.gh  Ghana No
.gi  Gibraltar Yes
.gl  Greenland Yes
.gm  The Gambia No
.gn  Guinea Yes
.gp  Guadeloupe No
.gq  Equatorial Guinea No
.gr  Greece Yes
.gs  South Georgia and the South Sandwich Islands No
.gt  Guatemala No
.gu  Guam No
.gw  Guinea-Bissau No
.gy  Guyana No
.hk  Hong Kong No
.hm  Heard Island and McDonald Islands No
.hn  Honduras Yes
.hr  Croatia No
.ht  Haiti No
.hu  Hungary No
.id  Indonesia No
.ie  Ireland No
.il  Israel No
.im  Isle of Man No
.in  India Yes
.io  British Indian Ocean Territory Yes
.iq  Iraq No
.ir  Iran No
.is  Iceland No
.it  Italy No
.je  Jersey No
.jm  Jamaica No
.jo  Jordan No
.jp  Japan Yes
.ke  Kenya No
.kg  Kyrgyzstan Yes
.kh  Cambodia No
.ki  Kiribati No
.km  Comoros No
.kn  Saint Kitts and Nevis No
.kp  Democratic People’s Republic of Korea No
.kr  Republic of Korea Yes
.kw  Kuwait No
.ky  Cayman Islands No
.kz  Kazakhstan No
.la  Laos Yes
.lb  Lebanon Yes
.lc  Saint Lucia Yes
.li  Liechtenstein Yes
.lk  Sri Lanka Yes
.lr  Liberia Partial
.ls  Lesotho No
.lt  Lithuania Yes
.lu  Luxembourg Yes
.lv  Latvia Yes
.ly  Libya No
.ma  Morocco Partial
.mc  Monaco No
.md  Moldova No
.me  Montenegro Yes
.mg  Madagascar No
.mh  Marshall Islands No
.mk  Macedonia No
.ml  Mali No
.mm  Myanmar Yes
.mn  Mongolia Yes
.mo  Macau No
.mp  Northern Mariana Islands No
.mq  Martinique No
.mr  Mauritania No
.ms  Montserrat No
.mt  Malta No
.mu  Mauritius No
.mv  Maldives No
.mw  Malawi No
.mx  Mexico No
.my  Malaysia Yes
.mz  Mozambique No
.na  Namibia Yes
.nc  New Caledonia Yes
.ne  Niger No
.nf  Norfolk Island Yes
.ng  Nigeria No
.ni  Nicaragua No
.nl  Netherlands Yes
.no  Norway No
.np  Nepal No
.nr  Nauru No
.nu  Niue Yes
.nz  New Zealand Yes
.om  Oman No
.pa  Panama No
.pe  Peru No
.pf  French Polynesia No
.pg  Papua New Guinea No
.ph  Philippines No
.pk  Pakistan No
.pl  Poland Yes
.pm  Saint-Pierre and Miquelon Yes
.pn  Pitcairn Islands No
.pr  Puerto Rico Yes
.ps  State of Palestine No
.pt  Portugal Yes
.pw  Palau Yes
.py  Paraguay No
.qa  Qatar No
.re  Réunion Yes
.ro  Romania No
.rs  Serbia No
.ru  Russia Yes
.rw  Rwanda No
.sa  Saudi Arabia No
.sb  Solomon Islands No
.sc  Seychelles Yes
.sd  Sudan No
.se  Sweden Yes
.sg  Singapore No
.sh  Saint Helena Yes
.si  Slovenia Yes
.sj  Svalbard and Jan Mayen Islands No
.sk  Slovakia No
.sl  Sierra Leone No
.sm  San Marino No
.sn  Senegal No
.so  Somalia No
.sr  Suriname No
.ss  South Sudan No
.st  São Tomé and Príncipe No
.su  Soviet Union Yes
.sv  El Salvador No
.sx  Sint Maarten Yes
.sy  Syria No
.sz  Swaziland No
.tc  Turks and Caicos Islands No
.td  Chad No
.tf  French Southern and Antarctic Lands Yes
.tg  Togo No
.th  Thailand Yes
.tj  Tajikistan No
.tk  Tokelau No
.tl  East Timor No
.tm  Turkmenistan Yes
.tn  Tunisia No
.to  Tonga No
.tp  East Timor No
.tr  Turkey No
.tt  Trinidad and Tobago Yes
.tv  Tuvalu Yes
.tw  Taiwan Yes
.tz  Tanzania Yes
.ua  Ukraine Yes
.ug  Uganda Yes
.uk  United Kingdom Yes
.us  United States of America Yes
.uy  Uruguay No
.uz  Uzbekistan No
.va  Vatican City No
.vc  Saint Vincent and the Grenadines Partial
.ve  Venezuela No
.vg  British Virgin Islands No
.vi  United States Virgin Islands No
.vn  Vietnam No
.vu  Vanuatu No
.wf  Wallis and Futuna Yes
.ws  Samoa No
.ye  Yemen No
.yt  Mayotte Yes
.yu  SFR Yugoslavia, FR Yugoslavia No
.za  South Africa No
.zm  Zambia No
.zw  Zimbabwe No

 

DNSSEC support for generic top-level domains

Domain Name Entity DNSSEC
.aero air-transport industry No
.asia Asia-Pacific region Yes
.biz business Yes
.cat Catalan Yes
.com commercial Yes
.coop cooperatives No
.info information Yes
.int international organizations No
.jobs companies No
.mobi mobile devices No
.museum museums Yes
.name individuals, by name No
.net network Yes
.org organization Yes
.post postal services Yes
.pro professions No
.tel Internet communication services No
.travel travel and tourism industry related sites No
.xxx adult entertainment No

 

DNSSEC support for USA top-level domains

Domain Name Entity DNSSEC
.edu educational Yes
.gov governmental Yes
.mil US military Yes

 

Worldwide map of DNSSEC deployment

