Quick Guide to DNSSEC

There are many ways for attackers to take advantage of the infrastructure that delivers web assets around the world. One of them is to tamper with the IP lookup of a domain and redirect the user to a malicious destination. Some of these weaknesses are inherent to the DNS protocol itself, and they can be mitigated with DNSSEC (a set of extensions that add origin authentication and integrity protection to the Domain Name System).
This article gives a brief introduction to what DNSSEC is, why it matters, and the pros and cons of implementing it.
What is DNS?
Words are easier to remember than numbers, which is why we have the Domain Name System, or DNS. DNS translates domain names, like www.google.com, into numeric IP addresses. The records live on authoritative DNS servers that hold a zone's data; recursive resolvers look them up on a client's behalf and cache the answers.
While DNS has made life easier in many ways, it was designed without any way to check that an answer is genuine, which makes it a source of security breaches. Fortunately, extensions exist to mitigate these weaknesses. They are collectively called the Domain Name System Security Extensions, or DNSSEC.
How does DNS work?
DNS is often referred to as the "phone book of the internet" because of how it looks up IP addresses. A lookup proceeds in steps, starting at the root zone, the top level of the hierarchy. For example, when you enter www.google.com into a browser, the resolver asks a root server which nameservers are responsible for the "com" zone. Next, it asks a "com" nameserver which nameservers are responsible for "google.com". Finally, it asks a "google.com" nameserver for the address record of www.google.com, which carries the requested IP address. Without DNSSEC each step is a plain, unauthenticated exchange: the resolver believes whichever well-formed answer reaches it first, so an attacker can hijack any step of the process. That is why we need DNSSEC.
To learn more about how DNS works, check out our complete "What is DNS" guide.
What is DNSSEC?
The primary purpose of DNSSEC is to make sure that internet users aren't redirected to fraudulent IP addresses. It protects against man-in-the-middle attacks, pharming, cache poisoning and similar attacks by attaching cryptographic signatures to DNS records, so that a resolver can verify a record really came from the zone's operator and was not altered on the way. It does not defend against DDoS attacks; if anything, the larger signed responses make an authoritative server a more effective amplifier unless it limits response rates.
Signatures are produced by the zone operator with a private key and published in the zone next to the records they cover; the matching public key is published as a DNSKEY record. A validating resolver fetches the records, their signatures and the DNSKEY, and checks that the signature verifies under that key. It then needs a reason to trust the DNSKEY itself: the parent zone publishes a DS record containing a hash of the child's key, signed with the parent's own key, and so on up to the root zone, whose public key the resolver holds as a built-in trust anchor. This is why DNSSEC must be deployed at every step from the root zone to the final domain name: if any link is missing (for example, no DS record was published at the registrar), the chain stops there and the resolver treats the domain as unsigned rather than as secure.
How does DNSSEC work?
DNSSEC helps ensure you're reaching the site you intended to visit by using public keys and digital signatures to verify data. It does so by adding new record types to the zone, such as the following:
- RRSIG: holds the cryptographic signature over a set of records, together with the signing algorithm, the key tag of the signing key and the signature's validity window
- DNSKEY: holds the zone's public signing keys
- DS (Delegation Signer): holds a hash of the child zone's key-signing DNSKEY; it is published in the parent zone and links the two zones together
- NSEC and NSEC3: provide authenticated denial of existence, a signed proof that a name or record type does not exist (NSEC3 hashes the names so the zone cannot be trivially enumerated)
- CDNSKEY and CDS: let a child zone publish the DS record it wants its parent to install, so key rollovers can be automated between child and parent zones
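To make the NSEC item concrete, here is an added example (not code from the original article) that models authenticated denial of existence in stdlib Python: the canonical name ordering NSEC relies on, the check a validator makes that a queried name falls in the gap an NSEC record describes, the NODATA case where the name exists but the type does not, and the zone walk that NSEC permits and NSEC3 was designed to prevent. The example.com zone data is constructed for the example; the apex name, the record list and the function names are all assumptions of this illustration.

```python
"""
Authenticated denial of existence with NSEC, in stdlib Python (added example).
An NSEC record "owner NSEC next [types]" is a signed statement that no name
sorts between owner and next in the zone, and that owner has exactly the
listed record types. The zone below is constructed for this example.
"""


def canonical(name: str) -> list:
    """Canonical form per RFC 4034 section 6.1: labels lower-cased and ordered
    most significant (rightmost) first. Python list comparison on this form
    gives DNSSEC canonical ordering: a parent sorts before its children and
    labels compare as octet strings, shorter prefix first."""
    name = name.rstrip(".")
    if not name:
        return []
    return [label.lower().encode("ascii") for label in reversed(name.split("."))]


def in_zone(apex: str, qname: str) -> bool:
    """An NSEC proof is only meaningful for names at or below the zone apex."""
    a, q = canonical(apex), canonical(qname)
    return q[:len(a)] == a


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if this NSEC proves qname does not exist: qname must sort strictly
    between owner and next. The last NSEC in a zone points back to the apex,
    so its range wraps around the end of the zone."""
    o, n, q = canonical(owner), canonical(next_name), canonical(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around record at the end of the chain


def nsec_denies_type(record: tuple, qname: str, qtype: str) -> bool:
    """NODATA proof: the name exists (the NSEC owner is qname) but its type
    bitmap does not list the requested type."""
    owner, _next, types = record
    return canonical(owner) == canonical(qname) and qtype.upper() not in types


def prove_nonexistence(apex: str, zone_nsec: list, qname: str):
    """Return the NSEC record that proves qname is absent, or None when the name
    exists, lies outside the zone, or nothing covers it. A real validator also
    checks the RRSIG over the NSEC and that no wildcard (*.example.com) would
    have matched; both are omitted here."""
    if not in_zone(apex, qname):
        return None
    if any(canonical(owner) == canonical(qname) for owner, _, _ in zone_nsec):
        return None
    for record in zone_nsec:
        if nsec_covers(record[0], record[1], qname):
            return record
    return None


def walk_zone(apex: str, zone_nsec: list) -> list:
    """Enumerate every name in the zone by following the NSEC chain from the apex.
    This works against any NSEC-signed zone, which is why NSEC3 hashes the names."""
    next_of = {owner.lower().rstrip("."): nxt for owner, nxt, _ in zone_nsec}
    names, cur = [], apex.lower().rstrip(".")
    for _ in range(len(zone_nsec)):  # bounded: a broken chain cannot loop forever
        names.append(cur)
        cur = next_of[cur].lower().rstrip(".")
        if cur == names[0]:
            break
    return names


# Constructed example.com zone in canonical order; each NSEC names its successor.
APEX = "example.com"
ZONE_NSEC = [
    ("example.com",      "a.example.com",    ["NS", "SOA", "DNSKEY", "RRSIG", "NSEC"]),
    ("a.example.com",    "mail.example.com", ["A", "RRSIG", "NSEC"]),
    ("mail.example.com", "www.example.com",  ["A", "MX", "RRSIG", "NSEC"]),
    ("www.example.com",  "example.com",      ["A", "AAAA", "RRSIG", "NSEC"]),
]

if __name__ == "__main__":
    print("ftp.example.com absent, proved by:", prove_nonexistence(APEX, ZONE_NSEC, "ftp.example.com"))
    print("a.example.com has no AAAA:", nsec_denies_type(ZONE_NSEC[1], "a.example.com", "AAAA"))
    print("zone contents leaked by walking NSEC:", walk_zone(APEX, ZONE_NSEC))
```

The in_zone check matters: without it the wrap-around record at the end of the chain would appear to "cover" names in unrelated zones, and a validator that skipped it could be fed an NSEC from one zone to deny a name in another.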
All of these record types are queried the same way as a regular A or CNAME record; the difference is that they carry the keys and signatures that authenticate the rest of the zone. DNSSEC also involves two roles for keys:
- Zone-signing keys, or ZSKs: the private part signs the zone's ordinary record sets (A, MX, TXT and so on) and the public part is published as a DNSKEY record with flags 256
- Key-signing keys, or KSKs: the private part signs the DNSKEY record set itself, and a hash of the public part is what the parent zone publishes as the DS record (the DNSKEY has flags 257, meaning the Secure Entry Point bit is set)
The split is a convention rather than a protocol requirement: it lets the ZSK be rolled frequently without touching the parent's DS record, while the KSK changes rarely. Each key pair belongs to a zone, not to a nameserver; every authoritative server for the zone serves the same signed data, and the private keys stay with whatever signs the zone. Clients never sign their queries. Instead, the zone's records are signed ahead of time with the private key and any resolver can verify them with the public key. A third party that alters a record in transit cannot produce a valid signature because it lacks the private key, so the validating resolver rejects the answer (returning SERVFAIL to the client instead of the forged data). Two caveats follow from this design. First, DNSSEC involves no encryption, so it can't provide confidentiality: queries and answers remain visible on the wire, and it only authenticates the origin and integrity of the data. Second, validation normally happens in the recursive resolver rather than on the user's machine, so the hop between the client and its resolver is unprotected unless the client validates locally or that hop is secured separately.
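The DS link is the piece of the chain of trust that is easiest to get wrong at the registrar, so here is an added example (not code from the original article) that builds it from scratch in stdlib Python: the DNSKEY and DS wire formats and the key tag from RFC 4034, the digest the parent publishes, and the check a validator performs before it trusts a child zone's KSK. The key material is placeholder bytes constructed for the example, not real RSA keys, and the example.com zone and function names are assumptions of this illustration; verification of the RRSIG records themselves needs a crypto library and is not shown. The real root trust anchor that validating resolvers ship with is the root KSK with key tag 20326, and it is checked in exactly this way.

```python
"""
The DS link in the DNSSEC chain of trust, in stdlib Python (added example).
A parent zone publishes DS = (key tag, algorithm, digest type, hash of the
child's KSK DNSKEY). A validator accepts a child DNSKEY only if one of the
parent's DS records matches it. Formats follow RFC 4034. All key bytes below
are constructed placeholders, not real keys.
"""
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels,
    terminated by the empty root label. "." becomes the single byte 0x00."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (256 = ZSK, 257 = KSK with the SEP bit), protocol (always 3),
    algorithm number (8 = RSA/SHA-256, 13 = ECDSA P-256), then the public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the RDATA that DS and RRSIG records
    use to say which DNSKEY they refer to. It is a selector, not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS fields the parent publishes for this child DNSKEY. The digest covers
    the owner name too, so the same key copied into another zone does not match."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validator-side check: key tag, algorithm and digest must all agree."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS or key_tag(rdata) != tag or rdata[3] != algorithm:
        return False
    return make_ds(owner, rdata, digest_type)[3] == digest.upper()


def validate_delegation(owner: str, dnskey_rrset: list, parent_ds: list) -> list:
    """Return the child's DNSKEYs that some parent DS vouches for. A full validator
    then uses these keys to verify the RRSIG over the DNSKEY RRset, which in turn
    authenticates the ZSK that signs the ordinary records."""
    return [k for k in dnskey_rrset if any(ds_matches(owner, k, ds) for ds in parent_ds)]


def tamper(rdata: bytes) -> bytes:
    """Swap two public-key bytes at same-parity positions: the 16-bit key tag is
    unchanged, so only the digest comparison catches the substitution."""
    b = bytearray(rdata)
    b[-1], b[-3] = b[-3], b[-1]
    return bytes(b)


# Constructed example.com key material: RSA-style exponent header plus placeholder bytes.
KSK_PUBKEY = b"\x03\x01\x00\x01" + bytes(range(32))
ZSK_PUBKEY = b"\x03\x01\x00\x01" + bytes(range(32, 64))
CHILD_KSK = dnskey_rdata(257, 3, 8, KSK_PUBKEY)
CHILD_ZSK = dnskey_rdata(256, 3, 8, ZSK_PUBKEY)
# The DS that example.com's operator submits through the registrar for the com zone.
PARENT_DS = make_ds("example.com", CHILD_KSK)

if __name__ == "__main__":
    print("DS for example.com:", PARENT_DS)
    trusted = validate_delegation("example.com", [CHILD_ZSK, CHILD_KSK], [PARENT_DS])
    print("keys vouched for by the parent:", [key_tag(k) for k in trusted])
    print("after key substitution:", validate_delegation("example.com", [CHILD_ZSK, tamper(CHILD_KSK)], [PARENT_DS]))
```

Only the KSK is vouched for by the parent; the ZSK is trusted indirectly through the KSK's signature over the DNSKEY set. The key tag is a plain sum, so distinct keys can share one; that is why ds_matches treats it only as a selector and relies on the digest, which the tamper() case exercises.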
Pros of enabling DNSSEC
- Added protection against MITM attacks, DNS spoofing, cache poisoning and similar redirection attacks
- Increased trust in online activities such as ecommerce and VoIP, where a silently redirected lookup would send users or calls to an attacker
Cons of enabling DNSSEC
- Added complexity on both sides: the zone operator must generate keys, sign the zone, roll keys on schedule and keep the parent's DS record in sync, while validating resolvers need accurate clocks because signatures carry validity windows. A mistake here, such as letting signatures expire or changing DNS providers without updating the DS record, makes the domain unresolvable for every validating resolver
- Uneven tooling support: whether you can publish a DS record, and how, depends on your registrar and DNS hosting provider
- Additional cost if you move from running your own DNS to a managed DNS provider in order to reduce that complexity
Summary
Unlike HTTPS, which actually encrypts web traffic, DNSSEC encrypts nothing; it lets validating resolvers detect forged or altered DNS data and discard it.
DNSSEC deployment is still growing. The root zone and most top-level domains are signed, so the infrastructure is in place, but signing of individual domains and validation by resolvers are far from universal, and registrar and DNS provider support is uneven. As it stands, many operators still judge that the cost-benefit ratio does not favor DNSSEC for their domains, because of the operational complexity, the risk of self-inflicted outages from signing mistakes, and the gaps in client and server tooling.
However, as security concerns continue to plague the Internet, the adoption rate of DNSSEC will likely keep growing. While DNSSEC doesn't address all of our internet security woes, full deployment makes the lookup process safer for everyone.