DNSSEC: Advanced DNS Solution

DNSSEC: Domain Name System Security Extensions


DNSSEC is a protocol standardised by the IETF that addresses certain security issues related to the DNS protocol. The specifications are published in RFC 4033 and subsequent documents.


Why DNSSEC?

The Domain Name System (DNS) is a service that establishes a correspondence between an IP address and a domain name to exchange data and retrieve information. It acts like a directory for the Web: it tells computers where to find the information corresponding to a website and a domain name.

Unfortunately, it accepts all information associated with a domain name without any verification, and therefore accepts any internet address or IP address given to it without question. This is one of the main vulnerabilities of the DNS system: it does not verify credentials before accepting a response. The information it receives can come from any server; the DNS system cannot verify it and will accept all responses. This is precisely the flaw exploited by DNS attacks of the "man in the middle" type.

This is where the DNSSEC protocol comes in: it adds a layer of trust to the DNS system by validating its authenticity and integrity. DNSSEC ensures that resolvers have indeed retrieved data from a trusted authoritative server that has been authenticated, and that the data is intact (not modified) from the source, by verifying DNS records.


How does DNSSEC work?

DNSSEC secures the DNS system by adding cryptographic signatures to the existing DNS records in a zone. These digital signatures are stored on the name servers (NS) alongside common DNS records such as A, AAAA, MX, CNAME, TXT, etc. By verifying the signature associated with a record, a resolver can confirm that the requested DNS record indeed comes from its authoritative name server (NS) and has not been altered en route, unlike a fake record injected in a man-in-the-middle attack.

DNSSEC verifies end-to-end that authentication signatures are valid and have been generated with the keys of legitimate servers (keys themselves signed and authenticated). This system thus creates a chain of trust at every step of domain name resolution. If the signatures do not match, DNSSEC can notify of the discrepancy and prevent the resolution process, thus avoiding the domain name being routed to incorrect servers and ensuring that the returned information is authentic.

This verification is done in two steps:

1/ Was the information retrieved from the correct place and server?

2/ Is the information intact and unmodified in transit?


To facilitate signature validation, DNSSEC adds several new types of DNS records:

  • RRSIG: contains a cryptographic signature (RRset Signature), valid for a set of DNS records with the same name and type
  • DNSKEY (DNSSEC public key): contains a public signing key that resolvers use to verify the DNSSEC signatures in RRSIG records
  • DS (Delegation Signer): contains the hash of a DNSKEY record; it is published in the parent zone and transfers trust from the parent zone to the child zone
  • NSEC and NSEC3: provide authenticated proof that a DNS record does not exist
  • CDNSKEY and CDS: published by a child zone to request an update of one or more DS records in the parent zone


RRset
The first step in securing a zone with DNSSEC is to group all records of the same type and name into a resource record set (RRset). For example, if three A records in your zone share the same label (e.g., label.example.com), they are grouped into a single A RRset. It is this complete RRset that is digitally signed, not the individual records.

You will thus have one RRset per type of record present in your zone for a given label. This means that all records of the same type present in a zone and bearing the same label are requested and validated together.
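As an added illustration (example code written for this page, not part of the original article or the registrar's software), the following Python script groups a small constructed zone into RRsets and builds the canonical byte form of each RRset that a signer covers with an RRSIG, following RFC 4034 section 6: the owner name is lowercased and the RRs are sorted by their RDATA before the whole set is hashed. The zone contents, the helper names and the restriction to A, AAAA and MX records are assumptions made for the example.

```python
# Added example (not part of the original article): group DNS records into
# RRsets and build the canonical form that DNSSEC signs (RFC 4034 section 6).
# The zone below is constructed for illustration only.
from collections import defaultdict
import ipaddress

TYPE_CODES = {"A": 1, "AAAA": 28, "MX": 15}   # RR type numbers used on the wire
CLASS_IN = 1

# Constructed sample zone: (owner, ttl, type, rdata in presentation format)
SAMPLE_ZONE = [
    ("www.example.com.", 3600, "A", "10.0.0.2"),
    ("www.example.com.", 3600, "A", "10.0.0.1"),
    ("www.example.com.", 3600, "AAAA", "2001:db8::1"),
    ("example.com.", 3600, "MX", "10 mail.example.com."),
    ("Example.COM.", 3600, "A", "10.0.0.9"),  # mixed case: same owner as example.com.
]

def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase labels, length-prefixed, root terminator."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rdata_to_wire(rtype, text):
    """Wire form of the RDATA for the record types used in this example."""
    if rtype == "A":
        return ipaddress.IPv4Address(text).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(text).packed
    if rtype == "MX":
        preference, exchange = text.split()
        return int(preference).to_bytes(2, "big") + name_to_wire(exchange)
    raise ValueError(f"unsupported type {rtype}")

def group_rrsets(zone):
    """One RRset per (canonical owner name, type); this is the unit DNSSEC signs."""
    rrsets = defaultdict(list)
    for owner, ttl, rtype, rdata in zone:
        rrsets[(owner.lower(), rtype)].append((ttl, rdata_to_wire(rtype, rdata)))
    return dict(rrsets)

def canonical_rrset(owner, rtype, rrs):
    """Canonical form of one RRset: RRs sorted by RDATA, each serialised as
    owner | type | class | TTL | RDLENGTH | RDATA. A signer hashes this whole
    byte string (prefixed by the RRSIG fields), never a single record."""
    ttls = {ttl for ttl, _ in rrs}
    if len(ttls) != 1:
        raise ValueError("all RRs in an RRset must share one TTL")
    ttl = ttls.pop()
    out = b""
    for rdata in sorted(r for _, r in rrs):
        out += (name_to_wire(owner)
                + TYPE_CODES[rtype].to_bytes(2, "big")
                + CLASS_IN.to_bytes(2, "big")
                + ttl.to_bytes(4, "big")
                + len(rdata).to_bytes(2, "big")
                + rdata)
    return out

def signing_input_for_zone(zone):
    """Map every (owner, type) pair in the zone to the canonical bytes a signer covers."""
    return {key: canonical_rrset(key[0], key[1], rrs)
            for key, rrs in group_rrsets(zone).items()}

if __name__ == "__main__":
    for (owner, rtype), data in signing_input_for_zone(SAMPLE_ZONE).items():
        print(f"{owner} {rtype}: {len(data)} canonical bytes")
```

Note that the mixed-case "Example.COM." record lands in the same RRset as "example.com." because owner names are compared case-insensitively, and that the two www A records are ordered by their binary RDATA (10.0.0.1 before 10.0.0.2) regardless of the order in the zone file; a resolver that received only one of them could not validate the RRSIG.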


Summary DNSSEC

In summary, DNSSEC adds an additional security layer by enabling authenticated DNS responses. To do this, the DNSSEC protocol signs DNS responses so that alterations or forgeries can be detected and blocked.

IMPORTANT:

  • DNSSEC is not supported or activatable on all extensions/TLDs; some registries/TLDs are not compatible (see ICANN - List of TLDs supporting DNSSEC).

  • Certain types of DNS records are not supported in DNSSEC-signed zones. For example, APEX ALIAS records are not supported in DNSSEC-signed zones, and in the worst case their use will break the DNSSEC validation of the zone.

  • We always recommend waiting at least 48 hours after disabling DNSSEC before enabling it again. Some DNS caches may still hold the old DNS keys even after their TTL has expired.


How to enable DNSSEC

In order to enable DNSSEC for your domain name registered and technically managed (DNS) with our services:

Log in to your account, access your domain portfolio and select the domain(s) for which you want to activate DNSSEC, then click on DNSSEC > "⊕ Activate DNSSEC".

That’s it! DNSSEC is installed on the zone of the domain concerned and a DS record is set up with the registry.

More information: How to activate/deactivate DNSSEC


If you want to enable DNSSEC for a domain name registered with our services but with external DNS management, please contact our Customer Care Department directly at support@brandshelter.com, or alternatively your account manager if you have one.


What is a DS record?

A Delegation Signer (DS) record is published in the parent zone (the registry) and identifies the key of a signed child zone: it carries the key tag, the signing algorithm, the digest type and a hash of the child's DNSKEY. Activating DNSSEC for your domain name requires this information to complete the configuration of your signed domain name.

The information included in a DS record varies depending on the domain name extension.
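The script below is an added example (written for this page, not the registrar's own code, and not affiliated with the filippo.io tool listed further down) showing how a DS record is derived from a DNSKEY and how a validator checks that the DS published in the parent matches the child's key, as specified in RFC 4034 section 5 (DS digest over the canonical owner name followed by the DNSKEY RDATA) and appendix B (key tag). The DNSKEY used is a constructed two-byte placeholder, not a real key; the function and variable names are assumptions made for the example.

```python
# Added example (not the registrar's own code): derive a DS record from a
# DNSKEY and check that a DS published in the parent zone matches the child's
# key, following RFC 4034 section 5 (DS) and appendix B (key tag).
# The DNSKEY below is a constructed two-byte placeholder, not a real key.
import base64
import hashlib

# DS digest types registered by IANA; SHA-1 (type 1) is kept only to read legacy records
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase labels, length-prefixed, root terminator."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire-format RDATA of a DNSKEY: flags (2 bytes), protocol, algorithm, raw key bytes."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(public_key_b64))

def key_tag(rdata):
    """RFC 4034 appendix B: 16-bit tag a validator uses to pick the right DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Return the DS RDATA fields (key tag, algorithm, digest type, hex digest).
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = hashlib.new(DIGEST_ALGS[digest_type], name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()

def parse_dnskey_line(line):
    """Parse a DNSKEY in presentation format, e.g.
    'example.com. 3600 IN DNSKEY 257 3 8 AQI=' (the base64 may be split by spaces)."""
    parts = line.split()
    idx = parts.index("DNSKEY")
    owner = parts[0]
    flags, protocol, algorithm = (int(x) for x in parts[idx + 1:idx + 4])
    key_b64 = "".join(parts[idx + 4:])
    return owner, flags, protocol, algorithm, key_b64

def ds_matches_dnskey(ds, dnskey_line):
    """The chain-of-trust check a validator performs at a delegation: does the
    parent's DS (tag, algorithm, digest type, digest) match this child DNSKEY?
    A DS normally points at a key with the SEP flag set (flags 257)."""
    owner, flags, protocol, algorithm, key_b64 = parse_dnskey_line(dnskey_line)
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: this DS cannot be used to validate
    computed = ds_from_dnskey(owner, flags, protocol, algorithm, key_b64, dtype)
    return computed[:3] == (tag, alg, dtype) and computed[3] == digest.upper()

if __name__ == "__main__":
    ksk = "example.com. 3600 IN DNSKEY 257 3 8 AQI="   # constructed placeholder key
    print("DS:", ds_from_dnskey(*parse_dnskey_line(ksk)))
```

Any change to the key material, the flags or the algorithm field changes both the key tag and the digest, so a DS that was computed before a key rollover no longer matches the new DNSKEY; this is why the DS in the parent must be updated (or both old and new DS kept) when the key-signing key changes, and why the registrar publishes the DS on your behalf when DNSSEC is activated.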


Help & Deployment

More info on DNSSEC: www.dnssec.net

• ICANN - List of TLDs supporting DNSSEC
• DNSSEC signature expirations (RRSIG Validity)
• AFNIC - Deploying DNSSEC: how, what, where?
• ICANN - DNSSEC - What Is It and Why Is It Important? (English version): https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en
• ICANN - DNSSEC Deployment: https://dnssec-deployment.icann.org/en/dnssec/
• Internet Society - DNSSEC Basics, Introduction and Deployment (with animation)
• Internet Society - How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars
• Internet Society - Step-By-Step: How To Use a DNSSEC DS Record to Link a Registrar To A DNS Hosting Provider
• Verisign DNSSEC Resource Center - verisign.com/dnssec


Tools & Tests

Test if you are protected by DNSSEC signature validation. An initiative by the Internet community and the Dutch government: https://en.conn.internet.nl/connection/

DNSSEC Analyzer & Debugger - Verisign Labs: https://dnssec-analyzer.verisignlabs.com/ & https://dnssec-debugger.verisignlabs.com/

Internet Society - Testing: DNSSEC Analyzer: Help for using Verisign Labs’ tool

DNSViz - DNSViz is a tool to visualise the state of a DNS zone. It was designed as a resource for understanding and troubleshooting DNSSEC deployment. It provides a visual analysis of the DNSSEC authentication chain of a domain name and its resolution path in the DNS namespace, and lists the configuration errors it detects. Watch this webinar to learn more about DNSViz and how to use it.

Zonemaster: Give your domain name a complete checkup! Zonemaster helps you assess how your domain name is doing, and performs many tests, such as checking DNSSEC signatures, or that different hosts can be accessed and that IP addresses are valid.

Confirm DS record from DNSKEY: https://filippo.io/dnskey-to-ds/