Domain Name System Security Extensions (DNSSEC)
The Domain Name System Security Extensions (DNSSEC) is a set of Internet Engineering Task Force (IETF) specifications that protects information provided by the Domain Name System (DNS).
It accomplishes this by adding cryptographic authentication to responses received from authoritative DNS servers. In this way, it protects users against attackers who want to redirect them to rogue websites and servers, which could ultimately result in the loss of personal information.
What is DNSSEC Used For?
By design, DNSSEC secures DNS data by providing cryptographic verification. It does this through the use of digital signatures, which are used to validate the DNS records delivered in a response from a DNS server.
Like Transport Layer Security (TLS) and other security protocols, it relies on public key cryptography. Here, each authoritative name server has a public key and a private key which are cryptographically linked to each other.
The private key is used to sign DNS records, and the resulting signature is itself stored in the zone as a DNS record alongside the data it covers. The public key used to validate the signature is also published in the zone as a DNS record.
This means that during a DNS lookup the public key is retrieved and then used to validate the authenticity of the DNS data by confirming that the digital signature is valid. If the signature is not valid, the data is discarded and the user receives an error instead of the unverified answer.
In other words, DNSSEC enhances DNS with two notable features. The first is data origin authentication, which allows a DNS resolver to verify that the data actually came from the zone that is authoritative for it. The second is data integrity protection, which lets the DNS resolver confirm that the data has not been modified in transit.
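The sign-then-validate flow described above, shown as an added example rather than code from the original article. It is a deliberately simplified model in Go: the record and signature structs, the canonical text form of the record set, the field layout of the signed bytes and the constructed `www.example.test.` data are all assumptions made for illustration, not the DNSSEC wire format or any resolver's implementation. What it does mirror faithfully is the division of labour: the zone owner signs a whole record set (RRset) with the private key and publishes the signature and public key as records; the resolver, holding only the public key, rejects any answer whose data no longer matches the signature or whose signature has expired.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RR is a simplified resource record (constructed model, not a wire-format parser).
type RR struct {
	Name string
	Type string
	TTL  uint32
	Data string
}

// RRSIG models the fields of a DNSSEC signature record that a validator needs.
// Algorithm 15 is Ed25519 in the real DNSSEC algorithm registry; the field layout here is simplified.
type RRSIG struct {
	TypeCovered string
	Algorithm   uint8
	OrigTTL     uint32
	Expiration  int64
	Inception   int64
	SignerName  string
	Signature   []byte
}

// canonicalRRset puts the RRset into one canonical byte form so that signer and
// validator hash identical bytes regardless of record order or name casing.
func canonicalRRset(rrs []RR) ([]byte, error) {
	if len(rrs) == 0 {
		return nil, errors.New("empty RRset")
	}
	name, typ, ttl := strings.ToLower(rrs[0].Name), rrs[0].Type, rrs[0].TTL
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		if strings.ToLower(rr.Name) != name || rr.Type != typ {
			return nil, errors.New("all records in an RRset must share owner name and type")
		}
		lines = append(lines, fmt.Sprintf("%s\t%d\t%s\t%s", name, ttl, typ, rr.Data))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n")), nil
}

// signedData builds the bytes that are actually signed: the RRSIG header fields
// followed by the canonical RRset, so the validity window is covered by the signature too.
func signedData(sig RRSIG, rrs []RR) ([]byte, error) {
	rrset, err := canonicalRRset(rrs)
	if err != nil {
		return nil, err
	}
	hdr := fmt.Sprintf("%s|%d|%d|%d|%d|%s\n", sig.TypeCovered, sig.Algorithm, sig.OrigTTL,
		sig.Expiration, sig.Inception, strings.ToLower(sig.SignerName))
	return append([]byte(hdr), rrset...), nil
}

// SignRRset is the zone owner's step; the private key never leaves the signer.
func SignRRset(priv ed25519.PrivateKey, signer string, rrs []RR, now time.Time, validity time.Duration) (RRSIG, error) {
	if len(rrs) == 0 {
		return RRSIG{}, errors.New("empty RRset")
	}
	sig := RRSIG{TypeCovered: rrs[0].Type, Algorithm: 15, OrigTTL: rrs[0].TTL,
		Expiration: now.Add(validity).Unix(), Inception: now.Unix(), SignerName: signer}
	data, err := signedData(sig, rrs)
	if err != nil {
		return RRSIG{}, err
	}
	sig.Signature = ed25519.Sign(priv, data)
	return sig, nil
}

// ValidateRRset is the resolver's step, using only the published public key.
// A nil return means the RRset is authentic and unmodified; any error means "bogus".
func ValidateRRset(pub ed25519.PublicKey, sig RRSIG, rrs []RR, now time.Time) error {
	if sig.Algorithm != 15 {
		return errors.New("unsupported signature algorithm")
	}
	if now.Unix() < sig.Inception || now.Unix() > sig.Expiration {
		return errors.New("RRSIG outside its validity window")
	}
	data, err := signedData(sig, rrs)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, data, sig.Signature) {
		return errors.New("signature does not verify: data was altered or signed by another key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // zone key pair (constructed for the demo)
	rrs := []RR{{"www.example.test.", "A", 300, "192.0.2.1"}, {"www.example.test.", "A", 300, "192.0.2.2"}}
	now := time.Now()
	sig, _ := SignRRset(priv, "example.test.", rrs, now, 14*24*time.Hour)
	fmt.Println("original:", ValidateRRset(pub, sig, rrs, now))
	tampered := []RR{{"www.example.test.", "A", 300, "198.51.100.9"}, rrs[1]}
	fmt.Println("tampered:", ValidateRRset(pub, sig, tampered, now))
}
```

The resolver side accepts the records in any order but rejects a single changed address, a response signed with a different key, or a signature replayed after its expiration time; those are exactly the three failure modes the origin-authentication and integrity properties are meant to catch.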
Why is DNSSEC Important?
Securing the DNS is crucial for securing the Internet as a whole, and DNSSEC plays a vital role in this. Unfortunately, it does not solve every DNS security problem. For one, to be truly effective it must be deployed and enforced everywhere, across all DNS zones.
Likewise, although it protects the DNS data itself, it offers no protection for the so-called last mile, the transmission between the DNS resolver and the user of that resolver. This is, for instance, the case where a user accesses the Internet through an older router that does not support DNSSEC.