DNSSEC adds a layer of security by making sure that the end user is connecting to the real, legitimate website or some other service associated with the given web address.
This is done by validating DNS responses through the use of digital signatures during each stage of the query process.
Related help topics
-
What is DNSSEC?
Domain Name Security Extensions (DNSSEC) is an advanced DNS feature that adds an extra layer of security to your domains by attaching digital signature (DS) records to their DNS information.
DNSSEC protects internet users and applications from forged domain name system (DNS) data by using public key cryptography to digitally sign authoritative zone data when it enters the DNS and then validate it at its destination.
Note: The DNSSEC feature requires changes to your DNS configuration, which might render your domain name non-functional.
-
Should I use DNSSEC?
While there is no absolute reason you shouldn't use DNSSEC, there are some things to consider.
DNSSEC adds more data to DNS responses, which can reduce site performance; it also makes DNS more fragile, which increases the chance of failure. Enabling DNSSEC can be a valuable decision for those who have important data to protect, and the potential risks are minimal.
If you are not a regular target of malicious activity and you do not collect sensitive data, you do not need DNSSEC.
-
How to activate DNSSEC
This functionality is mainly for domains registered with us.
In case your domain is not registered with us, your DS record data will be available here instead.
The DNS zone will be signed with a 2048-bit Key Signing Key (KSK) and a 1024-bit Zone Signing Key (ZSK).
To activate DNSSEC for your domain, follow these steps:
1. Select the domain that you want to enable DNSSEC for from the Hostname menu.
2. Choose the DNSSEC encryption algorithm. It identifies the public key’s cryptographic algorithm and determines the format of the Public Key field.
While we recommend Algorithm 8: RSA/SHA-256, you can find more details about the rest here:
https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
3. The next step is the key-signing key (KSK) DS Record. The role of the key-signing key (KSK) is to validate the ZSK and provide a means of ensuring trust through the entire DNSSEC system.
- Keytag: The keytag is a number used to quickly identify this DS record. It is generated by your DNSSEC zone signing tools. Valid format is a number between 1 and 65535.
- Digest Type: Identifies the algorithm used to construct the digest.
- Digest: The DS record refers to a DNSKEY resource record by including a digest of that DNSKEY resource record.
Once ready, click Add DNSSEC to enable it.
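The three DS fields above are derived from the KSK's DNSKEY record. The following added example (not the registrar's own tooling) recomputes the key tag and digest as defined in RFC 4034 so the values can be checked before they are entered in the form; the sample key bytes are a constructed placeholder, not a real RSA key.

```python
"""Compute and verify the DS record for a DNSSEC key-signing key (RFC 4034)."""
import base64
import hashlib

# Digest types from the IANA DS digest-type registry (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical wire format of an owner name: lowercase labels, each
    prefixed by its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except legacy RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(name: str, flags: int, algorithm: int, pubkey_b64: str, digest_type: int = 2):
    """Return (keytag, algorithm, digest_type, digest_hex) for a DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](wire_name(name) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(name, flags, algorithm, pubkey_b64, keytag, digest_type, digest_hex) -> bool:
    """Check that DS values (as typed into the registrar form) match the KSK in the zone."""
    expected = ds_record(name, flags, algorithm, pubkey_b64, digest_type)
    return expected == (keytag, algorithm, digest_type, digest_hex.replace(" ", "").upper())


if __name__ == "__main__":
    # Constructed sample KSK: flags 257 = zone key + SEP, algorithm 8 (RSA/SHA-256).
    # The key bytes are a placeholder, so only the record arithmetic is demonstrated.
    sample_key = base64.b64encode(b"\x01\x02\x03\x04").decode()
    print(ds_record("Example.COM.", 257, 8, sample_key))
```

A mismatch between the DS published at the parent and the KSK in the zone breaks the chain of trust, so validating resolvers will return SERVFAIL for the whole domain.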
-
What does DNSSEC protect against?
DNSSEC is not a solution for all cyber security threats. It is designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning.
Currently, a DNS resolver sends a query out to the Internet and then accepts the first response it receives, without question. If a malicious system were to send back an incorrect response, the resolver would use this address until its cache expired. This is bad enough if a single user's computer gets the bad data; it is much worse if the victim is another name server that answers queries for an ISP, affecting thousands of users.
-
How does DNSSEC protect against this attack?
DNSSEC, when deployed and utilized, ensures that the answer you receive came from a trusted name server: public key cryptography is used to digitally sign DNS data when it enters the system, and the signature is validated at its destination.
In practice, this comes into effect when a registrant registers a domain name with a registrar that supports DNSSEC; the registrant is then able to have the domain name secured via DNSSEC.
By sending additional information to their registrar, domain name holders can "sign" a domain name. By checking the digital signature, a DNS resolver is able to verify that the information it received is identical (correct and complete) to the information on the authoritative DNS server.
-
Where can I find more information about DNSSEC?
For DNSSEC information specific to the root zone, see http://www.root-dnssec.org.
For DNSSEC technical information broader than the root, the dnssec.net (http://www.dnssec.net) and dnssec-deployment.org (http://www.dnssec-deployment.org) web sites are both excellent resources to learn more about DNSSEC.
You may also visit the .ORG Advantage section of our website to see our DNSSEC Information Data Sheet: http://pir.org/index.php?db=content/Website&tbl=ORG_Advantage&id=2.1