Domain Name System Security Extensions (DNSSEC) add digital signatures to a domain name's DNS (Domain Name System) to determine the authenticity of the source domain name.
DNSSEC is a set of extensions to DNS that provides:
DNSSEC addresses an identified security risk and helps prevent malicious activities like cache poisoning, pharming, and man-in-the-middle attacks. It uses a digital signature to create a chain of authority. Then, it uses the chain to verify that the source domain name, which the DNS resolver returns, matches the DNS record stored at the authoritative DNS. If it cannot validate the source, it discards the response.
We currently offer two types of DNSSEC: self-managed and fully managed. The criteria differ depending on which type you want to use.
To Use Self-Managed DNSSEC Services:
To Use Fully Managed DNSSEC Services:
DNSSEC adds a digital signature to each piece of a domain name's DNS information. When a visitor enters the domain name's URL in a browser, the resolver (the conversion from the people-friendly domain name URL to the numeric address used by the Internet) verifies the digital signature. The digital signature must match the value on file at the registry, or the resolver discards the response.
Here's another way to look at it: Website A has information that Visitor B wants. The messenger, i.e., the resolver, receives the information from Website A but delivers it to Visitor B only if Website A can identify itself properly. To authenticate Website A, the messenger matches Website A's fingerprints against fingerprints on file for it at the registry.
DNSSEC's digital signature ensures that you're communicating with the Website or Internet location you intended to visit.
Remember that the digital signature you store in a DS (Delegation of Signing) record through the Domain Manager must match the digital signature that your domain name's nameservers produce. If it does not, by DNSSEC (Domain Name System Security Exentions) rules, the domain name cannot resolve to your website. Carefully review the DS record information you entered against the zone record stored on the nameserver and make sure they match.
See Manage DNSSEC for my domain for more information on viewing and updating your DS information.
To enable DNSSEC you must digitally create private and public keys and generate a Declaration of Signing record during the domain name signing process.
There are a number of resources on the Internet for those familiar with DNS. Refer to your nameserver documentation for more details.
Prerequisites for the Zone Signing Process:
The General Zone Signing Process
Specifics for this process are determined by your DNSSEC-aware nameservers and the domain name's registry.
See Manage DNSSEC for my domain for information on enabling and managing DNSSEC for your domain name through the Domain Manager.
Browsers are not currently set up to identify DNSSEC. They don't give you visual feedback for DNSSEC-secured Websites like they do when a Website is secured by an SSL — that is, the padlock icon.
If there's a verification problem with a DNSSEC-aware URL, however, you receive a message indicating that the Website does not exist — a 404 Not Found error.
DNSSEC (Domain Name System Security Extensions) is designed to protect Internet users from forged DNS data, such as a misleading or malicious address instead of the legitimate address that was requested. Here's the difference between DNSSEC-aware and non-aware lookups.
With these DNS lookups, your URL request goes to the Internet and accepts the first response it receives. If a malicious Internet player intercepts the request and sends back an incorrect response, the response you receive takes you to an unintended Internet Website where your personal information can be compromised.
Now imagine if that malicious address information is stored by Internet resolvers, ISPs for example, and then used by thousands of individual requests. Without DNSSEC, it's possible for an Internet resolver like an ISP to receive this malicious information and store it in their cache. Anyone using the ISP's cache gets the malicious address information until the cache is refreshed.
These DNS lookups go first to the domain name's registry and get a copy of the digital signature being used by the URL. The address response must also include a matching digital signature. If it doesn't, your browser can't display the Website. This way, you can't be redirected to a bogus location that you didn't request.
Implementing DNSSEC across the Internet is a bit like world peace: Everyone realizes that it's a great idea, but implementation requires effort, consensus, and expenses (often significan't) world-wide.
The Internet-wide implementation is moving steadily forward, one domain name extension and its registry at a time. As each extension becomes DNSSEC-aware, we'll be there to support the effort for domain names registered through us.
While every domain name can benefit from the security of DNSSEC (Domain Name System Security Extensions), Websites that accept personal, financial, or medical information plus any Websites at high risk for malicious activity should consider enabling DNSSEC.