What is DNSSEC?

Featured article by True Tamplin, Independent Technology Author

Internet security is, to put it lightly, a really big deal. Sometimes the problem with internet security isn’t clever hackers finding ways around complex systems—sometimes the systems are just innately vulnerable. Why and where this is the case is best understood by recognizing that, when the internet was being formed in the 1980’s, it was new, its potential was wholly unknown, and it was mostly only of interest to governments, militaries, and a small few technology enthusiasts and scientists at technical universities. Nowadays, however, the internet has become extremely public and extremely common, and, whether they realize it or not, many people attach a huge part of their lives to it. As the internet evolved, the protocols securing it were slow to adapt to the changes occuring. As a result, some of the systems the internet uses, many of which are still widely used today, are easy to exploit by hackers. To fortify these weak areas, certain protocols can be put into place to modify the vulnerable systems and make them more secure. This is precisely what DNSSEC, or Domain Name System Security Extensions, does. You can enable DNSSEC, for example, through your domain registrar. Sites like 101domain offer DNSSEC as part of their advanced security & tools. In other cases, enabling it is as simple as messing with a few lines of code. But what exactly is DNSSEC? This article will break it down for you

What is DNS?

To understand how DNSSEC works, it is helpful to first understand how the domain name system, or DNS, works. DNS is a system that allows for a website’s IP address to be interacted with as a domain name on the human side of web browsing. For example, with DNS, when you enter a domain name like wikipedia.org into your search engine, the DNS uses various tools to translate that domain into an IP address, search for the website that has the correct IP address, and direct you to that site. Imagine, for a moment, if every time you wanted to visit a website you had to remember that the IP address for wikipedia was 11:111:11:111, and that the IP for gmail.com was 22:222:22:222, and so on. In short, DNS massively simplifies the process of browsing the internet.

The tools used in DNS queries are pretty simple. When you enter a domain name into a web browser, it uses a stub resolver, which is part of your device’s operating system, to first translate the domain into an IP address. The request for that IP is then sent to a recursive resolver, which is typically hosted by a network provider. The recursive resolver tracks down the IP the stub asked for and returns it to the device.

DNS has a problem, however. It was designed in the 1980’s, when security was not a serious concern for people surfing the internet. Therefore, when your device sends out a query looking for an IP address, it has no way of verifying for sure that the response it gets from a DNS server is genuine. It is possible for a hacker to fake, or “spoof” an IP address, and if the recursive resolver receives the fake address, because it looks like it received the response it was looking for, it will return the fake address to the user, directing them to a fraudulent website created by the hacker.

The problem with this should be pretty clear, but an example may make it even more vivid. ICANN (the Internet Corporation for Assigned Names and NUmbers) gives a good and somewhat terrifying one on their article about DNS:

“This fraudulent website impersonates [a] bank website and looks just the same. The unknowing user would enter their name and password, as usual. Unfortunately, the user has inadvertently providing [sic] their banking credentials to the attacker, who could then log in as that user at the legitimate bank web site to transfer funds or take other unauthorized actions.”

What is DNSSEC?

DNSSEC is a system that provides a way for a recursive resolver to verify the legitimacy of an IP address. Essentially, it works by asking the recursive resolver to look for a “signature” on a returned IP which verifies the authenticity of the data. Every DNS “zone” (to use the technical term) using this system has a public key and a private key that it uses to cryptographically sign their data. The private key is used to produce the signature, and then the resolver uses the public key and the signature to verify that data it receives. Because the signature and key are public, however, they would still be able to be retrieved by a hacker, so the layers of security don’t stop there. While the data is signed by the DNS zone’s private key, the public key is signed by the “parent zone’s” private key. The public key for this zone is then signed by the next zone up until it reaches the “root zone.” To give an illustration, the wikipedia.org zone’s public key is signed by the org zone’s key, and so on.

The root zone, therefore, is the starting point for DNS security: if the resolver can trust the root zone’s key, then it can trust all of the key’s signed under that key.

Getting DNSSEC Through Your Domain Registrar

So how do you get DNSSEC for your website? Like we suggested earlier, you can typically enable DNSSEC through your domain registrar, but it isn’t always automatic. Particularly when dealing with a registrar, you will most likely have to communicate, through them, the public key material for the DNS zone to the zone’s parent. In most cases, however, it is still extremely simple and requires no technical knowhow whatsoever. Many registrars even allow you to enable DNSSEC when you register a domain with them. If you are looking to register a domain name for your new website, strongly consider enabling DNSSEC.

True Tamplin is a technology specialist, author, and public speaker. He writes on a broad range of technical topics including search engine optimization, cybersecurity, and technology relating to the internet.