Domain Name System Security Extensions (DNSSEC) present new opportunities for registrars, ISPs and hosters. By implementing DNESSEC, you can establish yourself as a security-conscious company and offer a safer Internet experience to your customers.
What is DNSSEC?
DNSSEC adds security to the Domain Name System (DNS).
DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning. It is a set of extensions to DNS, which provide:
- Origin authentication of DNS data
- Data integrity
- Authenticated denial of existence.
These mechanisms require changes to the DNS protocol. DNSSEC adds four new resource record (RR) types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS) and Next Secure (NSEC). These new RRs are described in detail in RFC 4034.
It also adds two new DNS header flags: Checking Disabled (CD) and Authenticated Data (AD). To be able to support the larger DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also requires EDNS0 support (RFC 2671).
Finally, DNSSEC requires support for the DNSSEC OK (DO) EDNS header bit (RFC 3225) so that a security-aware resolver can indicate in its queries that it wishes to receive DNSSEC RRs in response messages. By checking the signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server.
DNSSEC services protect against most of the threats to the Domain Name System. There are several distinct classes of threats to the DNS, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol.