6 April 2023
An Introduction to DNSSEC
DNSSEC (Domain Name System Security Extensions) is a technology that provides an additional layer of security to the Domain Name System (DNS) by adding digital signatures to DNS data. DNS is responsible for translating human-readable domain names, such as example.com, into IP addresses that computers use to identify each other on the internet.
With DNSSEC, digital signatures are added to DNS records, allowing DNS resolvers to verify that the information they receive from a DNS server is authentic and hasn’t been modified in transit. This helps prevent attackers from intercepting DNS queries and returning incorrect IP addresses that lead users to malicious websites, a tactic known as DNS spoofing or DNS cache poisoning.
Australian brands have been slow to implement DNSSEC compared to American and European brands, despite the many benefits. Therefore, we have decided to dive into some of the pros and cons of DNSSEC in the hope that we can encourage more brands to take up DNSSEC and significantly improve their security posture.
How does DNSSEC work?
DNSSEC works by adding digital signatures to DNS data, starting from the root zone of the DNS hierarchy down to the individual domain names. These signatures are generated using public-key cryptography.
When a client requests a DNS resolution, the DNS resolver requests the necessary DNS data from the authoritative name server of the domain. With DNSSEC, the authoritative name server provides not only the requested DNS data, but also a digital signature of the data.
The digital signature is created using the private key of the zone’s DNSSEC key pair, which is kept securely with the zone administrator. The public key is published in the DNS, allowing anyone to verify the digital signatures of the DNS data using the public key.
The DNS resolver then uses the public key to validate the digital signature of the DNS data. If the digital signature is valid, the resolver knows that the DNS data has not been tampered with and can be trusted.
By providing a chain of trust from the root zone to the individual domain names, DNSSEC helps prevent DNS spoofing and other types of DNS attacks.
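The Go program below is an added illustration of the chain of trust just described, not code from the original post or from brandsec: the parent zone publishes a DS digest of the child's DNSKEY, the child signs its A record with its private key, and a validating resolver first checks the presented DNSKEY against the parent's DS and only then verifies the signature. It is a simplified model rather than DNS wire format: one ECDSA key pair stands in for the zone's KSK/ZSK pair, records are plain strings, and example.com with 192.0.2.10 are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// digest is the SHA-256 input for a DS record (name + DNSKEY data) or an RRSIG (name + type + data).
func digest(zone, rrtype, data string) []byte {
	h := sha256.Sum256([]byte(zone + "|" + rrtype + "|" + data))
	return h[:]
}

// dnskey returns the public key bytes the zone publishes in its DNSKEY record.
func dnskey(priv *ecdsa.PrivateKey) []byte {
	b, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return b
}

// sign produces the RRSIG for one record with the zone's private key.
func sign(priv *ecdsa.PrivateKey, zone, rrtype, rdata string) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(zone, rrtype, rdata))
	return sig
}

// validate is the resolver side: the DNSKEY must match the parent's DS (trust anchor), then the RRSIG must verify.
func validate(parentDS, key []byte, zone, rrtype, rdata string, rrsig []byte) error {
	if string(digest(zone, "DNSKEY", string(key))) != string(parentDS) {
		return fmt.Errorf("DNSKEY does not match parent DS: chain of trust broken")
	}
	pub, _ := x509.ParsePKIXPublicKey(key)
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(ecPub, digest(zone, rrtype, rdata), rrsig) {
		return fmt.Errorf("RRSIG invalid: data altered or signed by another key")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed zone key pair
	zone, key := "example.com.", dnskey(priv)
	parentDS := digest(zone, "DNSKEY", string(key)) // what the .com zone would publish as DS
	sig := sign(priv, zone, "A", "192.0.2.10")
	fmt.Println("genuine: ", validate(parentDS, key, zone, "A", "192.0.2.10", sig))
	fmt.Println("tampered:", validate(parentDS, key, zone, "A", "198.51.100.7", sig))
}
```

The tampered lookup fails because the signature no longer matches the record data; a record signed with a key the parent never vouched for fails earlier, at the DS comparison.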
Background of DNSSEC: Fixing a major design flaw
In the early days of the internet, little attention was paid to security vulnerabilities. It wasn’t until internet security researcher Dan Kaminsky discovered a serious design flaw in the DNS protocol that significant efforts were made to address these issues. Kaminsky’s discovery exposed a shortcoming in the DNS protocol that allowed attackers to launch cache poisoning attacks against the lookup side of the DNS, putting users’ digital safety at risk.
Thanks to Kaminsky’s efforts, the DNS technical community began to take steps to improve the security of the DNS. In 2008, ICANN signed the root zone for the first time, representing a significant milestone for DNSSEC. In 2018, the root zone’s key signing key was successfully updated for the first time, further strengthening the security of the DNS.
The importance of DNSSEC was highlighted again by a series of international DNS hijacking campaigns in 2018 and 2019. These attacks prompted the United States Cybersecurity and Infrastructure Security Agency (US-CERT) to issue its first-ever Emergency Directive, calling on all DNS stakeholders to fully deploy DNSSEC.
Moving forward, ICANN is committed to promoting the use of DNSSEC to ensure the security and integrity of the DNS. The organization will continue to encourage ccTLDs that have not yet signed their zones to do so, and will urge DNS resolver operators to enable DNSSEC validation to prevent DNS attacks. Thanks to the efforts of Kaminsky and other internet security researchers, the online world is becoming a safer place for users around the globe.
Pros of DNSSEC
- Authentication: DNSSEC provides authentication and data integrity of DNS responses, ensuring that the data received from a DNS server is legitimate and has not been tampered with.
- Security: DNSSEC helps protect against various DNS-based attacks, such as DNS spoofing, cache poisoning, and man-in-the-middle attacks.
- Trust: DNSSEC builds trust in the DNS system, as it ensures that the domain name system is secured and verified, and that users are communicating with the intended server.
- Privacy: DNSSEC provides privacy protection by preventing attackers from seeing the domain names being queried by users.
Cons of DNSSEC
- Implementation: DNSSEC implementation can be complex and time-consuming, requiring significant expertise and resources.
- Compatibility: DNSSEC is not widely adopted, and not all DNS servers and applications support it. This can create compatibility issues with some applications and services.
- Management: DNSSEC requires careful management, as it requires ongoing maintenance and updates to keep the system secure.
- Performance: DNSSEC can add a small amount of overhead to DNS queries, which can impact performance in some cases. However, this is typically not a significant issue for most users.
Implementation Considerations
The implementation of DNSSEC involves several planning considerations such as assessing the impact on network performance, ensuring compatibility with existing DNS servers and clients, and managing key generation, storage, and distribution. While DNSSEC offers many benefits, such as improved security and trustworthiness of DNS data, it also has some drawbacks, such as increased complexity and management overhead. Despite these challenges, DNSSEC remains an important security measure for organizations that rely on DNS to provide critical services to their users.
About brandsec
brandsec is an Australian domain name management provider that offers online brand management solutions to corporate and government organisations.
Our services include domain name management, domain name security, domain name policy development, dispute management, monitoring, and enforcement services. Additionally, brandsec offers a comprehensive online brand protection service that covers various platforms such as websites, social media, email, and online marketplaces. The service addresses issues related to counterfeiting, fakes, copyright infringement, intellectual property (IP) matters, piracy, and other IP-related issues.