DNSSEC

DNSSEC, short for Domain Name System Security Extensions, is a suite of specifications for securing certain kinds of information provided by the Domain Name System (DNS). It is designed to protect against a range of DNS attacks such as cache poisoning, where a DNS query is redirected from a legitimate to a malicious site.

Why You Need DNSSEC

  1. Integrity: DNSSEC ensures that the data you receive in a DNS response is exactly what the domain owner published, with no modification en route.

  2. Authentication: It provides a means to verify that the source of your DNS data is the legitimate zone owner, not a malicious actor intercepting or manipulating DNS queries.

  3. Trust: By building a chain of trust from the root DNS zone down to the individual record in a domain, DNSSEC prevents attackers from inserting forged DNS data into the responses to DNS queries.

 

What DNSSEC Does

 
  • Digital Signing: DNSSEC works by digitally signing the resource records in a zone using public-key cryptography. Each DNS zone has a private key that is used to sign the zone's DNS records and a corresponding public key, published in the zone as a DNSKEY record, that is used to validate the signatures.

  • Chain of Trust: Starting from the DNS root zone, each level of the DNS hierarchy has its own key pair and publishes a DS record that vouches for the key of the level below it, creating a chain of trust down to the individual DNS record.

  • Non-Repudiation: Because the records are digitally signed, DNS data cannot be tampered with without detection, and the zone owner cannot deny having published the signed data.

  • Validation: Resolving name servers that are configured to validate DNSSEC check these signatures against the zone's public key, ensuring that the DNS data has not been modified in transit.

 

DNSSEC is necessary to combat the inherent weaknesses of traditional DNS, which carries no proof of origin and is therefore susceptible to spoofing and cache poisoning. By providing a way to verify the authenticity and integrity of DNS data, DNSSEC adds a layer of security to the domain name lookup process.

 

Configuring DNSSEC in DDI

 

To enable DNSSEC:

  • DDI signs the records of a particular zone so that responses for that zone carry DNSSEC signatures. Navigate to the domain of your choice and click the DNSSEC button (the opened-lock icon) at the top right corner.

  • Click on the Sign button.


  • After the domain of your choice is signed successfully, a DNSKEY record and a DS record are created automatically within the zone. Under DS Records, DDI displays the DNSSEC key tag, algorithm, digest type and digest, together with the flags and public key of the Key Signing Key (KSK) and Zone Signing Key (ZSK) associated with the zone. Copy these details to your clipboard, as you'll need them to update your registrar.

  • The button at the top right corner now reads Unsign and shows a closed lock, indicating that DNSSEC is enabled for the zone.

  • Once DNSSEC signing is enabled on a zone and the DS details have been given to your registrar, DNSSEC-validating resolvers will begin to validate the DNS responses returned by your on-prem name servers.

  • You can also revoke DNSSEC for a particular zone by clicking the Unsign button at the top right corner.
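The DS record you hand to your registrar is the link between the parent zone and your KSK in the chain of trust described above. As an added example that is not part of this article or of DDI's own code, the following Python script computes the DS RDATA (key tag, algorithm, digest type, digest) from a DNSKEY exactly as RFC 4034 specifies, and performs the validator-side check that a published DS actually matches the child zone's DNSKEY, so you can confirm the values DDI displays before updating the registrar. The zone name example.test. and the 64 key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# Digest types registered for DS records: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    stripped = name.rstrip(".").lower()
    out = bytearray()
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        out.append(len(raw))
        out.extend(raw)
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA in wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey(presentation: str) -> bytes:
    """Parse DNSKEY RDATA fields as copied from a zone display: 'flags protocol algorithm base64key'."""
    fields = presentation.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    key = base64.b64decode("".join(fields[3:]))  # base64 may be wrapped across several fields
    return dnskey_rdata(flags, protocol, algorithm, key)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded back in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA (key tag, algorithm, digest type, hex digest) for a DNSKEY.
    Per RFC 4034 5.1.4 the digest covers the canonical owner name followed by the DNSKEY RDATA."""
    _flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validator-side check: does the DS published in the parent match this child DNSKEY?"""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGEST_ALGS:
        return False  # an unknown digest type cannot authenticate the key
    computed = make_ds(owner, rdata, digest_type)
    return computed[:3] == (tag, algorithm, digest_type) and computed[3] == digest.upper()


# Constructed sample KSK for example.test.: flags 257 (KSK), protocol 3, algorithm 13
# (ECDSAP256SHA256). The 64 key bytes are a placeholder pattern, not a real curve point.
SAMPLE_OWNER = "example.test."
SAMPLE_KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
SAMPLE_KSK_TEXT = "257 3 13 " + base64.b64encode(bytes(range(1, 65))).decode("ascii")

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_KSK)
    print(f"{SAMPLE_OWNER} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    # A single flipped key byte changes both the key tag and the digest, so the DS no longer matches.
    tampered = SAMPLE_KSK[:-1] + bytes([SAMPLE_KSK[-1] ^ 0x01])
    print("DS matches own KSK:     ", ds_matches(SAMPLE_OWNER, SAMPLE_KSK, ds))
    print("DS matches tampered KSK:", ds_matches(SAMPLE_OWNER, tampered, ds))
```

To check a real zone, paste the flags, protocol, algorithm and base64 public key that DDI shows for the KSK into parse_dnskey, pass the result and the zone name to make_ds, and compare the four fields with the DS Records panel; a mismatch in any field means the record at the registrar will not validate.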
