DNSSEC, short for Domain Name System Security Extensions, is a suite of specifications for securing certain kinds of information provided by the Domain Name System (DNS). It is designed to protect against a range of DNS attacks such as cache poisoning, where forged records are injected into a resolver's cache so that clients looking up a legitimate name are directed to an attacker-controlled address.
Why You Need DNSSEC
Integrity: DNSSEC ensures that the information you receive from a DNS query is exactly what the domain owner entered, with no modifications en route, guaranteeing data integrity.
Authentication: It provides a means to verify that the source of your DNS data is legitimate (authenticity) and not a malicious actor trying to intercept or manipulate DNS queries.
Trust: By building a chain of trust from the DNS root zone down to the specific DNS record for a domain, DNSSEC lets a validating resolver detect and reject malicious DNS data that an attacker inserts into responses to DNS queries.
Digital Signing: DNSSEC works by digitally signing the records in a zone using public-key cryptography. Each DNS zone has a private key that is used to sign the zone's DNS records (the signatures are published as RRSIG records), and a public key, published as a DNSKEY record, that is used to validate the signatures.
Chain of Trust: Starting from the DNS root zone, each level of the DNS hierarchy has its own key pair. A parent zone vouches for a child zone by publishing a DS record, which is a hash of the child's Key Signing Key, and signing that DS record with its own key. This creates a chain of trust down to the individual DNS record level.
Tamper Evidence: Because of the digital signatures, DNS data cannot be modified in transit or in a cache without detection. Strictly speaking DNSSEC provides data origin authentication and integrity; it does not provide confidentiality, since queries and responses are still sent in the clear.
Validation: Resolvers that are configured to perform DNSSEC validation check these signatures using the zone's public key, and check the zone's key against the DS record in the parent zone, ensuring that the DNS data has not been modified. A response that fails validation is discarded and the client receives an error (SERVFAIL) instead of the forged data.
DNSSEC is necessary to combat the inherent vulnerabilities in the traditional DNS system that make it susceptible to various forms of attack. By providing a way to verify the authenticity of DNS data, DNSSEC adds a layer of security to the domain name lookup process.
To enable DNSSEC:
DDI signs the records of a particular zone so that the DNS responses your nameservers return for that zone carry DNSSEC signatures. Navigate to the domain of your choice and click on the DNSSEC button with the icon of an opened lock on the top right corner.
Click on the Sign button.
After the domain of your choice is signed successfully, DNSKEY and DS records are created automatically for the zone. DDI displays the DNSSEC key tag, algorithm, digest type and digest under DS Records, along with the flags and public key of the Key Signing Key (KSK) and the Zone Signing Key (ZSK) associated with the particular zone. Copy the DS details to your clipboard, as you'll need them to update your registrar, which publishes the DS record in the parent zone. The DS record is a hash of the KSK and is the link that lets a validating resolver extend the chain of trust from the parent zone into yours; until the registrar publishes it, validating resolvers treat the zone as unsigned (insecure) rather than as validated.
You can also see the Unsign button with a closed lock on the top right corner indicating DNSSEC is enabled for the zone.
Once DNSSEC signing is enabled on a zone and the DS record has been published by your registrar, DNSSEC-validating resolvers will begin to validate the DNS responses returned by your on-prem nameservers. Confirm the published DS with "dig DS <your zone> +dnssec" and compare its key tag, algorithm, digest type and digest with the values DDI displays; a mismatched or stale DS at the parent causes validating resolvers to return SERVFAIL for the whole zone.
You can also revoke DNSSEC for a particular zone by clicking the Unsign button at the top right corner. Remove the DS record at your registrar first and wait for its TTL to expire before unsigning: if the parent zone still publishes a DS for a zone that no longer serves matching DNSKEY and RRSIG records, validating resolvers will fail every lookup in that zone.
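The following is an added example, not DDI's own code, that makes the chain-of-trust mechanism described above concrete and doubles as the pre-registrar check for the signing procedure: it derives the DS record (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4) from a DNSKEY record and compares it with a DS record as a registrar would publish it. The DNSKEY record is constructed sample data with a two-byte placeholder public key (so the key tag, 1291, can be checked by hand); a real KSK would carry an RSA or ECDSA key and the same code applies unchanged to the output of "dig DNSKEY <zone>" and "dig DS <zone>".

```python
import base64
import hashlib
import struct

# Constructed sample KSK record in presentation format, as DDI or
# `dig DNSKEY example.com` would show it. The public key "AQI=" decodes to
# b"\x01\x02", a placeholder rather than a real key, so the RDATA is
# 01 01 03 08 01 02 and the RFC 4034 key tag works out to 1291 by hand.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQI="

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Encode a domain name in canonical DNS wire format (lowercase labels, RFC 4034 6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("invalid label length in %r" % name)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def parse_dnskey(rr: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...' into (owner, flags, alg, rdata)."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split across fields
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return owner, flags, alg, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_rr: str, digest_type: int = 2) -> dict:
    """Derive the DS fields a registrar needs from a DNSKEY record.

    digest = hash(owner name in wire format || DNSKEY RDATA), per RFC 4034 5.1.4.
    """
    owner, flags, alg, rdata = parse_dnskey(dnskey_rr)
    if not flags & 0x0100:
        raise ValueError("Zone Key flag (bit 7) not set; this DNSKEY cannot sign a zone")
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {
        "owner": owner,
        "key_tag": key_tag(rdata),
        "algorithm": alg,
        "digest_type": digest_type,
        "digest": digest,
        "is_ksk": bool(flags & 0x0001),  # SEP bit: DS records normally point at the KSK
    }


def ds_matches(dnskey_rr: str, ds_rr: str) -> bool:
    """Check that a DS record (from `dig DS <zone>` or the registrar form) was derived from this DNSKEY.

    A mismatch here means validating resolvers will SERVFAIL the zone once the DS is published.
    """
    fields = ds_rr.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).upper()  # dig may wrap the digest over two fields
    if dtype not in DIGEST_ALGS:
        return False
    want = ds_record(dnskey_rr, dtype)
    return (tag, alg, digest) == (want["key_tag"], want["algorithm"], want["digest"])


if __name__ == "__main__":
    ds = ds_record(SAMPLE_DNSKEY)
    print("%s IN DS %d %d %d %s" % (ds["owner"], ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"]))
```

Paste the DNSKEY shown by DDI (or returned by dig) into ds_record to get the exact key tag, algorithm, digest type and digest the registrar form asks for, and run ds_matches against the DS the parent actually serves before you rely on validation. Owner names are lowercased before hashing because the DS digest is defined over the canonical form of the name.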