DNSSEC: Secure Your DNS with Cryptography
Protect your domain against DNS attacks with DNSSEC cryptographic signatures.
DNS was designed in the 1980s without security mechanisms: DNS responses are transmitted in clear text and accepted on trust, since nothing in the protocol lets a resolver tell a genuine answer from a forged one. This weakness enables attacks like DNS spoofing or cache poisoning, where an attacker injects false DNS responses to redirect traffic to malicious servers. DNSSEC (DNS Security Extensions) addresses this by adding cryptographic signatures to DNS data, so a validating resolver can detect forged or altered responses and refuse them.
With DNSSEC, each DNS record set is accompanied by a digital signature. Resolvers can verify that the data was signed by the zone's key and hasn't been modified in transit. It's like a wax seal on a letter: you can verify that it really comes from the legitimate sender and that the contents weren't tampered with on the way. Note that a seal does not hide the contents, and neither does DNSSEC: it provides authenticity and integrity, not confidentiality.
Despite its advantages, DNSSEC remains under-deployed: complex configuration, key management, risk of outage if misconfigured. However, with modern tools and managed DNS providers, enabling DNSSEC has become much more accessible. For critical domains (banks, e-commerce, government), it's become a necessity.
How DNSSEC Works
DNSSEC uses asymmetric cryptography to sign and verify DNS responses:
- Key pairs: Each signed zone typically has two key pairs: a KSK (Key Signing Key) that signs the DNSKEY record set, and a ZSK (Zone Signing Key) that signs all the other records. Because the parent zone only references the KSK, a ZSK can be rolled without touching the registrar, which is why regular ZSK rotation is recommended; a KSK roll requires publishing a new DS at the parent. Some providers use a single combined key (CSK) for both roles.
- RRSIG (Signatures): Each record set (RRset) is accompanied by an RRSIG, the cryptographic signature generated with the private key. The signature has an inception and an expiration time, and the resolver verifies it with the public key published in the zone's DNSKEY records.
- DNSKEY and DS: DNSKEY publishes the zone's public keys in the zone itself. DS (Delegation Signer) is a hash of the KSK's DNSKEY record placed in the parent zone, alongside the NS delegation, creating the link in the chain of trust.
- Chain of trust: Validating resolvers are configured with the root zone's KSK as their trust anchor. Each parent zone publishes a DS for its child's KSK, so validation walks down from the root: root → TLD → your domain. A break at any level (missing or wrong DS, expired signature) makes everything below it fail validation.
Why Enable DNSSEC
DNSSEC protects against several types of DNS attacks:
- Cache poisoning: Without DNSSEC, an attacker can inject false responses into a resolver's cache, redirecting all users of that resolver to a malicious site. A validating resolver rejects the forged data because it carries no valid signature.
- Man-in-the-middle: On a compromised network, an attacker can intercept and modify DNS responses. Signatures let a validating resolver detect any modification and discard the answer. The protection only applies to clients whose resolver validates; a non-validating resolver still accepts the forged response.
- Email protection: DNSSEC signs MX records and the TXT records carrying SPF, DKIM keys and DMARC policy, so a validating mail server cannot be redirected to a rogue mail server or fed a forged policy. It complements SPF, DKIM and DMARC, it does not replace them.
- DANE/TLSA: DNSSEC is required for DANE (DNS-Based Authentication of Named Entities), which allows publishing the expected TLS certificate or public key in TLSA records; without a validated chain of trust a client must ignore those records.
Enable DNSSEC on Your Domain
The process differs by DNS host, but principles remain the same:
- Enable DNSSEC at your DNS provider: Most managed DNS providers (Cloudflare, Route 53, Google Cloud DNS) offer one-click DNSSEC activation. Keys are generated and managed automatically.
- Retrieve the DS record: Your DNS provider will give you the DS record to configure. It contains the key tag, algorithm, digest type and digest of your KSK. The digest is a hash of the KSK's DNSKEY record, so it changes on every KSK roll and must then be updated at the registrar.
- Configure DS at the registrar: In your registrar's interface, add the DS record; the registrar passes it to the registry, which publishes it in the parent zone (usually the TLD). This establishes the chain of trust. Make sure the zone is already signed and the DNSKEY is served by all your authoritative servers before the DS goes live: a DS that points at a key the zone doesn't publish makes the zone fail validation.
- Verify and monitor: Use tools like DNSViz or Verisign DNSSEC Debugger to verify the chain of trust is complete. Monitor continuously.
DNSSEC Examples and Verification
Here's how to verify and diagnose DNSSEC:
# Check if a domain is DNSSEC signed (+short hides the header, so the AD flag is not shown here)
$ dig example.com +dnssec +short
93.184.216.34
A 13 2 3600 20240215000000 20240201000000 12345 example.com. ...signature...
# RRSIG fields: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature
# Show DNSKEY records
$ dig DNSKEY example.com +short
256 3 13 ...ZSK public key...
257 3 13 ...KSK public key...
# 256 = ZSK, 257 = KSK
# Show DS record (published by the parent zone, here .com, not by your own servers)
$ dig DS example.com +short
12345 13 2 49FD46E6C4B45C55D4AC...
# Full verification with delv (BIND): validates locally from the root trust anchor
# instead of trusting the AD flag of a remote resolver
$ delv @8.8.8.8 example.com +rtrace
; fully validated
example.com. 3600 IN A 93.184.216.34
# DS format for registrar
Key Tag: 12345
Algorithm: 13 (ECDSAP256SHA256)
Digest Type: 2 (SHA-256)
Digest: 49FD46E6C4B45C55D4AC...
# Online validation tools
# - https://dnsviz.net/
# - https://dnssec-debugger.verisignlabs.com/
The presence of RRSIG records alongside the answer indicates the zone is signed; it does not by itself prove the chain of trust is intact. The AD (Authenticated Data) flag in the response header (visible in full dig output, not with +short) means the resolver you queried validated the answer. It is only meaningful if that resolver validates and the path between you and it is trusted, which is why delv, which validates locally against the root trust anchor, is the more reliable check. A SERVFAIL from a validating resolver is usually a validation failure (bad DS, expired signature, missing key), but SERVFAIL can also mean the authoritative servers are down; to tell the two apart, repeat the query with +cd (checking disabled): if the answer then comes back normally, the data is reachable but fails validation.
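The DS that the enabling procedure hands to the registrar is derived deterministically from the KSK's DNSKEY record, so the value your provider gives you, and later the value the parent serves for `dig DS`, can both be checked against the DNSKEY actually published in the zone. The following is an added example in Python (not code from the original page or from MoniTao) that does that computation as specified in RFC 4034: the key tag from appendix B and the DS digest over the owner name in wire form followed by the DNSKEY RDATA. The DNSKEY it uses is a constructed placeholder whose key bytes are 0x00 to 0x3f, not a real key, so its digest is only meaningful for the comparison; all function names are this example's own.

```python
"""Derive the DS record from a zone's KSK and check the DS published at the
parent against it (RFC 4034 section 5.1 and appendix B). Added example with a
constructed DNSKEY: the public key bytes are a placeholder, not a real key."""
import base64
import hashlib
import struct
from typing import Tuple

ZONE = "example.com."
# Constructed KSK in the text form printed by `dig DNSKEY <zone> +short`: flags 257
# (zone key + SEP bit), protocol 3, algorithm 13. The 64 "key" bytes are 0x00..0x3f.
CONSTRUCTED_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode("ascii")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(text: str) -> Tuple[int, int, int, bytes]:
    """Parse '<flags> <protocol> <algorithm> <base64 key>'; dig may split the key into several words."""
    fields = text.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    return flags, protocol, algorithm, base64.b64decode("".join(fields[3:]))


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as on the wire: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag: sum of the RDATA as 16-bit words, carry folded back in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); type 2 is SHA-256, type 4 SHA-384."""
    algo = {2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Build the DS RDATA ('<key tag> <algorithm> <digest type> <digest>') to hand to the registrar."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    if not flags & 0x0001:
        raise ValueError("SEP flag not set: DS records are made from the KSK, not the ZSK")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def ds_matches(published_ds: str, owner: str, dnskey_text: str) -> bool:
    """Compare a DS as served by the parent (`dig DS <zone> +short`, digest possibly split
    across words and in either case) with the one derived from the child's KSK."""
    fields = published_ds.split()
    if len(fields) < 4:
        return False
    try:
        tag, alg, dtype = (int(f) for f in fields[:3])
        normalized = f"{tag} {alg} {dtype} {''.join(fields[3:]).upper()}"
        return normalized == ds_record(owner, dnskey_text, dtype)
    except (KeyError, ValueError):  # unknown digest type, bad base64, non-numeric field, ZSK given
        return False


if __name__ == "__main__":
    ds = ds_record(ZONE, CONSTRUCTED_KSK)
    print("DS to configure at the registrar:", ds)
    print("published DS matches the KSK:", ds_matches(ds, ZONE, CONSTRUCTED_KSK))
```

In practice you would paste the `257 ...` line from `dig DNSKEY yourzone +short` and the line from `dig DS yourzone +short` into `ds_matches`; a mismatch after a KSK roll is exactly the condition that makes validating resolvers return SERVFAIL for the whole zone.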
DNSSEC Best Practices
Manage DNSSEC properly to avoid problems:
- Use a managed provider: Modern DNS providers automatically manage key rotations, signatures and expirations. Avoid managing DNSSEC manually if possible.
- Monitor expirations: RRSIG signatures carry an expiration time. If your zone isn't re-signed before that time, the signatures expire and the domain becomes unreachable for every client behind a validating resolver, while non-validating resolvers keep resolving it, which makes the outage easy to miss from your own desk. Check the remaining validity of the signatures, not just the presence of RRSIGs.
- Rollback plan: If DNSSEC causes problems, you need to be able to disable it quickly and in the right order: remove the DS at the registrar first, wait for the DS TTL in the parent zone to expire, and only then stop signing. Turning off signing while the parent still publishes a DS makes validating resolvers fail the zone. Keep the procedure documented and tested.
- Test before and after: Before enabling DNSSEC, verify your zone is valid. After activation, validate the chain of trust with multiple tools.
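The expiration check from the best practices above can be run over the same `dig +dnssec +short` output shown earlier in this page. The following is an added example in Python (not code from the original page or from MoniTao's monitoring): it parses the RRSIG lines, whether in +short form or in full dig output, and classifies each signature as valid, close to expiry, expired or not yet valid against a given clock. The dig output it reads is constructed for illustration, with a placeholder signature blob, and the warning threshold of seven days and all function names are this example's own choices.

```python
"""Flag RRSIGs that are expired or about to expire, from the output of
`dig <name> +dnssec +short` or full dig output. Added example; the dig output
below is constructed for illustration, not a real capture, and the signature
blob is a placeholder."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed `dig example.com +dnssec +short` output: the A record, then its RRSIG.
CONSTRUCTED_DIG_OUTPUT = """\
93.184.216.34
A 13 2 3600 20240215000000 20240201000000 12345 example.com. cGxhY2Vob2xkZXItc2lnbmF0dXJl
"""

WARN_BEFORE = timedelta(days=7)  # alert when less than a week of validity is left


def parse_rrsig_time(ts: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.1.5)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Optional[dict]:
    """Parse one RRSIG in +short form (RDATA only) or full form ('name TTL IN RRSIG ...').
    RDATA layout: type covered, algorithm, labels, original TTL, expiration, inception,
    key tag, signer name, signature. Returns None for lines that are not RRSIGs."""
    fields = line.split()
    if "RRSIG" in fields:
        fields = fields[fields.index("RRSIG") + 1:]
    if len(fields) < 9 or not (fields[4].isdigit() and len(fields[4]) == 14):
        return None
    return {
        "type_covered": fields[0],
        "algorithm": int(fields[1]),
        "expiration": parse_rrsig_time(fields[4]),
        "inception": parse_rrsig_time(fields[5]),
        "key_tag": int(fields[6]),
        "signer": fields[7],
    }


def signature_status(sig: dict, now: datetime, warn_before: timedelta = WARN_BEFORE) -> str:
    """Validity per RFC 4035 section 5.3.1 (inception <= now <= expiration), plus an early warning."""
    if now < sig["inception"]:
        return "NOT_YET_VALID"
    if now > sig["expiration"]:
        return "EXPIRED"
    if sig["expiration"] - now <= warn_before:
        return "WARNING"
    return "OK"


def check_dig_output(text: str, now: datetime,
                     warn_before: timedelta = WARN_BEFORE) -> List[Tuple[str, str, int]]:
    """Return (type covered, status, seconds until expiration) for every RRSIG in the output."""
    results = []
    for line in text.splitlines():
        sig = parse_rrsig(line)
        if sig is not None:
            seconds_left = int((sig["expiration"] - now).total_seconds())
            results.append((sig["type_covered"], signature_status(sig, now, warn_before), seconds_left))
    return results


def needs_alert(results: List[Tuple[str, str, int]]) -> bool:
    """True if any signature is outside its window or inside the warning period, or if no RRSIG
    was found at all: an unsigned answer from a zone that should be signed is itself a problem."""
    return not results or any(status != "OK" for _, status, _ in results)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for rrtype, status, left in check_dig_output(CONSTRUCTED_DIG_OUTPUT, now):
        print(f"RRSIG over {rrtype}: {status} ({left // 86400} days left)")
```

Feed it the output of `dig yourzone SOA +dnssec +short` and `dig yourzone DNSKEY +dnssec +short` from a cron job: the DNSKEY RRset is signed by the KSK and the rest of the zone by the ZSK, so checking both catches a stalled re-signing of either key before validating resolvers start returning SERVFAIL.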
DNSSEC Deployment Checklist
- DNS provider supporting DNSSEC identified
- DNSSEC enabled in DNS zone
- DS record configured at registrar
- Chain of trust validated (DNSViz, Verisign)
- Signature monitoring set up
- Rollback procedure documented
FAQ - DNSSEC
Does DNSSEC encrypt DNS queries?
No, DNSSEC signs responses but doesn't encrypt them. For confidentiality, use DNS over HTTPS (DoH) or DNS over TLS (DoT) as complement.
Can DNSSEC break my domain?
Yes, bad configuration (expired signatures, incorrect DS, missing key) can make your domain unreachable to validating resolvers. Hence the importance of monitoring.
My registrar doesn't support DNSSEC, what to do?
Some registrars don't allow adding DS records. Options: transfer domain to a compatible registrar, or use a DNS service with integrated registrar support.
How long to enable DNSSEC?
Technical activation is quick (minutes), but the DS can take hours to appear in the parent zone, and resolvers that recently cached the absence of a DS for your domain keep treating it as unsigned until that negative cache entry expires. Allow up to 48h, depending on the TLD's publication schedule and TTLs, before relying on the chain of trust being visible everywhere.
Do all resolvers validate DNSSEC?
Major public resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1, Quad9) validate DNSSEC. Enterprise and ISP resolvers vary - some don't validate.
Does MoniTao monitor DNSSEC?
Yes, MoniTao can monitor your domain's DNSSEC status and alert you if signatures expire, DS changes, or validation fails.
Secure Your DNS Infrastructure
DNSSEC adds an essential security layer to DNS. In a world where DNS attacks are increasingly sophisticated, cryptographic signing of your records becomes a necessity for critical domains.
Start with a managed DNS provider that simplifies DNSSEC management, configure DS at your registrar, and actively monitor. MoniTao can alert you of any DNSSEC problem before your users are impacted.