Skip to content

What is DNSSEC?

DNSSEC, or the Domain Name System Security Extensions suite, is used to strengthen DNS protocol security, because the DNS protocol is by design not secure. In particular, it doesnโ€™t check for credentials before accepting an answer. But what is DNSSEC? How does DNSSEC work? In this DNSSEC guide we explain what it is, why itโ€™s important for network security, how it works, and the benefits it brings.

What is DNSSEC – a Quick Overview

DNSSEC enhances DNS security by adding a layer of trust through authentication using digital signatures based on public key cryptography. Rather than signing the DNS queries and responses, with DNSSEC the DNS data itself is signed by the owner of the data. 

Each DNS zone is assigned a public/private key pair. The private key, kept secret by the zone owner, is used to sign the DNS data within the zone, producing digital signatures. The corresponding public key is published within the zone and can be accessed by anyone. When a recursive resolver queries data from the zone, it also retrieves the public key and uses it to verify the signature on the DNS data. If the signature is valid, the resolver confirms the data is authentic and returns it to the user. If the signature check fails, the resolver treats the data as potentially compromised, discards it, and returns an error to the user.

In a nutshell, a server offering DNSSEC for its zones and records allows:

  1. verification of the integrity of each record
  2. validation that the record originates from the authoritative DNS server for the record (authenticity)
  3. validation that the DNS server is trusted by upper domain in the DNS hierarchy (chain of trust)


Why is DNSSEC Important for Network Security?

DNSSEC is generally considered to be part of the best practices for DNS Security. It comes on top of the standard recursion process used during resolution. It uses the opposite path, from the record up to the root zone during the validation process, as shown on the diagram further down.

DNSSEC helps prevent DNS attacks like DNS cache poisoning, DNS spoofing, and DNS tunneling. DNSSEC does not protect the entire server, it only protects the data exchanged between signed zones. As a reminder, DNSSEC does not provide privacy.

By providing origin authentication, DNSSEC protects the DNS information exchanged between name servers configured with DNSSEC. DNSSEC ensures data protection from one signed zone to the other, whether the answer to the request is successful or not.

How Does DNSSEC Work?

DNSSEC is based on public key cryptography, certificates and digital signatures. DNSSEC secures the Domain Name System by attaching digital signatures to standard DNS records. These cryptographic signatures are kept on DNS name servers together with conventional record types like A, AAAA, MX, and CNAME. By verifying a recordโ€™s corresponding signature, you can ensure it originated from its authoritative name server and hasnโ€™t been tampered with in transit – thus protecting against forged records from man-in-the-middle attacks.

To enable signature verification, DNSSEC introduces several new DNS record types:

  • RRSIG โ€“ Holds the cryptographic signature
  • DNSKEY โ€“ Stores the public signing key
  • DS โ€“ Contains a hash of a DNSKEY record

The global picture of components and records is presented in the following diagram:

Diagram of Chain of Trust

The process of certification is mainly based on digital signature. Each record is supplemented by its signed hash version which can be used by the client or the recursive DNS server to verify the record. Public keys are published in records to allow the requester to validate signatures using the principle of digital signature: private key used to produce a signature that can be validated using the public key.

How Does DNSSEC Control the Integrity of DNS Records?

DNSSEC controls the integrity of records gathered in DNS answers. Once receiving a DNS answer from a request on a record, the client can validate the integrity of this record. It is possible to validate the integrity of records provided from a cache or from an authoritative answer.

Integrity control is based on cryptography using signatures: a hash of the record signed with the private key can be verified with the public key, the record and the signature. The signature is applied to a hash of the record, allowing signature on any kind of record of any length.

Each DNS zone has a key set (public and private parts – the ZSK) that is used to sign the records contained within the zone. The private part of the key is kept secured by the zone owner. The public part is published as a record (DNSKEY ZSK – id 256).

For each record of the zone, a specific record signature is also published in the zone – the RRSIG record. This record is published in order for the client to validate the integrity of the answer content. The content of the RRSIG record is a signature of the record hash.

Diagram Validation Rrset

The verification process guarantees that the record has been signed with the ZSK in the zone:

  1. Get the A record using DNS query, calculate the hash
  2. Get the public key of the Zone Signing Key using DNS query (DNSKEY ZSK)
  3. Get the signature of the record using DNS query (RRSIG A)
  4. Verify the signature using the public key, the hash and the signature


How Does DNSSEC Ensure Authenticity of DNS Records?

DNSSEC ensures that client queries are answered by the proper zone. In order to be sure the key used to sign the record is valid and associated with the legitimate zone, we use the following verification process:

  1. Get the public Key Signing Key of the zone using DNS query (DNSKEY KSK)
  2. Get the signature of the Zone Signing Key public key record using DNS (RRSIG DNSKEY ZSK)
  3. Verify the signature of the ZSK with the public key of the KSK
  4. From the KSK public key, build the hash that creates the DS record
  5. Get the DS record from the upper zone using DNS
  6. Compare DS contained in upper zone and hash, should be the same
Diagram of Zsk Validation


What is the Chain of Trust for DNSSEC?

In order to ascertain the DNS record signature is fully valid, we can reiterate the validation through the DS record up to the DNS root servers. Since all domains are linked together in the DNS hierarchy, the KSK key of each is reported in the DS record of the upper domain. The root domain cannot be validated through the same principle since the DS key is not stored in another domain. The content of the root anchor keys should be gathered through another channel.

The process where cryptographic keys are used to sign other cryptographic keys is known as a chain of trust. The public key at the start of this chain is referred to as a trust anchor. Resolvers maintain a list of these trust anchors – public keys for specific zones that they inherently trust. Typically, most resolvers are configured with a single trust anchor: the public key for the root zone. By trusting this top-level key, a resolver can establish a chain of trust throughout the DNS hierarchy, provided that each zone along the path is properly signed.

Diagram Zsk Validation


What are the Benefits of Using DNSSEC?

DNSSEC acts as a robust defense against DNS cache poisoning and DNS spoofing, ensuring that the information returned by a DNS resolver truly originates from the authoritative nameserver. Through the use of cryptographic signatures, DNSSEC verifies that DNS responses are genuine and unaltered, preserving the integrity of the data.

Additionally, by authenticating DNS information, DNSSEC helps prevent users from being redirected to malicious websites by cybercriminals, reducing the risk of traffic manipulation via DNS queries. Although it doesnโ€™t protect against all types of cyber threat – such as DDoS attack – DNSSEC significantly improves internet security by confirming the legitimacy of DNS data.

What are the Main Challenges of DNSSEC Implementation?

Implementing DNSSEC involves a meticulous setup process and multiple operational modes, which can increase the complexity of managing and securing DNS servers. After activation, it may take up to 24 hours for the changes to fully propagate and for the security features to become active across the internet.

Nevertheless, these challenges do not outweigh the value of DNSSEC. Despite its complexity, the significant security benefits it provides make DNSSEC a valuable investment for organizations focused on strengthening their online defenses.

Does EfficientIP Offer DNSSEC Solutions?

EfficientIPโ€™s unique 360ยฐ DNS security technology protects organizations against volumetric, exploit and stealth attacks for both public and private DNS infrastructures. As part of this technology, EfficientIP SOLIDserverโ„ข offers a complete solution to easily deploy and maintain DNSSEC

Key management has been simplified to greatly accelerate rollout of DNSSEC. SOLIDserverโ„ข enables you to manage your DNSSEC deployment from a central point. At the same time, the user-friendly Web interface provides you full control over enforcement of corporate standards. SOLIDserverโ„ข helps you overcome tedious tasks while eliminating complexity and the risk of errors due to command-line operations.

By offering streamlined DNSSEC implementation, EfficientIP simplifies the complex process of adopting DNS Security Extensions,  thus helping organizations achieve cybersecurity regulatory compliance for DORA, GDPR, and NIS2. Key requirements related to zone signing and data integrity can be met effortlessly, ensuring trust and security across the DNS infrastructure.

FAQโ€™s Regarding DNSSEC Solutions?

Is DNSSEC really necessary?

Yes, DNSSEC is essential for verifying the authenticity of DNS records and protecting against DNS hijacking attempts. It plays a crucial role in maintaining the trustworthiness of DNS data.

How does DNSSEC improve internet security?

DNSSEC improves internet security by ensuring the authenticity and integrity of DNS data. It uses cryptographic digital signatures to verify that responses to DNS queries come from a legitimate source and have not been altered in transit. By securing this foundational layer of internet communication, DNSSEC helps maintain trust in domain name resolution and reduces the risk of users being misled or compromised through DNS-based attacks

What types of attacks does DNSSEC defend against?

DNSSEC protects against several types of attacks that exploit vulnerabilities in the DNS system. Most notably, it defends against cache poisoning and man-in-the-middle attacks by using digital signatures to ensure the authenticity and integrity of DNS data. This prevents attackers from redirecting users to malicious websites by spoofing DNS responses.

How does DNSSEC help defend against DNS attacks?

DNSSEC defends against DNS-based attacks by attaching cryptographic signatures to DNS records, allowing resolvers to verify the authenticity and integrity of the data before delivering responses to users. This verification process helps block unauthorized alterations and forged DNS data.

What is DNSSEC chain of trust?

In DNSSEC, the chain of trust refers to a hierarchical structure in which each DNS zone is validated by the zone above it. This structure creates a secure verification path from the root zone all the way down to individual domains, ensuring the legitimacy of DNS information throughout the hierarchy.

What are the main challenges in deploying DNSSEC?

Implementing DNSSEC can be difficult due to potential incompatibility with existing infrastructure, the complexity of cryptographic key management, and the resource demands of deployment and maintenance. These issues can complicate or delay successful DNSSEC adoption.

How do you check the DNSSEC status of a domain name?

After configuring a domain name for DNSSEC, it is important to perform a DNSSEC check to test it is working as expected. Checking the DNSSEC status of a domain name via a DNSSEC test is fairly quick and easy via a DNSSEC checker tool.

Does DNSSEC help protect IoT systems?

Manipulation of DNS messages can redirect IoT devices to a malicious service, jeopardizing user privacy and safety. DNSSEC helps ensure integrity and authenticity of DNS data in IoT networks: the DNS resolver in IoT systems uses the DNSKEY record to verify the cryptographic signatures in DNS records. This provides protection against DNS spoofing (cache poisoning), man-in-the-middle attacks (MITM), and botnet attacks used for DDoS attacks.