The Domain Name System (DNS) translates domain names such as DuckDuckGo.com to IP addresses. Because of DNS, you don’t have to memorize and enter an IP address every time you want to visit a website. The functioning of the internet as we know it today is dependent on the Domain Name System. Because DNS is such an important part of the Internet, it is also a prime target for attacks. This is where DNSSEC comes into play.
How does DNS work?
Whenever you enter a website’s domain name that you haven’t visited before in a browser, the browser uses a Resolving Name Server to translate the domain name into an IP address. If the resolving name server doesn’t know the IP address, it sends its own DNS query to an Authoritative Name Server. The Authoritative Name Server knows the IP address and sends the answer back, and the resolver passes it on to your device. The problem is that the resolver has no way to verify that the answer the authoritative name server gives is genuine.
What is DNSSEC?
The Domain Name System was designed in the 1980s when the Internet consisted of a few networks. At this time, security was not the main priority in its design. In 1990, engineers started working on a solution. The result was Domain Name System Security Extensions (DNSSEC).
DNSSEC is a set of specifications that extends the DNS protocol. This extension on the DNS protocol makes the usage of domain names a lot safer. The reason for this is that DNSSEC adds a cryptographic authentication for responses received from authoritative DNS servers. This means that the records that a DNS server sends can be verified.
To make this possible, DNS servers are equipped with a system for asymmetric cryptography, also known as public/private key cryptography. As the name implies, “private keys” are kept private. Resolvers, however, can look up the DNS data and retrieve the public key. With the public key, it’s possible to check whether the information received is authentic and has not been altered. If the signature is not valid, an attack is assumed and the data is discarded. In this case, the user gets an error message.
Trusting DNSSEC public keys
DNSSEC validation takes place on multiple levels. At the highest level, the root zone, the first key was signed in 2010. This is the starting point for validating DNS: starting from the root zone, a “chain of trust” between multiple authoritative nameservers is created.
This works as follows: a resolver can ensure that a public key is authentic because the public key is signed by a higher-level “parent zone private key”. For example, the DuckDuckGo.com zone’s public key is signed by the .com zone. The parent zone is responsible for vouching for the authenticity of its “child zone’s” public key. Above this, you have the root zone.
The root zone has no parent to sign its key. If a resolver trusts the root zone, it can also trust the public keys of the top-level zones that are signed by the root’s private key, such as the .com zone. Because the public key of the .com zone can be trusted, the keys signed by the .com zone’s private key (such as the duckduckgo.com key) can also be trusted.
This creates a sequence of cryptographic keys that sign other cryptographic keys: the chain of trust.
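As an added example that is not part of the original article, the Go program below models the chain of trust just described, together with the rejection behaviour from the "What is DNSSEC?" section: a root zone whose public key is the resolver's only trust anchor, a com zone whose key digest the root signs, a duckduckgo.com zone whose key digest com signs, and a signed A record. The zone names, the www.duckduckgo.com owner name and the addresses 192.0.2.10 and 198.51.100.7 are constructed sample data, and the record and DS formats are a simplification: real DNSSEC uses DNSKEY, DS and RRSIG records and separate key-signing and zone-signing keys, which this toy collapses into one Ed25519 key per zone.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is a toy model of a DNSSEC-signed zone (example code, not a real DNS
// implementation): one Ed25519 key pair stands in for the zone's DNSKEY,
// RRSIG holds signatures over A records, and DS/DSSig hold what the zone
// publishes about each delegated child (a digest of the child's public key,
// signed with this zone's private key), mirroring a DS record.
type Zone struct {
	Name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Records map[string]string // owner name -> IPv4 address (constructed sample data)
	RRSIG   map[string][]byte // owner name -> signature over "owner A ip"
	DS      map[string][]byte // child zone -> SHA-256 digest of the child's public key
	DSSig   map[string][]byte // child zone -> this zone's signature over that digest
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv,
		Records: map[string]string{}, RRSIG: map[string][]byte{},
		DS: map[string][]byte{}, DSSig: map[string][]byte{}}
}

// keyDigest is what a parent publishes about a child's key, like a DS record.
func keyDigest(pub ed25519.PublicKey) []byte {
	d := sha256.Sum256(pub)
	return d[:]
}

// dsMessage is the byte string a parent signs to vouch for a child's key.
func dsMessage(child string, digest []byte) []byte {
	return append([]byte("DS "+child+" "), digest...)
}

// AddRecord stores an A record and signs it with the zone's private key.
func (z *Zone) AddRecord(owner, ip string) {
	z.Records[owner] = ip
	z.RRSIG[owner] = ed25519.Sign(z.priv, []byte(owner+" A "+ip))
}

// Delegate makes z vouch for child's public key: the parent signs its digest.
func (z *Zone) Delegate(child *Zone) {
	d := keyDigest(child.pub)
	z.DS[child.Name] = d
	z.DSSig[child.Name] = ed25519.Sign(z.priv, dsMessage(child.Name, d))
}

// Resolver trusts exactly one key out of band: the root zone's public key.
type Resolver struct {
	trustAnchor ed25519.PublicKey
}

// Validate walks the delegation chain from the root down to the zone that owns
// the record. At each step the already-trusted parent key must verify the
// parent's signature over the child's key digest, and that digest must match
// the key the child actually presents; only then does the child key become
// trusted. Finally the leaf zone's signature over the A record is checked.
// Any failure means the answer is treated as bogus and discarded.
func (r *Resolver) Validate(chain []*Zone, owner, ip string) error {
	if len(chain) == 0 {
		return errors.New("empty delegation chain")
	}
	if !chain[0].pub.Equal(r.trustAnchor) {
		return errors.New("root key does not match the configured trust anchor")
	}
	trusted := chain[0].pub
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		digest, ok := parent.DS[child.Name]
		if !ok {
			return fmt.Errorf("%s publishes no DS for %s", parent.Name, child.Name)
		}
		if !ed25519.Verify(trusted, dsMessage(child.Name, digest), parent.DSSig[child.Name]) {
			return fmt.Errorf("%s: signature over DS for %s is invalid", parent.Name, child.Name)
		}
		if !bytes.Equal(digest, keyDigest(child.pub)) {
			return fmt.Errorf("%s: DS digest does not match the key %s presents", parent.Name, child.Name)
		}
		trusted = child.pub // the chain of trust extends one level down
	}
	leaf := chain[len(chain)-1]
	sig, ok := leaf.RRSIG[owner]
	if !ok {
		return fmt.Errorf("%s: no signature for %s", leaf.Name, owner)
	}
	if !ed25519.Verify(trusted, []byte(owner+" A "+ip), sig) {
		return errors.New("bogus: record signature invalid, answer discarded")
	}
	return nil
}

// BuildChain builds the three-level example from the text: root -> com ->
// duckduckgo.com, with a constructed A record (192.0.2.10 is documentation space).
func BuildChain() (*Resolver, []*Zone) {
	root, com, ddg := NewZone("."), NewZone("com"), NewZone("duckduckgo.com")
	root.Delegate(com)
	com.Delegate(ddg)
	ddg.AddRecord("www.duckduckgo.com", "192.0.2.10")
	return &Resolver{trustAnchor: root.pub}, []*Zone{root, com, ddg}
}

func main() {
	r, chain := BuildChain()
	fmt.Println("genuine answer:", r.Validate(chain, "www.duckduckgo.com", "192.0.2.10"))
	fmt.Println("forged answer: ", r.Validate(chain, "www.duckduckgo.com", "198.51.100.7"))
}
```

Run it with go run: the genuine answer validates, while an answer carrying a different address fails because the signature was made over the original record. The same Validate function also rejects a zone that presents a key its parent never vouched for, which is the case that matters when someone tries to stand up a look-alike zone: the DS digest published by com does not match, so the chain of trust is broken one level above the record and the answer never reaches the user.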
What does this mean for you?
The goal of DNSSEC is to defend against techniques that attackers use. It is an extra layer of security on top of an otherwise unsafe protocol. Because of DNSSEC, attacks such as cache poisoning or “man-in-the-middle” attacks on DNS answers are no longer possible. This ensures that those visiting your domain name see your content and don’t land on someone else’s web server.
Unless you run your own DNS server, your domain name registrar should make sure DNSSEC is active. If you’d like to know whether DNSSEC is active on your domain name, you can check this via Internet.nl.