What is DNSSEC?
DNSSEC stands for Domain Name System Security Extensions. DNSSEC is the secure version of DNS. It is based on electronic signatures and prevents compromise of DNS requests. It assures users (machines, software) of the legitimacy of the source of DNS information.
DNS service is similar to a phone book directory. Every communication on the Internet begins with it. Through it, the machines know the IP address of their interlocutor before transmitting the data. In short, the DNS system matches a domain name (a host) to an IP address. Despite the importance of DNS, the majority of DNS requests are not secure, they flow transparently over the network.
How DNSSEC function?
The DNSSEC service secures DNS communications by checking that the authoritative server has the right to provide the response to a request, the reliability of the content of the response from the DNS server, as well asthe integrity of this response.
DNSSEC relies on digital signatures. Precisely on a pair of private key and public key. The former, as its name suggests, will be kept at the DNS server level. It will be used to encrypt DNS records. The public key, on the other hand is used to decrypt the information encrypted by the private key. Registered in the DNS zone like other DNS records, it validates a given signature with the private code. Therefore, by checking the correspondence between the two keys, we can determine if a response does indeed come from a legitimate server. DNSSEC is based on a chain of trust that follows the same path as a DNS resolution. Therefore, three conditions must be met in order to be able to sign your domain with DNSSEC.
- The superior domain to your domain name must be signed. This is particularly the case with .com, .org, .net and several geographic domains.
- The registrar responsible for your domain name must support DNSSEC.
- The DNS manager of the domain name must also support the DNSSEC protocol.
Why do you need to secure your domain name ?
Despite the importance of DNS service, many neglect its security and even ignore potential cyber attacks. These include DNS cache poisoning, DDOS attacks, packet interception. Let’s develop cache poisoning to a better understanding of the security risk involved. Through cache poisoning, the hacker tricks a DNS server into believing that he has received a valid response to a request he made. Thus, it provides an incorrect IP address redirecting to a phishing site for instance. If this DNS server stores this information, anyone who uses it will be automatically redirected to this phishing site.
Therefore, protecting your domain name with DNSSEC is proving to be vital for companies and their brand. Usually, sites require you to enter personal information. This is the case, for example, with e-commerce sites. An attack like the one described above would be disastrous for the target company. In fact, it will damage the trust of visitors and tarnish the image of the brand. The risk is really not worth the effort. For the security of your domain name, we recommend you to register your domain name with a web host that supports the DNSSEC protocol.