Why We Need DNSSEC


The Domain Name System (DNS) is one of the most critical components of internet infrastructure. Without it, the internet cannot function.

The DNS was not originally designed with security in mind.

The DNS is vulnerable to "man-in-the-middle" (MITM) attacks and cache poisoning. These attacks use forged data to redirect internet traffic to fraudulent sites and unintended addresses, which allows cybercriminals to extract credit card data, steal user passwords, eavesdrop on VoIP communications, plant malicious software, or display images and text that defame legitimate brands and provide misleading information. Because a single DNS name server can act as the name-to-address resolution point for thousands of users, the potential impact of a MITM attack or cache poisoning can be considerable.

Domain Name System Security Extensions (DNSSEC) protect internet users and applications from forged DNS data by using public key cryptography.

It does this by digitally signing authoritative zone data when it enters the DNS and then validating it at its destination.

Verisign has been involved in DNSSEC development since 2000, and our engineers played a leading role in the development of the NSEC3 protocol. We continue to collaborate with the internet technical community as DNSSEC implementation and adoption move forward.


How DNSSEC Works to Provide the Protocol for a Secure Internet

The Internet Engineering Task Force (IETF) has been working for many years to provide standards for DNSSEC, which protects internet users and applications from forged domain name system data by using public key cryptography to digitally sign authoritative zone data when it enters the DNS and then validate it at its destination.

A digital signature helps assure users that the data originated from the stated source and that it was not modified in transit, an essential element of maintaining trust in the internet.

In DNSSEC, each zone has at least one public/private key pair. The zone's public key is published in the DNS, while the zone's private key is kept safe and ideally stored offline. The zone's private key signs the individual DNS data records in that zone, creating digital signatures that are also published in the DNS alongside the records.

DNSSEC uses a rigid, hierarchical trust model: a chain of trust that flows from parent zone to child zone. The chain of trust is established when a higher-level (parent) zone signs the public keys of its lower-level (child) zones. The authoritative name servers for these zones may be managed by registrars, internet service providers (ISPs), web hosting companies, or the registrants themselves.


DNSSEC Process

When an end user wants to access a website (or any internet resource), the user's computer requests the website's IP address from a recursive name server. When the recursive name server requests the address record from the authoritative name server, it also requests the DNSSEC signature for that record and the public key of the zone. With the key and the signature, the recursive name server can verify that the address record it receives is identical to the record held on the authoritative name server.

If the recursive name server determines that the address record has been sent by the authoritative name server and has not been altered in transit, it resolves the domain name (provides the requested IP address) and the user can access the site. This integrity-checking process is called “validation.”

If the address record has been modified, the recursive name server does not resolve the domain name to an address, which prevents the user from reaching the fraudulent site. DNSSEC can also prove that a domain name does not exist (the authenticated denial of existence that NSEC3, mentioned above, provides).
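As an added illustration of the signing and validation steps described above (example code written for this page, not Verisign's or any resolver's implementation), the Go program below models a child zone's key pair, an RRSIG-style signature over an A record, the DS digest a parent publishes for the child's key, and a validating resolver that accepts the genuine record but rejects an altered address and a record signed by a key the parent never vouched for. The record text, the DER key encoding and the use of a bare digest as DS are constructed simplifications; real DNSSEC signs canonical RRsets with key tags and validity windows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

// must panics on error: acceptable in a demo, never in a real resolver.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// Zone holds a signed zone's key pair; only the public half is ever served (as DNSKEY).
type Zone struct{ Key *ecdsa.PrivateKey }
// NewZone generates a P-256 key, the curve used by DNSSEC algorithm 13 (ECDSAP256SHA256).
func NewZone() *Zone { return &Zone{must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))} }
// DNSKEY is the public key the zone publishes (DER here, a toy stand-in for the RR wire format).
func (z *Zone) DNSKEY() []byte { return must(x509.MarshalPKIXPublicKey(&z.Key.PublicKey)) }
// Sign plays the RRSIG role: the zone's private key signs the record's SHA-256 digest.
func (z *Zone) Sign(record string) []byte {
	h := sha256.Sum256([]byte(record))
	return must(ecdsa.SignASN1(rand.Reader, z.Key, h[:]))
}
// DS is the digest of the child's DNSKEY that the parent publishes and signs: the chain-of-trust link.
func DS(dnskey []byte) [32]byte { return sha256.Sum256(dnskey) }
// Validate mimics a validating resolver: served DNSKEY must match the parent's DS, then the RRSIG must verify.
func Validate(record string, sig, dnskey []byte, parentDS [32]byte) bool {
	if DS(dnskey) != parentDS {
		return false // key not vouched for by the parent: chain of trust broken
	}
	pubAny, _ := x509.ParsePKIXPublicKey(dnskey) // a nil result just fails the assertion below
	pub, ok := pubAny.(*ecdsa.PublicKey)
	h := sha256.Sum256([]byte(record))
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
// Demo: the genuine record validates; an altered address and a foreign-key forgery (cache-poisoning shape) do not.
func Demo() (genuine, alteredRecord, foreignKey bool) {
	zone, forger := NewZone(), NewZone()
	record, forged := "www.example.com. A 192.0.2.10", "www.example.com. A 203.0.113.66" // constructed
	ds, sig := DS(zone.DNSKEY()), zone.Sign(record)
	genuine = Validate(record, sig, zone.DNSKEY(), ds)
	alteredRecord = Validate(forged, sig, zone.DNSKEY(), ds)
	foreignKey = Validate(forged, forger.Sign(forged), forger.DNSKEY(), ds)
	return
}
```

Demo returns true, false, false: only the record whose signature verifies under a key the parent's DS vouches for is resolved.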

As a result of this process, DNS queries and responses are protected from MITM attacks and the types of forgeries that could redirect internet users to phishing and pharming sites.