What is DNSSEC?

DNSSEC, which stands for DNS Security Extensions, is a suite of specifications designed by the IETF (Internet Engineering Task Force) to secure the DNS (Domain Name System) information provided over IP (Internet Protocol) networks.

DNSSEC gives DNS clients the assurance that the DNS data returned in response to their DNS query is accurate, and it assures the integrity of that data. DNSSEC also prevents the denial of service (DoS) that might result because of authenticated DNS.

DNSSEC prevents DNS cache poisoning attacks, which have been quite prevalent since late 2008. In DNS cache poisoning, DNS replies are forged with false information about the location of a particular website.

So, effectively, if the IP address of website A is Z.Z.Z.Z, DNS cache poisoning fools the system into believing that the address is not Z.Z.Z.Z but X.X.X.X. The system then inadvertently diverts a user who wants to visit website A to X.X.X.X rather than Z.Z.Z.Z.

DNSSEC functions by means of digital certificates, and every DNS response is marked with a digital signature. The resolver verifies the response; if the signature is invalid or does not agree with the information held by the authoritative DNS server, the response is discarded. This is what prevents cache poisoning through unsolicited DNS responses. As of now, DNSSEC provides integrity but does not provide confidentiality.

DNSSEC is based on RFC 4033, “DNS Security Introduction and Requirements”. It works by using public key cryptography to digitally sign records, and the basis of that signing is the chain of trust on which DNSSEC is built.

The DNS root servers sit at the top of this chain of trust, and the chain builds downward from there through the authoritative DNS servers for the top-level domains, and so on.
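
The chain of trust described above, as an added example that is not part of the original article: each parent zone publishes a DS record (a hash of the child's DNSKEY) and signs it, down to an RRSIG over an A record, and a validating resolver walks the chain from its root trust anchor. Ed25519 from the Go standard library stands in for the signing algorithm, and the zone names, keys and addresses are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Link is one delegation step in the chain of trust: a child zone's DNSKEY plus
// the DS record (a digest of that key) that the parent zone publishes and signs.
type Link struct {
	Name  string            // child zone name, e.g. "example."
	Key   ed25519.PublicKey // the child's DNSKEY
	DS    []byte            // parent's DS record: sha256(Name || Key)
	DSSig []byte            // parent's RRSIG over that DS record
}

func digest(name string, key ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(name), key...))
	return h[:]
}

// Validate walks from the trust anchor (root DNSKEY) down: each DS must verify under
// the parent key and match the child's key; the record's RRSIG must verify under the leaf key.
func Validate(anchor ed25519.PublicKey, chain []Link, record string, sig []byte) bool {
	parent := anchor
	for _, l := range chain {
		if !ed25519.Verify(parent, l.DS, l.DSSig) || !bytes.Equal(l.DS, digest(l.Name, l.Key)) {
			return false // broken link: unsigned/forged DS, or a key the parent never vouched for
		}
		parent = l.Key
	}
	return ed25519.Verify(parent, []byte(record), sig)
}

// BuildExample builds a root -> "example." -> "site.example." chain from freshly generated
// keys (constructed data): returns the trust anchor, the chain, an A record and its RRSIG.
func BuildExample() (ed25519.PublicKey, []Link, string, []byte) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	tldPub, tldPriv, _ := ed25519.GenerateKey(rand.Reader)
	zonePub, zonePriv, _ := ed25519.GenerateKey(rand.Reader)
	tldDS, zoneDS := digest("example.", tldPub), digest("site.example.", zonePub)
	chain := []Link{
		{"example.", tldPub, tldDS, ed25519.Sign(rootPriv, tldDS)},
		{"site.example.", zonePub, zoneDS, ed25519.Sign(tldPriv, zoneDS)},
	}
	rec := "www.site.example. A 203.0.113.10"
	return rootPub, chain, rec, ed25519.Sign(zonePriv, []byte(rec))
}
```

A poisoned reply that swaps the address but keeps the original signature fails the final RRSIG check, and a reply re-signed with an attacker's key fails because the parent's DS record does not match that key.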


The cryptographic algorithms used in DNSSEC include MD5, SHA-1, SHA-256, SHA-512, DSA, and RSA.