Why should I care about DNSSEC?
“DNS Security Extensions,” commonly known as DNSSEC, provide a way to verify that the DNS answers you receive are authentic, so that you reach the correct website or other service. Before you connect to a website, your browser has to retrieve the IP address of the site using DNS. However, it is possible for an attacker to intercept your DNS queries and provide false information that would cause your browser to connect to a fake website where you could potentially provide personal information (for example, to what you think is your bank’s website). DNSSEC adds a layer of security by letting the resolver (and potentially the web browser) check that the DNS information is correct and was not modified in transit. Note, too, that DNSSEC is NOT only for the Web: it can be used by any other Internet service or protocol. We’re already seeing interesting uses of DNSSEC with email (SMTP), instant messaging and voice-over-IP.
Where can I learn the basics of how DNSSEC works?
To understand the basics of how DNSSEC works, you may find these videos useful:
- Video showing how DNS works, how it can be attacked and how DNSSEC can help
- Video explaining DNSSEC from Comcast
- For those seeking more technical information, the NIST Secure DNS Deployment Guidelines open with an introductory tutorial before getting into deeper technical material. The DNSSEC HOWTO from NLNet Labs is also an excellent reference document.
As a user, what do I need to do to get the additional protection provided by DNSSEC?
Ideally, your local DNS resolver will perform “DNSSEC validation” and just automatically block sites that fail because of incorrect DNSSEC signatures. This DNS resolver might be at your ISP or might be on your local network. You can learn more about setting up validating name resolvers in this report from SURFnet:
If you do not have access to a DNSSEC-validating DNS resolver on your local network or from your ISP, an alternative is to install a validating DNS resolver on your local desktop or laptop computer. One excellent way to do this is:
Finally, if you don’t have access to any kind of DNSSEC-validating resolvers, another step you can take is to add support for DNSSEC directly into a web browser such as Google Chrome or Mozilla Firefox:
Eventually, we certainly hope that DNSSEC validation will be built into operating systems and will be a standard piece of network infrastructure, but until that time these are steps you can take.
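How do you tell whether the resolver you are using actually validates? A validating resolver answers a query that carries the EDNS0 “DNSSEC OK” (DO) bit with the AD (Authenticated Data) flag set when the chain of trust checks out, and returns SERVFAIL when the data is bogus. The following Python example, added here and not part of the original page, builds such a query in DNS wire format and classifies the header of the response. The response headers it examines are constructed in the code for illustration, not captured traffic, and the query name example.com is only a sample. One caveat worth keeping in mind: the AD bit is only as trustworthy as the resolver that set it and the network path to that resolver, which is exactly why running a validating resolver on your own machine or network, as suggested above, is the stronger option.

```python
import struct

# Header flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035).
QR, TC, RD, RA, AD, CD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
EDNS_DO = 0x8000  # "DNSSEC OK" bit, carried in the TTL field of the OPT pseudo-RR


def name_to_wire(name: str) -> bytes:
    """Wire form of a domain name: length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """A recursive query with an EDNS0 OPT record whose DO bit is set, so that a
    validating resolver includes RRSIGs and reports its verdict in the AD bit."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 1)           # QDCOUNT=1, ARCOUNT=1 (OPT)
    question = name_to_wire(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE / version / flags (DO bit), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields that matter for a validation check."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR), "tc": bool(flags & TC), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify_response(query: bytes, response: bytes) -> str:
    """What the resolver's answer tells us about validation.
    'validated'     - AD set: the resolver verified the chain of trust for this answer.
    'not-validated' - NOERROR without AD: the resolver did not (or could not) validate.
    'servfail'      - validating resolvers reject bogus data this way, but SERVFAIL also
                      has non-DNSSEC causes; re-querying with CD set tells them apart.
    """
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "not-a-matching-response"
    if r["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if r["rcode"] != RCODE_NOERROR:
        return "rcode-%d" % r["rcode"]
    return "validated" if r["ad"] else "not-validated"


# Constructed response headers for the query below (ID 0x1234), not captured traffic:
# QR|RD|RA|AD = 0x81a0, QR|RD|RA = 0x8180, QR|RD|RA with RCODE 2 (SERVFAIL) = 0x8182.
QUERY = build_query("example.com.")
VALIDATED_RESPONSE = bytes.fromhex("123481a0000100010000" "0001")
UNVALIDATED_RESPONSE = bytes.fromhex("12348180000100010000" "0001")
SERVFAIL_RESPONSE = bytes.fromhex("12348182000100000000" "0001")

if __name__ == "__main__":
    for label, resp in [("AD set", VALIDATED_RESPONSE), ("AD clear", UNVALIDATED_RESPONSE),
                        ("SERVFAIL", SERVFAIL_RESPONSE)]:
        print("%-9s -> %s" % (label, classify_response(QUERY, resp)))
```

To use this against a real resolver you would send `QUERY` over UDP to port 53 and feed the reply to `classify_response`; an AD clear result for a zone you know to be signed means that resolver is not validating for you.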
How do I set up DNSSEC for my domain name?
Signing your domain with DNSSEC involves two components:
- The registrar of your domain name needs to be able to accept what are called “Delegation Signer (DS)” records and be able to pass those up to the Top-Level Domain (TLD) for your domain (e.g. .com, .org, .net).
- The DNS hosting provider who operates the DNS name servers for your domain must support DNSSEC and be able to sign (and re-sign) your DNS zone files.
Sometimes both of these components are part of one service offered by a registrar. In other words, you might not even realize they are different – your registrar may perform both roles for you. Other times, the DNS records for your domain might be hosted at another provider – or you might host them yourself on your own DNS servers.
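The DS record is what ties the two components together: it is a hash of your zone’s key-signing DNSKEY, published in the parent (TLD) zone, and if it does not match the DNSKEY your name servers actually serve, validating resolvers will treat your whole domain as bogus and return SERVFAIL. The Python example below, added here and not part of the original page, computes a DS record from a DNSKEY the way RFC 4034 specifies (key tag over the RDATA, SHA-256 or SHA-384 over the canonical owner name plus RDATA) and compares it with a DS as published at the parent. The key used is a constructed placeholder of 32 zero bytes standing in for an Ed25519 public key, not a real key, and example.com is only a sample zone name.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 6605): 2 = SHA-256, 4 = SHA-384. Type 1 (SHA-1) is omitted on purpose.
DS_DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, all algorithms except RSA/MD5):
    sum the RDATA as big-endian 16-bit words, fold the carry back in, keep 16 bits."""
    acc = 0
    for i in range(0, len(rdata), 2):
        acc += (rdata[i] << 8) + (rdata[i + 1] if i + 1 < len(rdata) else 0)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as lowercase hex."""
    return DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS record (key tag, algorithm, digest type, digest hex) for a DNSKEY
    given in presentation form (base64 public key)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(published_ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """Does the DS the parent publishes match the DNSKEY the zone serves?
    published_ds is (key_tag, algorithm, digest_type, digest_hex); hex case is ignored."""
    tag, alg, dtype, digest = published_ds
    if dtype not in DS_DIGESTS:
        return False
    return (tag, alg, dtype, digest.lower()) == ds_from_dnskey(
        owner, flags, protocol, algorithm, pubkey_b64, dtype)


# Constructed placeholder key: 32 zero bytes in place of an Ed25519 (algorithm 15) public key.
# Flags 257 = zone key with the Secure Entry Point bit, i.e. a key-signing key (KSK).
DEMO_KEY_B64 = base64.b64encode(bytes(32)).decode("ascii")

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com.", 257, 3, 15, DEMO_KEY_B64)
    print("example.com. IN DS %d %d %d %s" % ds)
    print("matches published DS:", ds_matches(ds, "example.com.", 257, 3, 15, DEMO_KEY_B64))
```

In practice you would paste the DNSKEY your name servers return into `ds_from_dnskey` and the DS your registrar shows (or that the TLD serves) into `ds_matches`; a `False` here, or a key tag that differs from the one in the DS, is the usual cause of a domain suddenly failing validation after a key change.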
We suggest you start with this resource page:
Are there tools I can use to test my DNSSEC implementation?
Our DNSSEC Tools page lists a wide range of tools, including:
Where can I get more technical information to dive into the details?
- The DNSSEC HOWTO goes into a great amount of detail.
- The NIST Secure DNS Deployment Guide explains in great detail how DNS works, the threats to DNS and how those threats can be addressed using DNSSEC and other technologies.
- The actual specification is available in the RFCs related to DNSSEC.
- The Wikipedia entry for DNSSEC also contains many links to additional information.
Do you know of additional resources we should consider adding here? Or are there additional “basic” questions you feel we should answer here? If so, please send them to us.