DNSSEC Basics

Why should I care about DNSSEC?

“DNS Security Extensions,” commonly known as DNSSEC, provide a way to be sure that you are communicating with the correct website or other service. Before you connect to a website, your browser has to retrieve the IP address of the site using DNS. However, it is possible for an attacker to intercept your DNS queries and provide false information that would cause your browser to connect to a fake website where you could potentially provide personal information (for example, what you think is a bank website). DNSSEC provides a level of additional security where the web browser can check to make sure the DNS information is correct and was not modified. Note, too, that DNSSEC is NOT only for the Web, but also can be used by any other Internet service or protocol. We’re already seeing interesting uses of DNSSEC with email (SMTP), instant messaging and voice-over-IP.

Where can I learn the basics of how DNSSEC works?

To understand the basics of how DNSSEC works, you may find these videos useful:

As a user, what do I need to do to get the additional protection provided by DNSSEC?

Ideally, your local DNS resolver will perform “DNSSEC validation” and just automatically block sites that fail because of incorrect DNSSEC signatures.  This DNS resolver might be at your ISP or might be on your local network.  You can learn more about setting up validating name resolvers in this report from SURFnet:

If you do not have access to a DNSSEC-validating DNS resolver on your local network or from your ISP, an alternative can be to install a validating DNS resolver on your local desktop or laptop computer. One excellent way to do this is:

Finally, if you don’t have access to any kind of DNSSEC-validating resolvers, another step you can take is to add support for DNSSEC directly into a web browser such as Google Chrome or Mozilla Firefox:

Eventually, we certainly hope that DNSSEC-validation will be built into operating systems and will be a standard piece of network infrastructure, but until that time these are steps you can take.

How do I set up DNSSEC for my domain name?

Signing your domain with DNSSEC involves two components:

  1. The registrar of your domain name needs to be able to accept what are called “Delegation Signer (DS)” records and be able to send those up to the Top-Level Domain (TLD) for your domain (e.g., .com, .org, .net).
  2. The DNS hosting provider who operates the DNS name servers for your domain must support DNSSEC and be able to sign (and re-sign) your DNS zone files.

Now, sometimes both of these components might be part of one service offered by a registrar. In other words, you might not even realize they are different – your registrar may perform both roles for you.  Other times, the DNS records for your domain might be hosted at another provider – or you might host them yourself on your own DNS servers.
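To make the hand-off between the two components concrete, here is an added example (not from the original page) of how the DS record your registrar passes up to the TLD is derived from the DNSKEY your DNS host publishes, so you can check that the two agree. The DNSKEY below is constructed (a 64-byte placeholder pattern, not a real key) and the helper names are mine.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}

def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (labels lowercased, RFC 4034 section 6.2)."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> str:
    """DS RDATA ('keytag algorithm digesttype digest') derived from a DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](owner_name_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest.upper()}"

def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, published_ds: str) -> bool:
    """True if the DS the parent zone publishes was derived from this DNSKEY."""
    tag, alg, dtype, *digest_parts = published_ds.split()  # dig may wrap the digest
    digest = "".join(digest_parts).upper()
    expected = ds_record(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return expected.split() == [tag, alg, dtype, digest]

# Constructed sample: a KSK (flags 257, protocol 3, algorithm 13) for example.com
# whose "public key" is the byte pattern 0..63, not a real ECDSA P-256 key.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 13
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_KEY_B64)
    print(f"{SAMPLE_OWNER} IN DS {ds}")
    print("matches:", ds_matches(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO,
                                 SAMPLE_ALG, SAMPLE_KEY_B64, ds))
```

Swap in the real DNSKEY from your zone and the DS your registrar shows at the TLD; a mismatch in key tag or digest means the chain of trust breaks at the delegation.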

We suggest you start with this resource page:

Are there tools I can use to test my DNSSEC implementation?

Our DNSSEC Tools page lists a wide number of tools, including:

Where can I get more technical information to dive into the details?

Do you know of additional resources we should consider adding here? Or are there additional “basic” questions you feel we should answer here? If so, please send them to us.

December 6th, 2011

3 Responses to DNSSEC Basics

  1. chris says:

    the Comcast DNSSEC video “does not exist”

    • Dan York says:

      Chris,
      Thanks for the report. I’ll email our contacts at Comcast and see what happened to the video and if they have any plans to replace it.
      Thanks,
      Dan
