Video: How DNSSEC Works

This silent video created by Shinkuro, Inc., provides a good visualization of how DNS works normally, how an attacker can hijack DNS queries, and how DNSSEC can protect the integrity of DNS information to ensure that the correct information is received.

You can also view the video directly on YouTube.

There is also a second version of the video that does not include the text narration on the right side of the screen. You may find that useful if, for instance, you are showing the demonstration and explaining what is happening.

This video was produced by Shinkuro, Inc., in 2006 and the original source can be found at:

https://www.dnssec-deployment.org/index.php/presentations-events-and-newsletters/video/

We have uploaded it to our YouTube channel with the express consent of Shinkuro, Inc. They informed us that the work was created under a U.S. government contract and the resulting video is free for all to use and share.

If you want to learn more about DNSSEC, you may be also interested in our interview with security researcher Joe Klein. If you are new to DNSSEC, you may want to start with our DNSSEC Basics page.

December 30th, 2011 by | Posted in DNSSEC, Information, Videos | 2 Comments

2 Responses to Video: How DNSSEC Works

  1. Tim Coote says:

    I’m not clear from this explanation who is assuring the authenticity of the secured dns server. Surely the approach is not dependent on the same CA style approach of TLS? When I look at the entities that the pre-loaded/trusted CAs on new computers or browsers trust by default, it looks very frightening.

  2. Dan York says:

    Tim,

    No, DNSSEC does not rely on a CA-style approach.

    The registrant for a domain signs the domain (either themselves or via a DNS operator). As part of the signing a “DS record” is created that is transmitted by the registrar up to the “parent” domain (typically a top-level domain (TLD) like .com, .org, etc.).

    That DS record connects the newly-signed domain to the rest of the “global chain-of-trust”. And so the authenticity can be tracked from the root of DNS all the way down.

    Dan

Leave a Reply

Your email address will not be published. Required fields are marked *