Introduction to DNSSEC

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is a set of DNS protocol extensions that provide authenticity and integrity for responses received from the Internet. In other words, DNSSEC prevents responses obtained from the Internet from being modified and ensures that they come from the proper source, so a user can be certain that the data they receive is authentic, e.g. that the user has not been redirected to a fake website posing as the real one.

What are the benefits of DNSSEC?

It is worth noting that the DNS protocol was designed to give Internet users a quick and easy way to connect to a desired resource. When it was designed, no one could have predicted the rapid popularization of the Internet, the multitude of services provided through DNS, or the threats that came with them. Information sent this way is neither confidential nor secured against forgery or modification. Data may potentially be falsified or changed at many points in the network. Once loaded into a DNS server's cache, such data remains available to other users.

DNS is currently the mechanism most often used by other Internet protocols and services (e.g. www, http). Until now the main concern has been the security of the services themselves, e.g. securing access to bank services or encrypting electronic mail, while the security of the Internet domain names that are fundamental to those services was neglected. This, in turn, exposes users to unknowingly revealing important data (identity, passwords) on fake (“phished”) websites set up under authentic domain names, and to losing control of, e.g., bank accounts, electronic mail or a profile on a community portal. Once the weak points of the DNS protocol had been identified, it was upgraded with a mechanism that allows the authenticity of received responses to be verified, i.e. DNSSEC.

DNSSEC increases the safety of using DNS: the Internet user is able to determine whether the information received through DNS is true and, consequently, whether a visited website is in fact the website of a bank, shop, office, electronic court, public registry, etc., or a fake website posing as one (phishing).

DNSSEC is a perfect tool for web-based institutions that care about the safety of their clients and of the services they provide.

Guides

NASK’s publications on DNSSEC