DNSSEC

Why Does Your Domain Name Need DNSSEC?

Almost every transaction on the internet requires DNS. DNS is the service that enables textual addresses, which are easy for humans to remember, to be matched with IP addresses that enable computers to connect and communicate on the internet. When a user enters a webpage address, their computer sends a query to DNS about the entered domain name, and DNS returns an IP address in response.

DNS is one of the oldest protocols on the internet and was not designed to be secure. If a malicious party is in a position to intercept communication with a DNS server, they can return a response (an incorrect IP address) that will redirect users to a fake internet location. The consequences of such a scenario may be very unpleasant for users.

This is not fiction — it happens daily around the world. Lately, more than half of all cyber attacks have been related to DNS misuse and its use for criminal activities or for censorship of content.


How Is This Possible?

The scenario is the following: A user enters a website address, for example, of a bank or online store, and waits for the DNS system to “translate” the entered address into the corresponding IP address so that the user’s device can connect to the desired internet service.

In that very short period of time, while the user’s device waits for a DNS response, the correct DNS server response may be modified by an attacker. The user sees a webpage that appears identical to the one they intended to visit, but in reality, they are at the wrong address and connected to a computer controlled by the attacker. Everything the user enters — username, password, credit card number, personal data — becomes visible to the attacker and can be abused.

How, then, can we trust DNS at all? Is there a way for the user to determine whether the DNS response is incorrect or valid? The answer is “yes” — DNSSEC.


What Is DNSSEC?

DNSSEC (DNS Security Extension) is a technology that provides mechanisms for protecting against modified DNS responses and redirecting users to internet locations that may be dangerous — in terms of theft of personal data, credit card numbers, confidential business information, or the spreading of false information and news that appear to come from a “trusted” source.

No one wants their website users or email messages to fall into the hands of fraudsters. Therefore, if you are the registrant of a domain name, consider implementing DNSSEC: protect your data and the data of your users, preserve your reputation, and avoid potential financial losses.

Verification of DNS responses is performed using PKI (Public Key Infrastructure): a DNS server with DNSSEC signature validation activated accepts only responses whose cryptographic signature verifies against the domain's published key. Modern cryptographic algorithms provide sufficient assurance that a valid DNS response can originate only from the authoritative server for that domain name and that the response cannot be altered en route to the user.

To ensure DNSSEC accomplishes its purpose, two equally important conditions must be met:

  • The domain name must be DNSSEC-signed
  • Internet users must use DNS servers with DNSSEC validation enabled

DNSSEC Signing of Domain Names

Although the process of signing domain names is still complex, much work has been done in recent years to automate it. Some hosting and DNS providers offer this service as part of their standard offerings, and some RNIDS-accredited registrars have implemented DNSSEC and offer it to their users.

Regardless of whether you perform DNSSEC signing on your own DNS server or on another provider's, you must submit DS (Delegation Signer) record information for your DNSSEC key to the RNIDS database through your accredited registrar. RNIDS currently accepts the entry of a DS record with the structure shown in the image.

Through the accredited registrar, the following data is entered into the RNIDS database:

  • Key tag (KSK key ID)
  • Algorithm (algorithm used for generating the KSK DNSSEC key)
  • Digest type (algorithm used to generate the DNSSEC key digest — the DS record)
  • Digest (the cryptographic digest of the DNSSEC key)
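The four values listed above are not chosen by hand; they are derived from the KSK's DNSKEY record, and a validating resolver recomputes them to link the parent zone (the .RS delegation) to your zone's key. The following added example (written for this page, not RNIDS's or any registrar's code) derives the key tag, algorithm, digest type and digest from a DNSKEY exactly as RFC 4034 describes, and then performs the comparison a resolver makes, which is also the check worth running before handing a DS record to your registrar. The owner name, key bytes and flag values are constructed sample data, not a real key; `name_to_wire`, `make_ds` and `ds_matches_dnskey` are names chosen here.

```python
import base64
import hashlib
import struct

# DS digest types registered for DNSSEC (RFC 4034, RFC 4509, RFC 6605).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # Secure Entry Point bit; set on a KSK (flags value 257)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    out = bytearray()
    stripped = name.rstrip(".").lower()
    if stripped:
        for label in stripped.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"invalid label {label!r} in {name!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): sum the RDATA as 16-bit big-endian words,
    fold the carry once, keep the low 16 bits. This is the 'Key tag' DS field."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def is_ksk(flags: int) -> bool:
    """A DS should reference a key-signing key, i.e. a DNSKEY with the SEP bit set."""
    return bool(flags & SEP_FLAG)


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> dict:
    """Derive the four DS fields from a DNSKEY.
    digest = H(canonical owner name || DNSKEY RDATA), H chosen by digest_type."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                      pubkey_b64: str, ds: dict) -> bool:
    """The check a validating resolver performs (and the one to run before
    submitting a DS to the registrar): recompute the DS and compare every field."""
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and expected["digest"] == ds["digest"].upper())


def format_ds(owner: str, ds: dict) -> str:
    """Zone-file presentation of the DS record, the form registrars usually ask for."""
    return f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


# Constructed sample DNSKEY (NOT a real key): flags 257 = zone key + SEP, i.e. a KSK;
# algorithm 13 (ECDSAP256SHA256) public keys are 64 raw bytes, here simply 0..63.
SAMPLE_OWNER = "example.rs."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    print(format_ds(SAMPLE_OWNER, ds))
    print("KSK:", is_ksk(SAMPLE_FLAGS), "DS matches DNSKEY:",
          ds_matches_dnskey(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                            SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64, ds))
```

Because the digest covers the owner name as well as the key material, a DS generated for the wrong zone name, or from a DNSKEY whose flags or algorithm were transcribed incorrectly, will not match and the delegation will fail validation; comparing all four fields before submission catches exactly that class of mistake.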

Whom Should You Contact to Have Your Domain Name DNSSEC-Signed?

DNSSEC signing of a domain name can be performed on your own infrastructure or through a DNS provider offering this service. This can be your accredited registrar, internet or hosting provider, or you can use services from commercial or free DNS providers.

If you do not have your own DNS server, check with your accredited registrar whether they provide DNSSEC signing services for domain names or whether they plan to offer the option soon. Not all accredited registrars can provide DNSSEC signing, but all can forward DNSSEC data you provide to RNIDS.

Find out who provides DNSSEC signing services and sign your domain name. DNSSEC signing does not have to be expensive — in some cases it is even free — and it can help preserve your reputation and ensure your users can safely use your service.


What Must Internet Users Do?

For internet users to have complete protection against DNS response manipulation and the risk of being redirected to sites controlled by cybercriminals, they must use DNS resolvers (company DNS servers, ISP servers, home router DNS servers...) that validate DNSSEC signatures.

Responsible administrators of corporate systems and ISPs have DNSSEC validation enabled on the DNS servers their users rely on. Likewise, all major public DNS servers (Google, PCH, Cloudflare, Cisco) validate DNSSEC signatures and do not return an IP address if the signature is invalid. For domain names that are not DNSSEC-signed, resolution is performed without validation, but such domain names carry real risks: users may be redirected to locations controlled by cybercriminals.

DNSSEC is an important element of increasing security on the internet, and whether you are simply an internet user or operate an internet service, you should take advantage of the benefits it offers. As a first step, check whether your DNS resolver validates DNSSEC signatures at res-check.dnssec.rs.

Activate DNSSEC through your accredited registrar.
