Yandex

What is DNSSEC?


DNSSEC (Domain Name System Security Extensions) is a set of extensions to the DNS that add a way to verify the authenticity of the DNS information published for a given domain.

When we open a website in our browser, before its content is loaded, the DNS resolver performs a lookup to find the IP address of the given domain. While that lookup is in progress, a third party can intervene to mislead the DNS resolver and feed it wrong DNS information, for example a different IP address for the domain or fake mail-server information for it.

DNSSEC verifies the authenticity of the DNS information for a given domain and, more importantly, thereby indirectly protects the identity behind the domain and the users of the service it provides.

Each DNS zone has a public/private key pair. The owner of a zone uses its private key to sign the DNS data in that zone, producing digital signatures for that data. The recursive resolver uses the zone's public key to authenticate the DNS data: it checks the digital signature of the data it receives. If the signature verifies, the DNS data is considered genuine and is returned to the user. If the signature does not verify, the resolver assumes that an attack has occurred, discards the data, and reports the error to the user.
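The signing and validation steps described above, as an added example that is not part of the original page: a simplified model in Go in which the zone owner signs a record set with the zone's private key and the resolver accepts the data only if the signature is within its validity window and verifies under the public key. The RRset and RRSIG types, the text-based canonical encoding and the sample records are assumptions made for illustration; real DNSSEC uses the RFC 4034 wire format, and Ed25519 is one of the algorithms it supports.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RRset: records sharing one owner name and type, the unit DNSSEC signs
// (simplified model, not DNS wire format).
type RRset struct{ Name, Type string; TTL uint32; Records []string }

// RRSIG: the signature the zone owner publishes beside the RRset, with the
// validity window that real RRSIG records carry.
type RRSIG struct{ Inception, Expiration time.Time; Signature []byte }

// canonical serialises the RRset deterministically (name lower-cased, records
// sorted) so signer and validator operate on identical bytes.
func canonical(rr RRset, inc, exp time.Time) []byte {
	recs := append([]string(nil), rr.Records...)
	sort.Strings(recs)
	return []byte(fmt.Sprintf("%s|%s|%d|%d|%d|%s", strings.ToLower(rr.Name),
		rr.Type, rr.TTL, inc.Unix(), exp.Unix(), strings.Join(recs, ",")))
}

// Sign is the zone owner's step: the zone's private key signs the RRset.
func Sign(priv ed25519.PrivateKey, rr RRset, inc, exp time.Time) RRSIG {
	return RRSIG{inc, exp, ed25519.Sign(priv, canonical(rr, inc, exp))}
}

// Validate is the resolver's step: accept the data only if the signature is
// within its validity window and verifies under the zone's public key.
func Validate(pub ed25519.PublicKey, rr RRset, sig RRSIG, now time.Time) bool {
	if now.Before(sig.Inception) || now.After(sig.Expiration) {
		return false // expired or not-yet-valid signature is treated as bogus
	}
	return ed25519.Verify(pub, canonical(rr, sig.Inception, sig.Expiration), sig.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)              // the zone's key pair
	rr := RRset{"example.com.", "A", 3600, []string{"192.0.2.1"}} // constructed sample
	now := time.Now()
	sig := Sign(priv, rr, now.Add(-time.Hour), now.Add(24*time.Hour))
	forged := rr
	forged.Records = []string{"198.51.100.9"} // spoofed answer for the same name
	fmt.Println("genuine:", Validate(pub, rr, sig, now), "spoofed:", Validate(pub, forged, sig, now))
}
```

Running it prints `genuine: true spoofed: false`: the forged answer carries the real signature but no longer matches the signed bytes, which is exactly the case a validating resolver discards.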

In short, DNSSEC was designed to keep clients safe from spoofed DNS data.

You can read more about trusting DNSSEC keys at icann.org.
