Domain Name System Security Extensions (DNSSEC)
- Snippet from Wikipedia: Domain Name System Security Extensions
The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
Stands for “Domain Name System Security Extensions.” It is an extension of the standard domain name system (DNS), which translates domain names to IP addresses. DNSSEC improves security by validating the authenticity of the DNS data.
The original domain name system was developed in the 1980s with minimal security. For example, when a host requests an IP address from a name server using a standard DNS query, it assumes the name server is valid. However, a name server can pretend to be another server by spoofing (or faking) its IP address. A fake name server could potentially redirect domain names to the wrong websites.
DNSSEC provides extra security by requiring authentication with a digital signature. Each query and response is “signed” using a public/private key pair. The private key is generated by the host and the public key is generated by a DNS zone, or group of trusted servers. These servers create a chain of trust, in which they validate each other's public keys. Each DNSSEC-enabled name server stores its public key in a hashed “DNSKEY” DNS record.
Enabling DNSSEC While DNSSEC is not required for web servers or mail servers, many web hosts recommend it. To configure DNSSEC, you must use a nameserver that supports it, like PowerDNS or Knot DNS. Then you must enable DNSSEC on your server and configure it within the control panel interface.
If you are using a public nameserver, activating DNSSEC up may be as simple as clicking “Enable DNSSEC.” If you are using a custom name server, you may need to manually create one or more delegation signer (DS) records. After you have enabled DNSSEC, it may take several hours to activate since the server must validate the DS records with other servers within the DNS zone.