DNSSEC basics

DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System.

The original design of the Domain Name System (DNS) did not include security; instead it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempts to add security, while maintaining backwards compatibility.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. It is a set of extensions to DNS, which provide to DNS clients (resolvers):

1. Origin authentication of DNS data

2. Data integrity (but not availability or confidentiality)

3. Authenticated denial of existence.

All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in CERT records in the DNS.

Having been through difficulties in development over the years, the DNSSEC protocol has been improved up to the point that it is now widely accepted in its current incarnation. With the signing of the root zone in 2010 and the signing of the .com zone in 2011 the speed of DNSSEC adoption is expected to increase rapidly in the coming years.

Micetro by Men&Mice can be integrated with some of the most commonly used tools to sign DNSSEC zones today. This should enable you to do the most common DNS management tasks in much the same way as before, enhancing your DNS security without overly increasing the complexity.

How to deploy DNSSEC?

Deploying DNSSEC is a two way process. DNSSEC must be deployed at both the authoritative side (DNS servers) and the client side (resolvers, browsers, applications). At the client side the ultimate security will be achieved if the DNSSEC validation is done by the end-user applications rather than by external resolvers at the ISP, for example. Browsers, such as Chrome and Firefox, are soon to have natively built-in DNSSEC validators.

Deploying DNSSEC at the authoritative side is a bit more cumbersome, at least initially. Since the signing of the DNS zones is far from straightforward, there is much need for tools that assist with the zone signing procedure. Taking into account that a zone needs to be resigned every time its content changes and when the signing keys expire, the tool should also be as automated as possible. Fortunately, there are a number of options for those wanting to sign and maintain their zones.

OpenDNSSEC is a standalone DNS zone signer that should work with any type of DNS server as long as the zones are file based.

Secure64 is a complete DNS and DNSSEC appliance with an emphasis on security and automation.

BIND version 9.7 and newer can be configured so that the zone signing is mostly automatic, even for dynamic zones. Micetro by Men&Mice can be integrated with any of these tools. This will make the transition to DNSSEC as seamless as possible. After configuring the DNSSEC signing tool of choice for the first time, the user can do most of the DNS management in much the same way as before, such as adding/removing records and zones. This way, your organization can enjoy the security benefits of DNSSEC without adding much complexity to the DNS management.

How does DNSSEC work?

Essentially, DNSSEC works by digitally signing the DNS records at the authoritative DNS server with public-key cryptography. A number of new resource records have been introduced for this purpose:

* Resource Record Signature (RRSIG)

* DNS Public Key (DNSKEY)

* Delegation Signer (DS)

* Next Secure (NSEC / NSEC3)

It also adds two new DNS header flags:

* Checking Disabled (CD)

* Authenticated Data (AD)

When DNSSEC is used, each answer to a DNS lookup will contain an RRSIG DNS record, in addition to the record types that were requested. The RRSIG record is a digital signature of the answer DNS resource record set. The digital signature can be verified by locating the correct public key found in a DNSKEY record.

From the results, a security-aware DNS resolver can then determine if the answer it received was correct (secure), whether the authoritative name server for the domain being queried doesn’t support DNSSEC (insecure), or if there is some sort of error. The correct DNSKEY record is found via an Authentication Chain, starting with a known good public key for a Trust Anchor, preferably at the DNS root. This public key can then be used to verify a delegation signer (DS) record. A DS record in a parent domain (DNS zone) can then be used to verify a DNSKEY record in a subdomain, which can then contain other DS records to verify further subdomains.

DNSSEC services protect against most of the threats to the Domain Name System. There are several distinct classes of threats to the Domain Name System, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol.

Note that DNSSEC does not provide confidentiality of data. Also, DNSSEC does not protect against DDoS Attacks.

What are some benefits of DNSSEC?

Securing the domain name system is integral to the security of the Internet infrastructure in whole. When properly maintained, DNSSEC signed zones provide extra security by preventing man-in-the-middle attacks. Any customer with DNSSEC-aware resolver will not be at risk from DNS spoofing. Customers that are not DNSSEC aware will not see any adverse effect. While they won’t get the protection, they’ll continue to access your domain name just as they always have. The more domain names that are using DNSSEC, the more websites and email addresses will be protected on the Internet.