DNSSEC is a feature of the Domain Name System (DNS) that uses cryptographic authentication to verify that the DNS records returned in a DNS query come from an authoritative name server and are not altered en route.
In simple terms, DNSSEC helps ensure that users are directed to the actual website they are searching for, and not a fake one. While it doesn't keep searches private (transport layer security, or TLS, is the protocol designed to provide privacy on the internet), it does help prevent malicious entities from substituting manipulated DNS responses for the answer to a DNS request.
DNSSEC (short for Domain Name System security extensions) extends the DNS protocol to address vulnerabilities that leave the system susceptible to various cyberattacks, such as DNS spoofing, DNS cache poisoning, man-in-the-middle attacks, and other unauthorized modifications of DNS data. DNSSEC deployment helps to fortify the DNS against these risks, providing a more secure and reliable infrastructure for the internet. When a DNS resolver queries for information, the lookup responses are validated by verifying digital signatures, confirming the authenticity and integrity of the received data.
As cybersecurity threats continue to evolve, the demand for robust security measures, including DNSSEC, is likely to grow. Organizations like the Internet Corporation for Assigned Names and Numbers (ICANN) actively promote its global adoption, reflecting a growing recognition of its crucial role in DNS security.
To help secure the DNS, DNS security extensions add cryptographic signatures to existing DNS records. These signatures are stored in DNS name servers with other DNS record types, such as A records (which create a direct connection between an IPv4 address and a domain name), AAAA records (which connect domain names to IPv6 addresses), MX records (which direct emails to a domain mail server), and CNAME records (which map aliases to their true, or “canonical,” domain names).
Other related records and terms helpful to understanding how DNSSEC functions include:
DS records are used to establish a secure chain of trust between a parent zone and a child zone. They contain a cryptographic hash of a DNSKEY record (the child zone's public key-signing key).
DNSKEY records (also known as DNSSEC keys) store public keys that are associated with a particular DNS zone. These keys are used for verifying digital signatures and ensuring the authenticity and integrity of DNS data within that zone.
RRSIG records contain a cryptographic signature that is associated with a set of DNS resource records.
An RRset (resource record set) is a collection of all resource records of the same type at a particular name in the DNS. For example, if two IP addresses are associated with "example.com," the A records for these addresses are bundled together to form one RRset.
An NSEC (next secure) record lists the record types that exist at a name and is used to provide authenticated denial of existence for a name that does not exist. It works by returning the "next secure" name in the zone. For example, if a recursive resolver queries a name server for a name that doesn't exist, the name server returns the NSEC record of the nearest existing name before it, whose "next" field points to the following existing name, proving that nothing exists in between.
NSEC3 is an enhancement to NSEC. It improves security by making it harder for attackers to predict or enumerate the names that exist in a zone. It works in the same way as NSEC but uses cryptographically hashed record names rather than listing the names in the zone in plain form.
Zone-signing key (ZSK) pairs, a public key and a private key, are authentication keys used to sign and verify an RRset. In DNSSEC, each zone has a ZSK pair. The private key is used to create digital signatures for the RRset. These signatures are stored as RRSIG records in the name server. The associated public key, stored in a DNSKEY record, verifies the signatures, confirming the authenticity of the RRset. However, additional measures are needed to validate the public ZSK itself. For this, a key-signing key is used.
A key-signing key (KSK) is another public/private key pair and is used to verify that the public zone-signing key has not been compromised.
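The NSEC mechanism described above, as an added example written for this page rather than code from the article or from any DNS server or resolver: it builds an NSEC chain for a small constructed zone using the canonical name ordering that validators rely on (labels compared from the right, case-insensitively, as RFC 4034 specifies), and shows which record a signed zone would return to deny a queried name, including the wrap-around record that closes the chain back at the apex. The signing of the NSEC records themselves is left out; the zone contents, the apex name and the queries are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// labels returns a name's labels lowercased and rightmost first, which is the
// order RFC 4034 section 6.1 canonical ordering compares ("com", "example", "www").
func labels(name string) []string {
	parts := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// CanonicalLess reports whether a sorts before b in DNSSEC canonical order:
// compare label by label from the right; a parent sorts before its children.
func CanonicalLess(a, b string) bool {
	la, lb := labels(a), labels(b)
	for i := 0; i < len(la) && i < len(lb); i++ {
		if la[i] != lb[i] {
			return la[i] < lb[i]
		}
	}
	return len(la) < len(lb)
}

// NSEC is one link of the chain: the next owner name in canonical order and
// the record types present at Owner. Names are fully qualified (trailing dot).
type NSEC struct {
	Owner, Next string
	Types       []string
}

// BuildChain sorts the zone's names canonically and links each to its
// successor; the last record points back to the apex, closing the loop.
func BuildChain(apex string, zone map[string][]string) []NSEC {
	names := make([]string, 0, len(zone))
	for n := range zone {
		names = append(names, n)
	}
	sort.Slice(names, func(i, j int) bool { return CanonicalLess(names[i], names[j]) })
	chain := make([]NSEC, len(names))
	for i, n := range names {
		next := apex
		if i+1 < len(names) {
			next = names[i+1]
		}
		chain[i] = NSEC{Owner: n, Next: next, Types: zone[n]}
	}
	return chain
}

// Covers reports whether r proves qname does not exist: qname sorts strictly
// between Owner and Next, or after Owner when r is the wrap-around record.
func (r NSEC) Covers(qname, apex string) bool {
	if !CanonicalLess(r.Owner, qname) {
		return false
	}
	if strings.EqualFold(r.Next, apex) {
		return true // last record: everything after Owner is covered
	}
	return CanonicalLess(qname, r.Next)
}

// DenialFor returns the NSEC record a signed answer would carry to deny qname,
// or nil when the name exists (a normal or NODATA answer applies instead).
func DenialFor(chain []NSEC, apex, qname string) *NSEC {
	for i := range chain {
		if strings.EqualFold(chain[i].Owner, qname) {
			return nil
		}
		if chain[i].Covers(qname, apex) {
			return &chain[i]
		}
	}
	return nil
}

func main() {
	// Constructed sample zone: three names, each with its record types.
	apex := "example.com."
	chain := BuildChain(apex, map[string][]string{
		"example.com.":      {"SOA", "NS", "A", "NSEC", "RRSIG"},
		"mail.example.com.": {"A", "MX", "NSEC", "RRSIG"},
		"www.example.com.":  {"A", "NSEC", "RRSIG"},
	})
	for _, q := range []string{"ftp.example.com.", "zzz.example.com.", "www.example.com."} {
		if r := DenialFor(chain, apex, q); r != nil {
			fmt.Printf("%s does not exist: covered by NSEC %s -> %s\n", q, r.Owner, r.Next)
		} else {
			fmt.Printf("%s exists\n", q)
		}
	}
}
```

The chain is exactly what makes plain NSEC enumerable: every denial reveals two real names, which is the gap NSEC3's hashed owner names are meant to narrow.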
DNS security extensions provide a cryptographically-secured framework that is designed to enhance the security and trustworthiness of the DNS. At its core, DNSSEC employs a system of public and private key pairs. To enable DNSSEC validation, a zone administrator generates digital signatures (stored as RRSIG records) using the private zone-signing key, and a corresponding public key that is distributed as a DNSKEY record. A key-signing key is used to sign and authenticate the ZSK, providing an additional layer of security.
DNS resolvers, when queried, retrieve the requested RRset and the associated RRSIG record, which contains the signature produced with the private zone-signing key. The resolver then requests the DNSKEY record that holds the public ZSK. These three assets together validate the response the resolver receives. However, the authenticity of the public ZSK itself still needs to be verified. This is where the key-signing keys come in.
The key-signing key is used to sign the public ZSK and create an RRSIG for the DNSKEY. The name server publishes a public KSK in a DNSKEY record, as it did for the public ZSK. This creates an RRset containing both DNSKEY records. These are signed by the private KSK, and validated by the public KSK. This authentication validates the public ZSK—the purpose of the KSK—and verifies the authenticity of the requested RRset.
DNSSEC operates on the principle of establishing a "chain of trust" throughout the DNS hierarchy, and the signing of DNS data at each level to create a verifiable path that ensures the integrity and authenticity of the data. Each link in the chain is secured with digital signatures, creating a trust anchor that starts at the root zone servers and extends down through the top-level domain (TLD) servers to the authoritative DNS servers for individual domains.
Delegation signer (DS) records are used to enable the transfer of trust from a parent to a child zone. When a resolver is referred to a child zone, the parent zone provides a DS record that contains a hash of the child zone's public KSK (its DNSKEY record). This is compared against a hash of the public KSK that the child zone itself publishes. A match indicates the authenticity of the public KSK and lets the resolver know that the records in the subdomain (child zone) can be trusted. This process repeats from zone to zone, establishing a chain of trust.
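The full chain described in the preceding paragraphs (the ZSK signs the RRset, the KSK signs the DNSKEY RRset, and the parent's DS pins the KSK), as an added Go example written for this page rather than code from the article or from any resolver: it generates a KSK and a ZSK for a constructed `example.com.` zone using Ed25519 (DNSSEC algorithm 15, RFC 8080), builds the DNSKEY RDATA and the DS digest in their wire formats (DS digest type 2, RFC 4509), and then runs the three checks a validating resolver performs, showing that a single altered A record makes validation fail. The DNSKEY and DS encodings follow the RFCs; the data the RRSIG signature covers is simplified here (owner name, type and sorted RDATA, without the RRSIG header fields), so the signatures are illustrative and not interchangeable with real RRSIGs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// DNSKEY is a public signing key as published in the zone: flags 257 marks a KSK
// (secure entry point), 256 a ZSK; protocol is always 3; algorithm 15 is Ed25519 (RFC 8080).
type DNSKEY struct {
	Flags     uint16
	Protocol  uint8
	Algorithm uint8
	PublicKey ed25519.PublicKey
}

// RDATA serializes the record in wire format: flags (big-endian), protocol, algorithm, key.
func (k DNSKEY) RDATA() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}, k.PublicKey...)
}

// nameToWire encodes "example.com." as lowercase length-prefixed labels.
func nameToWire(name string) []byte {
	var w []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if l != "" {
			w = append(append(w, byte(len(l))), l...)
		}
	}
	return append(w, 0) // root label terminator
}

// DSDigest is what the parent publishes for the child: SHA-256 over the child's
// owner name followed by its KSK RDATA (DS digest type 2, RFC 4509).
func DSDigest(owner string, ksk DNSKEY) []byte {
	sum := sha256.Sum256(append(nameToWire(owner), ksk.RDATA()...))
	return sum[:]
}

// signedData is a simplified stand-in for the RFC 4034 signature input (owner, type,
// every RDATA in canonical sorted order); a real RRSIG also covers its own header fields.
func signedData(owner, rrtype string, rdatas [][]byte) []byte {
	sorted := append([][]byte(nil), rdatas...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i], sorted[j]) < 0 })
	data := append(nameToWire(owner), rrtype...)
	for _, r := range sorted {
		data = append(data, r...)
	}
	return data
}

// Zone is the signed material a validating resolver fetches from the child zone.
type Zone struct {
	Owner    string
	KSK, ZSK DNSKEY
	ARecords [][]byte // A RDATA: 4-byte IPv4 addresses
	ASig     []byte   // RRSIG over the A RRset, made with the private ZSK
	KeySig   []byte   // RRSIG over the DNSKEY RRset, made with the private KSK
}

// NewSignedZone generates a KSK and a ZSK, signs the DNSKEY and A RRsets, and
// returns the DS digest the parent must publish to complete the chain of trust.
func NewSignedZone(owner string, addrs [][]byte) (Zone, []byte) {
	kskPub, kskPriv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	zskPub, zskPriv, _ := ed25519.GenerateKey(nil)
	z := Zone{Owner: owner, KSK: DNSKEY{257, 3, 15, kskPub}, ZSK: DNSKEY{256, 3, 15, zskPub}, ARecords: addrs}
	z.ASig = ed25519.Sign(zskPriv, signedData(owner, "A", addrs))
	z.KeySig = ed25519.Sign(kskPriv, signedData(owner, "DNSKEY", [][]byte{z.KSK.RDATA(), z.ZSK.RDATA()}))
	return z, DSDigest(owner, z.KSK)
}

// ValidateChain performs the resolver-side checks in order: the parent's DS must match
// the KSK, the KSK must verify the DNSKEY RRset (which carries the ZSK), and the ZSK must verify the A RRset.
func ValidateChain(z Zone, parentDS []byte) error {
	if !bytes.Equal(DSDigest(z.Owner, z.KSK), parentDS) {
		return fmt.Errorf("DS from parent does not match the child KSK")
	}
	keys := [][]byte{z.KSK.RDATA(), z.ZSK.RDATA()}
	if !ed25519.Verify(z.KSK.PublicKey, signedData(z.Owner, "DNSKEY", keys), z.KeySig) {
		return fmt.Errorf("DNSKEY RRset signature does not verify under the KSK")
	}
	if !ed25519.Verify(z.ZSK.PublicKey, signedData(z.Owner, "A", z.ARecords), z.ASig) {
		return fmt.Errorf("A RRset signature does not verify under the ZSK")
	}
	return nil
}

func main() {
	// Constructed sample data: a two-address A RRset for example.com.
	z, ds := NewSignedZone("example.com.", [][]byte{{192, 0, 2, 1}, {192, 0, 2, 2}})
	fmt.Println("untouched zone:", ValidateChain(z, ds))
	z.ARecords[0] = []byte{198, 51, 100, 9} // a response altered en route
	fmt.Println("tampered zone:", ValidateChain(z, ds))
}
```

Run as is, the untouched zone validates (nil error) and the tampered copy fails at the ZSK step. The order of the checks matters: a resolver that skipped the DS comparison would accept any self-consistent KSK/ZSK pair, which is exactly the substitution the parent's DS record exists to rule out.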
DNSSEC and DNS security are related concepts within the realm of internet security, each with a distinct focus and scope. DNSSEC specifically refers to a set of DNS extensions designed to fortify the security of the Domain Name System. Its primary objective is to ensure the integrity and authenticity of DNS records through private and public key cryptography.
DNS security is a broader term that encompasses a comprehensive approach to securing the entire DNS environment. While DNSSEC is a crucial component of DNS security, the scope of DNS security extends beyond the specific protocols of DNSSEC. DNS security addresses a wide range of threats, including distributed denial of service (DDoS) attacks and domain theft, providing a holistic strategy to protect against malicious activities that might compromise the DNS infrastructure.