What is DNSSEC?
DNSSEC is short for DNS Security Extensions. It is a long-awaited and much-needed upgrade to the security of the Internet, designed to protect you from certain attacks that you cannot see or control (known as “cache poisoning” or the “Kaminsky bug”). In these attacks you click on a link, but your computer is silently sent to a location you did not choose, with no control on your part.
The DNSSEC upgrade is added without any disruption to customers and Internet users. DNSSEC extends the basic Domain Name System (DNS), the system that translates web site addresses (domain names) into the numeric IP addresses that computers use to find each other online.
Why do I need DNSSEC to protect my web sites?
The Domain Name System (DNS) as it works today is built on “implied trust”. When you click on a website link, your computer accepts whatever reply arrives first and does not check whether that reply is reliable information about where to go on the Internet. This insecure behaviour is shared not only by your local computer but by all servers and all Internet Service Providers (ISPs) on the Internet, which creates a giant security hole.
Imagine that you or your organization became a victim of the Kaminsky bug. Any customer who clicked a web link to reach your website would instead be redirected to some other location, where their information could be stolen, compromised or used for criminal and other malicious purposes. Adding DNSSEC to your domain name helps reduce the chances of traffic hijacking.
There is only one technology that ensures that when users click a link to your website, the address their computer receives is genuinely yours and not some other place: DNSSEC. When properly maintained, DNSSEC-signed zones provide extra security by preventing man-in-the-middle tampering with DNS answers and the traffic hijacking that follows from it. Any customer using a DNSSEC-aware (validating) resolver is not at risk from DNS spoofing of your domain.
How does DNSSEC protect my web address?
Simply put, DNSSEC adds a digital signature to DNS data so that DNS responses can be checked. When you sign your domain name with DNSSEC, each piece of your domain name’s DNS information is published together with a digital signature. When your customer types in your website address, or clicks on a link, their computer only trusts answers whose signature checks out. If the signature does not match, the computer discards the response and waits for a validated reply carrying the correct signature.
Technically speaking, DNSSEC lets you verify that the answer you receive is the data published by the zone’s trusted name server. When a registrant registers a domain name, they can also have that domain name secured via DNSSEC: by sending additional information to their registrar, registrants “sign” a domain name. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver can confirm that the information it received is identical (correct and complete) to the information held on the authoritative DNS server.
Is this really a security problem for my website?
Here are publicly reported attacks arising from DNS spoofing or DNS cache-poisoning. You decide.
Twenty most critical Internet security vulnerabilities, SANS Institute (November 2005)
Black Hat report: 10% of all DNS servers are vulnerable (August 2005).
Multiplatform ISP server attack. Affected, among others:
- CitiCards.com
- AmericanExpress.com
- FedEx.com
- DHL-USA.com
- Sabre.com
Brazilian bank users lose passwords in DNS spoofing (April 2009).
With such a big web security hole, why is DNSSEC not used everywhere already?
The delay in DNSSEC deployment has to do with education, speed, and cost. First, not enough people were convinced that DNSSEC was even necessary. The scale of this security hole was only made widely understood recently, by Internet security researcher Dan Kaminsky, who publicized just how large a problem it was for the Internet.
Second, the cryptography of signing DNS records requires more bandwidth, because DNSSEC records are quite large compared to other DNS records. For infrastructure providers, such as the top level registries and large ISPs, DNSSEC deployment is a huge undertaking.
Finally, there's also a “demand” problem with DNSSEC deployment. Many people are not aware of the DNS, let alone this specific problem.
Can I add DNSSEC for all my domains and web addresses?
So far, only .ORG has allowed their domain names to be DNSSEC signed. We are coordinating with many other registries, and they are all planning to implement DNSSEC soon. This includes domain names from the leading generic top level domains such as .COM, .NET, .INFO, .BIZ, from specialized sponsored domains such as .AERO and also country code domain names such as .IN (India), .SC (Seychelles), .MN (Mongolia), .UK (United Kingdom) and .DE (Germany).
Is my email also protected when I add DNSSEC for my domains and websites?
Because DNSSEC protects your domains and websites at the DNS network layer, your emails are also protected from DNS spoofing and DNS hijacking.
I already use SSL for my website, do I still need DNSSEC?
Yes! SSL only encrypts the transactions and communication between the customer and your website; the DNS lookup underneath can still be hijacked. Only adding DNSSEC to your domains ensures that your customers’ DNS is not spoofed when they click to come to your website.
How can I add DNSSEC for my domains, websites and email?
Just log into your Management Panel and click on the Graphical Navigation menu on the right hand side to add DNSSEC to your domain names.
Of course, you can always call us for more assistance.
How much does it cost to add DNSSEC for my domains, websites and email?
We charge a nominal fee per year for each domain name that is DNSSEC signed. Please contact us for more details on the cost to add DNSSEC for your domains.
Technical Information and Documentation
What is a DNS resolver?
A DNS resolver is the program on a user’s computer that sends queries to the DNS. Once a response is received, the resolver returns it to the end user’s application.
Where can I find the technical specifications regarding DNSSEC?
RFC 4310: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
RFC 4033: DNS Security Introduction and Requirements
RFC 4034: Resource Records for the DNS Security Extensions
RFC 4035: Protocol Modifications for the DNS Security Extensions
RFC 4641: DNSSEC Operational Practices
RFC 5155: NSEC3 – an alternative resource record which provides additional measures against zone enumeration and permits gradual expansion of delegation-centric zones.
RFC 5910: DNSSEC enhancements for registry EPP protocol.
What exactly does DNSSEC do?
DNSSEC, applied to each zone, provides:
- Origin Authentication of DNS Data
- Data Integrity
- Authenticated Denial of Existence
By using cryptographic digital signatures that chain up to a trusted key (the trust anchor), DNS resolvers all over the Internet can determine the authenticity of DNS data, thereby eliminating DNS spoofing for validating resolvers.
What is a key?
A key pair consists of two digital keys: a private key (held only by the registry) and a public key (distributed to the public). The registry uses the private key to sign the zone. End users' validators (or the validators at their ISPs) fetch the signatures along with the data and use the registry's public key to verify them; no private key is needed on the validating side.
What is a key rollover?
A key rollover occurs when the registry needs to replace its key pair. This means that the registry zone must be re-signed and that the public must update their validating resolvers with the new public portion of the registry zone key.
What would happen if people did not update their validating resolvers with the new registry zone key?
Once the old key is purged, signed domains in the registry zone would no longer resolve for those people whose validating resolvers still trusted only the old registry key. It would not affect people who are not using DNSSEC; they would continue to see the domain name.
Since this could cause resolution problems, why would a registry ever do a key rollover?
There are two reasons for a registry to do a key rollover. The first reason would be if one of the registry private keys were compromised (i.e., stolen) and had to be immediately revoked. The second is for prevention of compromise (see next question for further information), where a key rollover would be scheduled at regular intervals.
How does a scheduled rollover help prevent key compromise?
DNSSEC uses cryptographic algorithms to "sign" a zone. No signature scheme is secure indefinitely; all are subject to cryptanalysis. It is therefore possible, in principle, for an attacker to learn the private key of a key pair even though that key has never been disclosed, whether through "brute force" or other types of attacks. Every such attack takes time to complete. Periodically changing the key shortens the window an attacker has to attempt the compromise.
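As an added example (not code from this page or from the registrar), the signing and validation the page describes, simulated in Go with the Ed25519 algorithm that DNSSEC supports (RFC 8080): the zone's private key signs a record set, a resolver checks it with only the public key, a spoofed answer fails, and a key rollover shows why validators must install the new key. The text form of the record set, the function names and the sample name and addresses are constructed assumptions, not DNSSEC wire format.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"sort"
)

// RRset is the unit DNSSEC signs: one owner name, type, TTL and the set of
// records at that name (RFC 4034 signs RRsets, never individual queries).
type RRset struct {
	Name, Type string
	TTL        uint32
	Rdata      []string
}

// canonical is a simplified text stand-in for the RFC 4034 canonical RRset form
// (sorted rdata so record order cannot change the signature); real DNSSEC signs wire format.
func canonical(rr RRset) []byte {
	rd := append([]string(nil), rr.Rdata...)
	sort.Strings(rd)
	return []byte(fmt.Sprintf("%s|%s|%d|%q", rr.Name, rr.Type, rr.TTL, rd))
}

// SignRRset is the authoritative side: the zone's private key produces the
// signature that is published alongside the records (the RRSIG record).
func SignRRset(priv ed25519.PrivateKey, rr RRset) []byte {
	return ed25519.Sign(priv, canonical(rr))
}

// Validate is the resolver side and needs only the zone's public key (the trust anchor);
// an altered record or a signature made with a different key fails, and the answer is discarded.
func Validate(anchor ed25519.PublicKey, rr RRset, sig []byte) bool {
	return ed25519.Verify(anchor, canonical(rr), sig)
}

// Rollover simulates the registry replacing its key: the zone is re-signed and the
// new public key returned, which every validating resolver must then install.
func Rollover(rr RRset) (ed25519.PublicKey, []byte) {
	pubNew, privNew, _ := ed25519.GenerateKey(nil)
	return pubNew, SignRRset(privNew, rr)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)                           // nil reader means crypto/rand
	rr := RRset{"www.example.org.", "A", 3600, []string{"192.0.2.10"}} // constructed sample
	sig := SignRRset(priv, rr)
	forged := RRset{rr.Name, rr.Type, rr.TTL, []string{"198.51.100.99"}} // spoofed reply
	pubNew, sigNew := Rollover(rr)
	fmt.Println(Validate(pub, rr, sig), Validate(pub, forged, sig), Validate(pub, rr, sigNew), Validate(pubNew, rr, sigNew))
}
```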
How will people be made aware of a key rollover?
It will be announced on the Registry’s Web site, and also on our own web site.
More Information
Where can I go to learn more about DNSSEC?
VIDEO:
DNSSEC For Registrars (WebEx Viewer) Source: PIR
DOCUMENTS:
DNSSEC overview Source: Afilias (PDF Document, 74 KB)
DNSSEC DATA SHEET Source: PIR (PDF Document, 189 KB)
Securing a domain: SSL vs. DNSSEC Source: Afilias (PDF Document, 88 KB)
DNSSEC Impact on Broadband Routers and Firewalls Source: Nominet (PDF Document, 320 KB)
DNSSEC Checklist for Internet Service Providers Source: PIR (PDF Document)
PRESENTATIONS & BLOG POSTS:
DNSSEC Registrar Experience Source: NamesBeyond, ICANN (PDF Document, 557 KB)
DNSSEC Implementation Source: Ram Mohan, ICANN (PDF Document, 557 KB)
You Don't Need to Hack Twitter.com to Control All Its Traffic and Email Source: CircleID
Lessons From DNSSEC Implementation Source: CircleID
Government Computing DNSSEC Workshop Source: Afilias
WEB SITES:
dnssec.net: It contains references to all major DNSSEC projects, presentations, research work, DNSSEC enabled software, and IETF reference material.
dnssec-deployment Working Group: The DNSSEC Deployment Working Group is a group of experts active in the development or deployment of DNSSEC.
dnssec-tools Project: The goal of the DNSSEC-Tools project is to create a set of software tools, patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC related technologies.
INDUSTRY GROUPS:
DNSSEC Industry Coalition: The DNSSEC Industry Coalition is a global group of registries and industry experts whose mission is to work collaboratively to facilitate adoption of Domain Name Security Extensions (DNSSEC) and streamline the implementations across Domain Name Registries. NamesBeyond is a member.