How DNSSEC provides a baseline of Internet security

Domain Name System Security Extensions allow the use of digital signatures to ensure the integrity of DNS queries

The Domain Name System maps the domain names used by people to the numerical IP addresses that computers use to direct Internet traffic. DNSSEC was designed to protect the system from attacks such as cache poisoning by adding a set of extensions to the DNS protocol — the DNS Security Extensions — that allow the use of digital signatures to ensure that responses to DNS queries have not been spoofed or otherwise tampered with.

DNSSEC authenticates the origin of the response and the integrity of the data, and it can verify that a requested name does not exist (authenticated denial of existence). It does not encrypt the response or protect its confidentiality.

Records in DNS name servers are digitally signed using public-key cryptography. When a security-aware application requests a record, the response contains a Resource Record Signature (RRSIG) and the DNS Public Key (DNSKEY) that can be used to check that signature. A DNS resolver uses that information to validate the signature and authenticate the response. The resolver can also determine whether the queried domain is not using DNSSEC at all, or whether validation failed.

To adequately authenticate a response, the digital signature must be verified with a public key that can itself be trusted as belonging to the domain’s authoritative name server. That requires a chain of trust: the resolver verifies the signature in the subdomain where the record was signed, then checks that zone’s key against the key published for the parent domain or zone, and continues upward until it reaches the authoritative root zone.

Until every link in this chain has been completed with DNSSEC signatures and keys, users get assurances only within the islands of trust formed by the completed sections of the chain. That is why the establishment of a trust anchor containing the public keys for the Internet’s root zone is important to the adoption of DNSSEC. The trust anchor does not by itself ensure that every trust chain is complete, but it ensures that the chains can be completed once all the domains and subdomains under the root have been signed.
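To make the chain-of-trust walk concrete, here is an added example (not code from the article) that models signed zones in Go with Ed25519 and validates a chain from a configured trust anchor down to a leaf record, reporting a spoofed record, a substituted key, or a parent that publishes no DS for its child (an island of trust). It simplifies real DNSSEC: one key per zone instead of separate KSK and ZSK, one record instead of whole RRsets, and a SHA-256 digest of the child key standing in for the DS record; zone names and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Zone is a simplified model: one DNSKEY, one record, the DS published for its child,
// and an RRSIG made with this zone's private key that covers Record and ChildDS.
type Zone struct {
	Name    string
	Key     ed25519.PublicKey // DNSKEY
	Record  string            // constructed sample data, e.g. "www.example.test. A 192.0.2.10"
	ChildDS []byte            // DS: SHA-256 digest of the delegated child's DNSKEY; nil if none
	RRSIG   []byte            // signature over Record+ChildDS
}

func dsDigest(k ed25519.PublicKey) []byte { h := sha256.Sum256(k); return h[:] }
func (z *Zone) signedData() []byte          { return append([]byte(z.Record), z.ChildDS...) }

// BuildChain signs zones leaf-upward so each parent can embed its child's DS. names and
// records are root first; the digest of the root DNSKEY is returned as the trust anchor.
func BuildChain(names, records []string) ([]*Zone, []byte) {
	zones, childDS := make([]*Zone, len(names)), []byte(nil)
	for i := len(names) - 1; i >= 0; i-- {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil { panic(err) }
		z := &Zone{Name: names[i], Key: pub, Record: records[i], ChildDS: childDS}
		z.RRSIG = ed25519.Sign(priv, z.signedData())
		zones[i], childDS = z, dsDigest(pub)
	}
	return zones, childDS
}

// Validate walks root-first: each DNSKEY must match the digest its parent's DS (or the
// trust anchor) vouches for, and each RRSIG must verify. A missing DS ends the chain.
func Validate(anchor []byte, chain []*Zone) (bool, string) {
	expect, vouchedBy := anchor, "trust anchor"
	for _, z := range chain {
		if expect == nil {
			return false, "no DS for " + z.Name + " from " + vouchedBy + ": island of trust"
		}
		if string(expect) != string(dsDigest(z.Key)) {
			return false, "DNSKEY of " + z.Name + " does not match " + vouchedBy
		}
		if !ed25519.Verify(z.Key, z.signedData(), z.RRSIG) {
			return false, "RRSIG for " + z.Name + " does not verify"
		}
		expect, vouchedBy = z.ChildDS, "DS in "+z.Name
	}
	return true, "every link verified up to the trust anchor"
}
```

A resolver that stops at the first failing link, as Validate does, is what turns a forged or re-signed answer into a validation failure rather than a silently accepted record.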

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Jun 7, 2010 Jeffrey A. Williams Frisco Texas

These "Trust Anchors" are nothing more than a group of look-aside servers containing the relevant signatures/keys. As such, the 'Trust' level to a degree depends solely on these servers being maintained adequately on a 24/7/365 basis and BTW are privately owned and managed. That's an obvious problem IMO.