The nuts and bolts of DNSsec

The Domain Name System helps make a ubiquitous, global Internet practical by providing an infrastructure for mapping labels such as URLs and e-mail addresses to numerical IP addresses. Understandable addresses that can be remembered and convey information about the addressee, such as, provide a friendly user interface for the Internet.

The original DNS specifications were finalized by 1983 in Internet Engineering Task Force RFC 882 and RFC 883. These have since been revised and replaced. Four Berkeley students created the first Unix implementation of DNS in 1984, which became the Berkeley Internet Name Domain (BIND) in 1985. This has become one of the most widely deployed name servers.

The DNS Security Extensions (DNSsec) are a response to vulnerabilities in DNS that make it possible for hackers to provide false information to a request, thus misinforming and misdirecting a client. The initial specification was published in 1997 and was replaced in 1999 with IETF RFC 2535. Further refinements have since been added.

With DNSsec, answers to requests are digitally signed to protect clients from forged DNS data. It provides:
  • Origin authentication of DNS data.
  • Data integrity.
  • Authenticated denial of existence for an address that cannot be found.

Although digitally signed responses can be authenticated, they are not encrypted, and DNSsec does not provide confidentiality for the data.

About the Author

William Jackson is a Maryland-based freelance writer.


  • 2020 Government Innovation Awards
    Government Innovation Awards -

    21 Public Sector Innovation award winners

    These projects at the federal, state and local levels show just how transformative government IT can be.

  • Federal 100 Awards
    cheering federal workers

    Nominations for the 2021 Fed 100 are now being accepted

    The deadline for submissions is Dec. 31.

Stay Connected