
Today we’re back to talking about DNS. DNS is incredibly helpful for all of us internet citizens, but it didn’t come with any built-in security features. Such a critical part of internet infrastructure had to have something. Enter DNSSEC.
DNSSEC is short for Domain Name System Security Extensions. Its objective is to address a specific class of problems with DNS data: a resolver originally had no way to tell whether an answer really came from the zone’s owner or had been altered or forged on the way. DNSSEC adds origin authentication and integrity protection for DNS data. It is important to note that this set of extensions provides no confidentiality (queries and answers still travel in cleartext) and no availability protection.
Operation
The basic operation of DNSSEC uses digital signatures. The owner of a zone signs each set of records (an RRset) with the zone’s private key ahead of time and publishes the resulting signatures as RRSIG records alongside the data, together with the public key as a DNSKEY record. Signing is therefore an offline step done by the zone operator, not something a server does per query; an authoritative server simply serves the pre-computed RRSIGs with the records they cover. A validating resolver (or, less commonly, the client itself) fetches the DNSKEY and checks the RRSIG over the answer it received. An attacker attempting to poison the resolver’s cache with a forged record cannot produce a valid signature for it, because they do not hold the zone’s private key, so the forged answer fails validation and is discarded. What ties this together is the chain of trust: a parent zone publishes a DS record, a hash of the child’s DNSKEY, and signs that with its own key; the resolver starts from a trust anchor (the root zone’s key) and walks the chain down to the answer. This is public-key signature verification, not encryption: it lets the resolver verify the integrity and origin of the data being served, while the data itself remains readable to anyone.
It is critical to understand that this protection does nothing against something like an unauthorized DNS zone transfer (AXFR). This is when an attacker asks a DNS server to hand over all of its records for a zone, an operation that is normal between two authoritative servers (primary to secondary) but should not be allowed from an arbitrary external IP address. DNSSEC only authenticates data; it does not control who may read it, so zone transfers still have to be restricted by the server’s own access controls (for example, limiting transfers to known secondaries and authenticating them with TSIG). In fact, the NSEC records DNSSEC adds for authenticated denial of existence each point to the next name in the zone, which lets an attacker enumerate the zone’s names without a zone transfer at all; NSEC3 was introduced to make that harder.
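To make the signing step and the resolver’s chain-of-trust walk concrete, here is an added example in Go. It is not code from the original post and not a real DNSSEC implementation: it signs with Ed25519, which DNSSEC does support as algorithm 15, but replaces the canonical wire format of RFC 4034 with a sorted text rendering and uses a SHA-256 hash over name plus key as a stand-in for the DS record. The zone names, addresses, and the two poisoning attempts are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record (owner name, type, rdata). Real DNSSEC
// signs RRsets in canonical wire form (RFC 4034 s.6); a sorted text rendering stands in here.
type RR struct{ Name, Type, Data string }

// rrsetKey identifies an RRset: all records sharing an owner name and type.
func rrsetKey(name, typ string) string { return strings.ToLower(name) + "/" + typ }

// canonical renders an RRset so that record order cannot affect the signature.
func canonical(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, strings.ToLower(rr.Name)+" "+rr.Type+" "+rr.Data)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Zone is what an authoritative server publishes: RRsets, one RRSIG per
// RRset, and the public DNSKEY. The private key never leaves the signer.
type Zone struct {
	RRsets map[string][]RR
	RRSIG  map[string][]byte
	DNSKEY ed25519.PublicKey
}

// dsDigest mirrors a DS record: a hash over the child's name and DNSKEY that
// the parent publishes (and signs) to vouch for the child's key. Stand-in, not RFC 4034 DS.
func dsDigest(child string, key ed25519.PublicKey) string {
	sum := sha256.Sum256(append([]byte(strings.ToLower(child)), key...))
	return hex.EncodeToString(sum[:])
}

// signZone is the offline signing step: a fresh Ed25519 key (DNSSEC algorithm 15,
// RFC 8080) signs every RRset; the private key is dropped, as answering queries never needs it.
func signZone(rrs []RR) Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z := Zone{RRsets: map[string][]RR{}, RRSIG: map[string][]byte{}, DNSKEY: pub}
	for _, rr := range rrs {
		k := rrsetKey(rr.Name, rr.Type)
		z.RRsets[k] = append(z.RRsets[k], rr)
	}
	for k, set := range z.RRsets {
		z.RRSIG[k] = ed25519.Sign(priv, canonical(set))
	}
	return z
}

// validateChain is the resolver side. From a trust anchor (the parent's DNSKEY,
// as a real resolver holds the root key) it checks: (1) the parent's DS RRset for
// the child validates under the anchor, (2) the DNSKEY received for the child
// hashes to that DS, (3) the answer RRset validates under that DNSKEY. The
// received answer (childKey, rrs, sig) is passed separately so a poisoned response can be modelled.
func validateChain(anchor ed25519.PublicKey, parent Zone, child string,
	childKey ed25519.PublicKey, rrs []RR, sig []byte) (bool, string) {
	dk := rrsetKey(child, "DS")
	ds, ok := parent.RRsets[dk]
	if !ok || !ed25519.Verify(anchor, canonical(ds), parent.RRSIG[dk]) {
		return false, "no DS for child, or DS RRSIG fails under the trust anchor"
	}
	if ds[0].Data != dsDigest(child, childKey) {
		return false, "child DNSKEY does not match the DS in the parent"
	}
	if !ed25519.Verify(childKey, canonical(rrs), sig) {
		return false, "RRSIG over the answer fails under the child DNSKEY"
	}
	return true, "chain of trust validates"
}

func main() {
	// Constructed sample data: example. is the child, the root zone is the
	// parent whose DNSKEY the resolver holds as its trust anchor.
	child := signZone([]RR{{"www.example.", "A", "192.0.2.10"}, {"www.example.", "A", "192.0.2.11"}})
	root := signZone([]RR{{"example.", "DS", dsDigest("example.", child.DNSKEY)}})
	k := rrsetKey("www.example.", "A")
	fmt.Println(validateChain(root.DNSKEY, root, "example.", child.DNSKEY, child.RRsets[k], child.RRSIG[k]))
	// Poisoning attempt 1: forged rdata with the genuine RRSIG reused. Fails step 3.
	forged := []RR{{"www.example.", "A", "198.51.100.66"}}
	fmt.Println(validateChain(root.DNSKEY, root, "example.", child.DNSKEY, forged, child.RRSIG[k]))
	// Poisoning attempt 2: attacker signs the forgery with their own key and supplies
	// it as the child's DNSKEY. Fails step 2: the signed DS in the parent names the real key.
	evilPub, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(validateChain(root.DNSKEY, root, "example.", evilPub, forged, ed25519.Sign(evilPriv, canonical(forged))))
}
```

Run it with `go run`: the first validation succeeds, the forged answer fails on the RRSIG check, and the attacker’s substitute key fails on the DS check even though its signature over the forgery is internally valid. Note that the private key is gone once signZone returns, which is the whole point: nothing on the query path needs it, so nothing on the query path can be tricked into signing a forgery.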
Issues
DNSSEC has had issues in deployment. It is intended to be backwards compatible with older infrastructure, but signed responses are much larger than unsigned ones, which trips up middleboxes that mishandle large DNS responses and makes signed zones attractive sources for amplification attacks. There are also many different kinds of DNS servers and clients, making compatibility even tougher to reach and maintain. Adoption has also proved more strenuous than first thought for administrators because of the protocol’s complexity: key generation, regular re-signing, key rollovers, and keeping the DS records at the registrar in sync all add operational risk, and a mistake in any of them takes the domain offline for every validating resolver. Though the protocol has been added to more and more of the internet since the late 2000s (the root zone was signed in 2010), adoption remains slow because of factors like the above.
Other
DNSSEC is not the only DNS security protocol. There is also DNSCrypt, which addresses the confidentiality side: it encrypts and authenticates the traffic between a client and its resolver, keeping queries and answers unreadable by unwanted third parties on the path. It does not work like DNSSEC, though, and it is not a replacement for it. DNSCrypt protects one transport hop, between you and a resolver you have chosen to trust; DNSSEC signs the data itself, so it can be verified regardless of which path or resolver delivered it. The two are complementary, and the same holds for the standardized alternatives that followed DNSCrypt, DNS over TLS (RFC 7858) and DNS over HTTPS (RFC 8484).