DNS gets more secure

DNSSEC (DNS Security Extensions) is a security extension to the domain name system (DNS). DNSSEC protected domains are cryptographically signed, and this makes it possible to check that the reply to a domain lookup comes from the correct source of origin, and that the lookup remains unchanged.

logo:DNSSEC When you lookup a domain name, a call for an IP address initiates a search in DNS, which is used to contact the server hosting the service that you want to access. Basically DNS does not secure that the an answer comes from the correct source of origin. This means that a scammer may falsify an answer and lead you to another IP address than the one affiliated to the domain. You may for example be lead to a website looking similar to the web shop you tried to reach, but the site is actually run by a server controlled by a scammer.

DNSSEC offers a solution to this problem. When a domain is DNSSEC secured, all answers to lookups will be cryptographically signed. This makes it possible to check that the reply to the lookup comes from the correct source of origin, and that the lookup remains unchanged.

The signature is made by means of a private key, which is available only to the one running the domain. The signature is checked by the server doing the lookup in DNS, which then fetches the public key for the domain. Then the key and the signature are combined to check the answer. Thanks to the hierarchy of DNS, a scammer cannot both give false keys and false answers. The public key is part of an unbroken and trusted chain of keys, all the way up to the top level. To make DNSSEC to work, every link of the chain must be DNSSEC secured. A chain is only as strong as its weakest link.

DNSSEC solves the problem with false answers to lookups in DNS. It is however important to be aware that DNSSEC is a small part of a big puzzle of security actions needed to make you and me secure on the Internet. DNSSEC makes sure that you come to the web address you want to reach, but does not make the content more secure.

Last updated 2015 or before