
DNS Security: DNSSEC Explained

Mar 2, 2026 · 8 min read · Hostao LLC

The Domain Name System was designed in the 1980s without security in mind: a resolver has no way to tell whether an answer really came from the zone's authoritative servers or was forged in transit. DNSSEC (DNS Security Extensions) fixes that by adding cryptographic signatures to DNS data so that resolvers can verify its origin and integrity. It authenticates data; it does not encrypt it, so queries remain visible to anyone on the path.

The Problem: DNS Cache Poisoning

Without DNSSEC, DNS is vulnerable to cache poisoning (also called DNS spoofing). Responses are unauthenticated, mostly UDP packets: an attacker who can guess a query's 16-bit transaction ID and source port, or who sits on the network path, can answer before the real server does and inject false records into a recursive resolver's cache. Every client of that resolver is then sent to attacker-controlled addresses until the forged records expire.

Imagine typing your bank's URL and being silently redirected to a perfect phishing copy. That's what cache poisoning enables.

How DNSSEC Works

DNSSEC uses public-key cryptography to sign DNS records. Here's the simplified process:

  1. Zone signing — The domain owner signs each record set (RRset) in the zone with a private key, producing RRSIG (Resource Record Signature) records. Signatures carry an inception and expiration time, so a zone must be re-signed before they expire.
  2. Public key publication — The corresponding public keys are published as DNSKEY records in the zone. Most deployments use two: a zone-signing key (ZSK, flags 256) that signs the data, and a key-signing key (KSK, flags 257) that signs the DNSKEY set itself.
  3. Chain of trust — The parent zone (e.g., .com) publishes a DS (Delegation Signer) record containing a hash of the child's KSK DNSKEY, and signs that DS with its own keys. The same construction links .com to the root, whose KSK is the trust anchor shipped with validating resolvers.
  4. Validation — A validating resolver starts from the root trust anchor and checks each link down to the answer: the DS must match the child's DNSKEY, and every RRSIG must verify under a DNSKEY in that chain. If any link fails, the resolver discards the data and returns SERVFAIL instead of an unverified answer.

DNSSEC Record Types

  • RRSIG — Contains the digital signature for one DNS record set, plus the signing algorithm, key tag of the signing key, and validity window.
  • DNSKEY — Contains a public key used to verify RRSIG signatures. Flags 257 marks a key-signing key (KSK), flags 256 a zone-signing key (ZSK).
  • DS — Delegation Signer record stored in the parent zone: the child's key tag, algorithm, digest type, and a hash of the child's KSK DNSKEY.
  • NSEC/NSEC3 — Provides authenticated denial of existence (a signed proof that a name or record type does not exist). NSEC3 hashes the names so the zone cannot be trivially enumerated by walking the chain.
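The DS record is the one piece of the chain that lives outside your zone, and a DS that does not match the DNSKEY it is supposed to hash is the failure mode the "DS record mismatch" pitfall later in this article warns about. The following is an added example, not code from the original article or from Hostao: it recomputes a DS record from a DNSKEY exactly as RFC 4034 specifies (key tag from Appendix B, digest over the canonical owner name followed by the DNSKEY RDATA) and compares it with a DS as the parent would publish it. The DNSKEY used is a constructed 64-byte placeholder, not a real key; the owner name example.com. and the DS strings are likewise constructed for the demonstration.

```python
"""Recompute a DS record from a DNSKEY (RFC 4034) and check it against the DS
published at the parent. Runs offline on constructed data. Added example; not
part of the original article."""
import base64
import hashlib
import sys

# Digest types registered for DS records: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed key: flags 257 (KSK), protocol 3, algorithm 13 (ECDSA P-256),
# with a 64-byte "public key" of 0x01 bytes. Not a real key.
CONSTRUCTED_KSK = "257 3 13 " + "AQEB" * 21 + "AQ=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def parse_dnskey(text: str):
    """'257 3 13 <base64>' -> (flags, protocol, algorithm, key bytes)."""
    flags, proto, alg, *key = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key))


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA in wire format: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def is_ksk(flags: int) -> bool:
    """Bit 15 (value 1) is the Secure Entry Point flag; DS records hash KSKs."""
    return bool(flags & 1)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, dnskey_text: str, digest_type: int = 2):
    """(key tag, algorithm, digest type, hex digest) for the given DNSKEY."""
    flags, proto, alg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), alg, digest_type, digest


def format_ds(ds) -> str:
    """Presentation format as a registrar shows it: '<tag> <alg> <digesttype> <digest>'."""
    return f"{ds[0]} {ds[1]} {ds[2]} {ds[3]}"


def parse_ds(text: str):
    tag, alg, dtype, digest = text.split()
    return int(tag), int(alg), int(dtype), digest.lower()


def ds_matches(owner: str, dnskey_text: str, published_ds: str) -> bool:
    """True only if the parent's DS really hashes this DNSKEY (tag, alg, digest all agree)."""
    tag, alg, dtype, digest = parse_ds(published_ds)
    if dtype not in DIGESTS:
        return False  # unknown digest type: a validator cannot use this DS
    return (tag, alg, dtype, digest) == compute_ds(owner, dnskey_text, dtype)


if __name__ == "__main__":
    owner = "example.com."
    ds = compute_ds(owner, CONSTRUCTED_KSK)
    print("DS to publish at the registrar:", format_ds(ds))
    # A stale DS left behind after a provider change (constructed): same tag, wrong digest.
    stale = f"{ds[0]} {ds[1]} {ds[2]} " + "00" * 32
    print("current DS matches DNSKEY:", ds_matches(owner, CONSTRUCTED_KSK, format_ds(ds)))
    print("stale DS matches DNSKEY:  ", ds_matches(owner, CONSTRUCTED_KSK, stale))
    sys.exit(0 if ds_matches(owner, CONSTRUCTED_KSK, format_ds(ds)) else 1)
```

To use this against a live zone, paste the DNSKEY RDATA returned by `dig DNSKEY yourdomain.example` (the record with flags 257) into `ds_matches` together with the DS that `dig DS yourdomain.example` returns from the parent; a False result means resolvers will treat your zone as bogus.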

Should You Enable DNSSEC?

Arguments for:

  • Protects against cache poisoning and on-path tampering with DNS answers
  • Lets validating resolvers verify the origin and integrity of every signed response, including denial of existence
  • Required by technologies that build on trusted DNS data, such as DANE (TLSA records)
  • Free to enable with most DNS providers

Arguments against:

  • Adds complexity to DNS management
  • Can cause outages if misconfigured (especially during key rollovers): a validation failure makes the whole domain SERVFAIL for every client behind a validating resolver
  • Must be disabled (DS record removed at the registrar) before domain transfers or DNS provider changes, unless the keys are carried over
  • Increases DNS response sizes, which makes signed zones attractive reflectors for amplification attacks and can push responses over UDP limits into TCP fallback

How to Enable DNSSEC

  1. Check provider support — Confirm your DNS provider supports DNSSEC. Cloudflare, Route 53, and Google Cloud DNS all do.
  2. Enable at your DNS provider — Most providers have a one-click enable option. This generates the DNSKEY records, signs your zone, and keeps the RRSIGs fresh.
  3. Add DS record at your registrar — Copy the DS record details (key tag, algorithm, digest type, digest) from your DNS provider and add them at your domain registrar. The registrar pushes the DS to the parent zone, which creates the chain of trust; until it is published, your zone is signed but treated as insecure rather than secure.
  4. Verify — Use online DNSSEC validators or dig (below) to confirm that validating resolvers return your records with the ad flag and no SERVFAIL.

Verifying DNSSEC

Check if a domain has DNSSEC enabled and validates correctly, querying a public validating resolver:

dig +dnssec example.com A @8.8.8.8
dig DS example.com @8.8.8.8

Look for the ad (authenticated data) flag in the response header, which indicates the resolver validated the response; with +dnssec the answer section also carries the RRSIG records. The ad flag is only set by a validating resolver, so if it is missing either the zone is unsigned (the DS query returns nothing) or the resolver you asked does not validate. A SERVFAIL can mean validation failed; repeat the query with +cd (checking disabled): if the data then comes back, the zone is bogus, if it still fails the servers are simply unreachable.
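Reading the two dig headers by eye is error-prone, and the difference between "unsigned", "validated" and "bogus" is exactly what matters when a domain suddenly stops resolving. The following added example (not code from the original article or from Hostao) parses the header lines that dig prints and classifies a domain from the pair of queries described above: one normal query and one with +cd. The dig outputs embedded in it are constructed samples in dig's header format, not captured from a real resolver; the live helper assumes a dig binary on the PATH.

```python
"""Classify a domain's DNSSEC state from dig output (normal query plus +cd query).
The sample outputs are constructed; the live path shells out to dig.
Added example; not part of the original article."""
import re
import subprocess
import sys

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r";; flags:([^;]*);")


def parse_dig_header(output: str):
    """Return (status, set of header flags) from dig's ';; ->>HEADER<<-' block."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if not status or not flags:
        raise ValueError("no dig header found in output")
    return status.group(1), set(flags.group(1).split())


def classify(normal_output: str, cd_output: str) -> str:
    """Combine a validating query and a +cd (checking disabled) query into one verdict."""
    status, flags = parse_dig_header(normal_output)
    cd_status, _ = parse_dig_header(cd_output)
    if status in ("NOERROR", "NXDOMAIN") and "ad" in flags:
        return "secure"          # resolver validated the chain of trust
    if status in ("NOERROR", "NXDOMAIN"):
        return "insecure"        # unsigned zone, or a resolver that does not validate
    if status == "SERVFAIL" and cd_status in ("NOERROR", "NXDOMAIN"):
        return "bogus"           # data exists but validation failed (bad DS, expired RRSIG, ...)
    return "unreachable"         # fails even without validation: not a DNSSEC problem


# Constructed dig headers illustrating the three DNSSEC outcomes.
SAMPLE_SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
SAMPLE_INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
SAMPLE_CD_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
SAMPLE_CD_FAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4715
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""


def dig(domain: str, resolver: str, *extra: str) -> str:
    """Run dig (assumed on PATH) and return its text output."""
    cmd = ["dig", "+dnssec", *extra, domain, "A", f"@{resolver}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_live(domain: str, resolver: str = "8.8.8.8") -> str:
    return classify(dig(domain, resolver), dig(domain, resolver, "+cd"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", check_live(sys.argv[1]))
    else:
        print("secure sample   ->", classify(SAMPLE_SECURE, SAMPLE_CD_OK))
        print("insecure sample ->", classify(SAMPLE_INSECURE, SAMPLE_CD_OK))
        print("bogus sample    ->", classify(SAMPLE_SERVFAIL, SAMPLE_CD_OK))
        print("outage sample   ->", classify(SAMPLE_SERVFAIL, SAMPLE_CD_FAIL))
```

Run it with a domain name as the argument to query a live resolver; with no argument it classifies the built-in samples. The "insecure" verdict deliberately does not distinguish an unsigned zone from a non-validating resolver, because the dig header alone cannot; query the DS record at the parent, as shown above, to tell the two apart.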

Common DNSSEC Pitfalls

  • Forgetting to disable before transfers — The DS record lives at the registry, while the keys live at your DNS provider. A new provider generates new keys, so the old DS no longer matches and validating resolvers reject the zone. Remove the DS, wait at least its TTL so cached copies expire, transfer, then re-enable and publish the new DS.
  • Key rollover failures — DNSSEC keys must be periodically rotated. A ZSK rollover stays inside the zone, but a KSK rollover changes the DS and therefore needs an update at the registrar; choose a provider that handles rollovers automatically, or at least tells you when a new DS is needed.
  • DS record mismatch — If the DS record at the registrar doesn't match the KSK DNSKEY at your DNS provider (wrong key tag, algorithm, digest type, or digest), validating resolvers return SERVFAIL for the whole domain. Check the DS and DNSKEY against each other after every provider or key change.

DNSSEC is a valuable security layer for your domain. If your DNS provider supports one-click DNSSEC, it's worth enabling — just understand the implications for domain transfers and key management.
