The Domain Name System (DNS) plays a pivotal role in facilitating communication between clients and servers by converting domain names into IP addresses, ensuring the functionality of the Internet.
However, the DNS has revealed weaknesses over time, enabling attackers to hijack lookups and trick users into providing sensitive information to fraudulent websites.
To counter this, DNSSEC technology has been introduced to enhance the security of this crucial component of the Internet’s infrastructure. Following the worldwide trend of end-to-end deployment, we are now implementing DNSSEC on our platform as well.
How does the process of DNS lookups function?
DNSSEC, which stands for Domain Name System Security Extensions, is designed to rectify the security vulnerabilities within the DNS lookup procedure.
To gain a better comprehension of DNSSEC, let’s examine the sequential steps of the DNS lookup process:
- Upon a user entering a website’s address (e.g., WWW.DOM.COM) in their browser, a query for additional information regarding .COM is dispatched to the root zone.
- With this information obtained, a subsequent query is dispatched to the .COM zone to obtain information about DOM.COM.
- Finally, the DOM.COM zone is queried to obtain the IP address of WWW.DOM.COM. Subsequently, the browser receives a response containing the IP address.
The diagram below visually illustrates the outlined stages of the DNS lookup process:
These various zones are under the management of distinct entities: ICANN oversees the root zone, domain registries (e.g., VeriSign) manage TLDs like .COM, and domain registrars (such as LiquidNet) administer domains like DOM.COM.
What does DNSSEC entail?
In recent years, an age-old weakness within the DNS lookup process has resurfaced.
Cybersecurity experts discovered that the Domain Name System lacks the capability to ensure the complete authenticity and unaltered nature of data provided in response to a DNS query. This deficiency arises from the absence of credential verification during the execution of a DNS lookup.
This vulnerability serves as an entry point for malicious actors to exploit the DNS lookup process, gaining control of a session and subsequently using it for their phishing endeavors.
This is precisely where the DNSSEC security protocol comes into play.
How does DNSSEC mitigate the vulnerability of the DNS?
DNSSEC introduces an additional layer of security to ensure that end users connect with the legitimate website or associated service linked to a particular web address.
This is achieved through the validation of DNS responses using digital signatures at each step of the query process.
By safeguarding the lookup procedure, DNSSEC complements the HTTPS security protocol, which encrypts data exchanged between browsers and servers during their interactions.
Differing from HTTPS, DNSSEC doesn’t encrypt data, but instead incorporates a series of digital signatures into the aforementioned DNS lookup process.
These signatures are generated using specific keys, which require validation from higher-level entities. For instance, .COM is responsible for signing DOM.COM’s key, and the root signs .COM’s key, forming a hierarchical structure.
During validation, each parent zone signs the key of the subordinate zone beneath it, creating a “chain of trust” connecting them.
The digital signatures and their corresponding keys are stored in name servers, alongside typical record types like A, AAAA, MX, CNAME, and more.
By inspecting the signature associated with the requested DNS record, it’s possible to ascertain whether the record originates from its authoritative name server or if it has been tampered with en route, potentially as part of a man-in-the-middle attack.
How is DNSSEC validation executed?
DNSSEC introduces several new DNS record types, which store the necessary signatures and their verification keys:
- RRSIG: Contains the cryptographic digital signature.
- DNSKEY: Contains keys for verifying the digital signature.
- DS: Delegation Signer records, published in the parent zone, carry trust from a parent zone to its child zone in the DNS lookup chain.
The interaction between these records enables the validation of DNS records (referred to as DNSSEC validation).
Let’s examine how RRSIG and DNSKEY collaborate to secure a given DNS zone:
- DNS records of the same type (A, AAAA, MX, CNAME, etc.) are grouped into an RRset (resource record set) for collective validation.
- A pair of zone-signing keys (ZSKs) – private and public – is generated.
- The private ZSK creates a digital signature for the RRset, stored as an RRSIG record in the name server.
- The signature in the RRSIG record is verified by the public ZSK, present in a DNSKEY record.
- A pair of key-signing keys (KSKs) – private and public – is generated to validate the DNSKEY record holding the ZSK.
- The private KSK creates a digital signature and an RRSIG for the public ZSK.
- The signature in the RRSIG record is verified by the public KSK, stored in another DNSKEY record.
Now let’s explore the process when a DNS query is sent to the zone:
- The client requests specific DNS records; the name server returns the corresponding RRset together with its RRSIG record containing the signature.
- The DNSKEY records (holding the public ZSK and KSK), together with their own RRSIG record, are retrieved from the name server.
- The RRSIG of the RRset is validated using the public ZSK.
- The RRSIG of the DNSKEY is validated using the public KSK.
This outlines how a DNS query is validated within a particular zone. However, as illustrated, the lookups traverse the entire DNS hierarchy, from the root zone to the specific web address.
To convey validation results from one zone to the lower zone, DS records are introduced.
Parent zones publish DS records containing a hash of the DNSKEY record, which houses the public KSK key (the final validation marker within a zone).
Thus, when a query is directed to a child zone, its parent zone supplies a DS record to confirm DNSSEC protection for the child zone.
The root DNS zone itself has no parent to publish a DS record for it; instead, validating resolvers are configured with the root's public KSK as a trust anchor. A special root key-signing event, overseen by ICANN, occurs quarterly to sign the root zone's keys.
Through DS records, which link validated DNSSEC zones, trust is established across the DNS lookup chain.
The diagram below offers an overview of a DNSSEC-protected DNS lookup chain.
In the previously outlined DNS lookup example, with DNSSEC enabled, the DNS lookup sequence will unfold as follows: a DNS query is initiated for WWW.DOM.COM, prompting the following actions:
- The pre-validated root zone, overseen by ICANN, participates in validating the .COM zone.
- The .COM zone, managed by VeriSign, contributes to authenticating the information provided by the DOM.COM zone.
- The DOM.COM zone participates in confirming the accuracy of the data returned for WWW.DOM.COM.
For instance, when requesting the A record for the DNSSEC-enabled DOM.COM, the resulting response will have the “DO” (DNSSEC OK) flag set and will be accompanied by the corresponding RRSIG record.
Which generic top-level domains (gTLDs) are compatible with DNSSEC on our platform?
In our capacity as both a domain registrar and a web hosting provider, we extend DNSSEC support to the DOM.COM and WWW.DOM.COM zones within the DNS lookup chain.
Currently, our DNSSEC support is applicable to the .COM, .NET, and .BIZ gTLDs.
This signifies that we have the capability to publish the necessary DS records for any domain registered under these specific generic extensions.
Domain owners have the convenience of activating DNSSEC for their domains seamlessly through the Web Hosting Control Panel. Within the Hosted Domains section, a new column labeled DNSSEC will be visible.
To initiate DNSSEC for a particular domain, users only need to click on the corresponding DNSSEC icon.
This action will display a dialog box, where the domain owner will be prompted to make a selection of their preferred signature algorithm.
We recommend that domain registrants opt for RSA/SHA-256 as their preferred choice, or alternatively, they can choose RSA/SHA-1.
Please note: If a domain is not registered through our services, we will provide the corresponding DS records to the client. This allows them to include these records in their domain management account with the registrar they are currently using.
To obtain the DS records for your DNSSEC-enabled domain, you can click on the DNSSEC icon once more.
Inside the dialog box, you will find all the necessary DS details. Simply copy the information displayed and then paste it into the domain management panel provided by your domain’s current registrar.
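As an added example (not the hosting platform's own code), the following Python shows how the DS record described earlier is derived from a zone's KSK DNSKEY record (RFC 4034 Section 5.1.4 and Appendix B) and how a DS line copied into a registrar panel can be checked against it. The owner name DOM.COM and the key bytes are constructed for illustration, not a real key.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY for the page's DOM.COM zone (hypothetical key bytes, not a real key):
# flags 257 marks a KSK (Secure Entry Point), protocol is always 3, and algorithm 8 is
# RSA/SHA-256, the algorithm recommended on this page.
EXAMPLE_OWNER = "DOM.COM."
EXAMPLE_DNSKEY = "257 3 8 AQIDBA=="   # base64 of the constructed key bytes 01 02 03 04


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels, each
    prefixed by its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64key' into DNSKEY RDATA wire bytes."""
    flags, protocol, algorithm, key_b64 = presentation.split(None, 3)
    pubkey = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, presentation: str, digest_type: int = 2) -> str:
    """Build the DS record the parent zone publishes for this DNSKEY (RFC 4034 s5.1.4):
    digest = hash(canonical owner name | DNSKEY RDATA). Digest type 2 is SHA-256 and
    type 4 is SHA-384 (RFC 6605); SHA-1 (type 1) is left out deliberately."""
    rdata = dnskey_rdata(presentation)
    algorithm = rdata[3]
    hasher = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner: str, presentation: str, published_ds: str) -> bool:
    """Check that a DS line copied from a registrar panel matches the zone's DNSKEY."""
    tag, alg, dtype, digest = published_ds.split()[-4:]
    expected = ds_record(owner, presentation, int(dtype)).split()[-4:]
    return [tag, alg, dtype, digest.upper()] == expected
```

Running ds_record on the real KSK DNSKEY of your zone reproduces the DS line shown in the control panel dialog, so the two can be compared before the record is submitted to the registrar.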
DNSSEC holds significant importance for maintaining the reputation of your domain name. By ensuring that your visitors are not redirected to unauthorized servers and do not fall victim to phishing sites, you effectively safeguard their trust.
In the near future, we will be expanding the list of DNSSEC-compatible top-level domains (TLDs) on our platform. Keep an eye out for further updates on this matter.