What Are Domain Name System Security Extensions?
Domain name system security extensions (DNSSEC) are a set of protocols that add a layer of security to the domain name system (DNS) lookup and exchange processes, which are integral to reaching websites and other services through the Internet. DNSSEC does not control how data is distributed or who can access it, and it does not encrypt anything. What the extensions provide is a way to authenticate the origin of data sent by a DNS server, to verify that the data was not altered in transit, and to prove that a requested name or record type genuinely does not exist (authenticated denial of existence).
Understanding DNSSEC first requires a basic knowledge of how website addresses work. The actual Internet Protocol (IP) addresses used by websites are numeric, such as the four dot-separated numbers of an IPv4 address. Although this address system is efficient for computers to read and process, it is difficult for people to remember, so human-readable domain names are mapped onto the numeric IP addresses. What has come to be known as a website address is actually a domain name, and the DNS is the system that translates it.
Domain name information is stored on and served by special servers, known as name servers. Authoritative name servers hold the records for a particular zone, and recursive name servers answer clients' questions by querying the authoritative servers on their behalf. The DNS is a hierarchy: at the top sits the root zone, which does not store every name and address on the Internet but instead delegates to the servers for each top-level domain (TLD), such as .com, .net and .org. Each TLD in turn delegates to the name servers of the domains registered beneath it.
When DNS was first implemented, it included no security, and attacks such as cache poisoning, in which a resolver is tricked into accepting forged answers, were discovered soon after it came into use. In response, a security system was developed in the form of extensions that could be added to the existing DNS protocols. This system was later vetted, modified and approved as a standard by the Internet Engineering Task Force (IETF); the current specification is RFC 4033, 4034 and 4035.
After test deployments in several country-code domains beginning in 2007, the root zone itself was signed in July 2010, which made a single chain of trust from the root possible. The .org top-level domain had already been signed in 2009; .edu and .net were signed in 2010 and .com in March 2011, and implementation continues for country-specific top-level domains. By November 2011, over 25 percent of all top-level domains had been signed.
How DNSSEC Works
The purpose of DNSSEC is to protect Internet clients from counterfeit DNS data by having each zone digitally sign its records and letting resolvers verify those signatures. A validating resolver checks each signature against the public key published by the zone that signed it, and checks that key, in turn, against the parent zone, all the way up to a key it already trusts. Only data that passes this check is passed on to the client; data whose signature fails is discarded, and the client receives an error (SERVFAIL) instead of a forged answer.
DNSSEC uses public-key cryptography: each zone holds a private key with which it signs its records and publishes the matching public key in the DNS. These keys are used only for signing and verification, not for encryption, so DNSSEC cannot protect the privacy or confidentiality of data; a query and its answer still travel in clear text, and separate protocols such as DNS over TLS address that. DNSSEC only carries what is required to authenticate DNS data as genuine or genuinely not available.
The implementation of DNSSEC required several new types of records to be created for DNS. These record types are as follows:
RRSIG holds the digital signature over a set of records (an RRset) of one name and type, together with the metadata needed to check it: the signing algorithm, the signing zone's name, the key tag that identifies which DNSKEY was used, and the signature's inception and expiration times. A signature is valid only inside that time window, so validating resolvers depend on a correct clock.
DNSKEY holds a zone's public keys. A zone usually has a key-signing key (KSK), which signs only the DNSKEY set, and a zone-signing key (ZSK), which signs everything else.
DS (delegation signer) lives in the parent zone alongside the delegation and contains a hash of the child zone's KSK. It is what links a subdomain's keys to the parent, so that trust established for the parent carries down to the child.
NSEC, NSEC3 and NSEC3PARAM provide authenticated denial of existence. An NSEC record names the next owner name in the zone and lists the record types that exist at the current one, so a signed NSEC proves that nothing lies between two names; NSEC3 does the same for hashed names, and NSEC3PARAM tells the zone's servers which hash parameters to use.
Where validation happens depends on which kind of resolver handles the query. Recursive name servers, often operated by Internet service providers (ISPs) or public resolver services, can validate DNSSEC themselves: they ask for signatures by setting the DO (DNSSEC OK) flag in their queries and verify what comes back. The stub resolver built into an end system's operating system, including the client resolver in Microsoft Windows, usually does not validate; it relies on the recursive server's verdict, signalled by the AD (authenticated data) bit in the response, which is only trustworthy if the path between the stub and the recursive server is itself protected.
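The query and reply flags just described, as an added example that is not code from the original article or from any resolver: a stub builds a query with an EDNS0 OPT record carrying the DO bit (RFC 6891), and classifies the reply by its RCODE and AD bit (RFC 4035). The message layout follows RFC 1035; nothing is sent on the network, and the replies are constructed byte strings, so the transaction ID, address and zone name are illustrative only.

```python
"""Added example, not from the original article: the DNSSEC-related bits a stub
resolver sets in its query (the EDNS0 DO flag, RFC 6891) and reads in the reply
(the AD flag, RFC 4035). Message layout follows RFC 1035. Nothing is sent on the
network; the replies below are constructed byte strings for illustration."""
import struct

# Header flag bits, RFC 1035 s4.1.1 (AD and CD were added for DNSSEC)
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: resolver validated the answer
FLAG_CD = 0x0010   # checking disabled: hand back data even if validation fails
RCODE_SERVFAIL = 2
EDNS_DO = 0x00008000   # DO bit inside the OPT record's 32-bit TTL field (RFC 6891 s6.1.4)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def name_to_wire(name: str) -> bytes:
    """Wire form of a domain name: lower-cased, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname: str, qtype: int, txid: int, want_dnssec: bool = True) -> bytes:
    """Query with one question and, if DNSSEC is wanted, an OPT pseudo-RR with DO=1 so the
    recursive resolver validates and includes RRSIG/NSEC data in its answer."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = name_to_wire(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if want_dnssec:
        # OPT RR: owner = root (one zero byte), TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE/version/DO/Z, RDLENGTH 0 (no options)
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; only the fields the stub needs are returned."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def stub_verdict(reply: bytes, expected_id: int) -> str:
    """What a non-validating stub (such as the Windows client resolver) can conclude.
    The AD bit is only worth trusting if the path to the recursive resolver is itself
    protected (localhost, a private network, or DNS over TLS)."""
    hdr = parse_header(reply)
    if not hdr["qr"] or hdr["id"] != expected_id:
        return "discard"    # not a reply to our query, or a spoof that guessed the wrong ID
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "bogus"      # a validating resolver withholds data that fails validation
    if hdr["ad"]:
        return "secure"     # resolver verified a full chain of trust from its anchor
    return "insecure"       # unsigned zone, or a resolver that does not validate


def _reply(txid: int, flags: int, rcode: int, answer: bytes) -> bytes:
    """Constructed reply: header, echoed question, optional A answer (compression pointer 0xC00C)."""
    ancount = 1 if answer else 0
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA | flags | rcode,
                         1, ancount, 0, 0)
    question = name_to_wire("example.com.") + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + answer


# Constructed sample replies; the address is illustrative.
A_RECORD = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4) + bytes([93, 184, 216, 34])
QUERY_ID = 0x1234
SECURE_REPLY = _reply(QUERY_ID, FLAG_AD, 0, A_RECORD)     # validated answer
INSECURE_REPLY = _reply(QUERY_ID, 0, 0, A_RECORD)         # answer from an unsigned zone
BOGUS_REPLY = _reply(QUERY_ID, 0, RCODE_SERVFAIL, b"")    # validation failed upstream

if __name__ == "__main__":
    print(build_query("example.com.", TYPE_A, QUERY_ID).hex())
    for label, reply in [("secure", SECURE_REPLY), ("insecure", INSECURE_REPLY),
                         ("bogus", BOGUS_REPLY)]:
        print(label, "->", stub_verdict(reply, QUERY_ID))
```

The transaction-ID check is included deliberately: it is the only thing a stub has against a spoofed reply from a non-validating path, and it is 16 bits, which is why cache poisoning was practical before DNSSEC. A "bogus" verdict cannot be distinguished by the stub from any other server failure; a client that wants to see the failing data must set the CD bit and validate itself.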
Whichever resolver does the work, verification requires a starting point called a trust anchor, normally the public key of the root zone's KSK, which is shipped with operating systems and resolver software. From the anchor, the resolver builds a chain of trust down to the record being validated: the root DNSKEY set must be signed by the anchored key; the DS record in the root for a TLD must match the hash of that TLD's KSK; the TLD's DNSKEY set must be signed by that KSK; and so on, one DS and DNSKEY pair per delegation, until the zone that signed the answer is reached and its RRSIG can be checked. A break anywhere in the chain, such as a missing or mismatched DS or an expired signature, makes the answer bogus.
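To make the DS and DNSKEY records and the chain link between parent and child concrete, here is an added example that is not code from the original article or from any DNSSEC implementation. It encodes a DNSKEY, computes its key tag (RFC 4034 Appendix B) and the DS digest a parent publishes (RFC 4034 section 5.1.4), and then checks a child's DNSKEY set against the parent's DS set, which is one link of the chain described above. It uses only the Python standard library; the zone name and key bytes are constructed placeholders, not real key material, and the RRSIG verification over the DNSKEY set, which needs an RSA or ECDSA library, is left out.

```python
"""Added example, not code from the original article: computing DNSKEY key tags
and DS digests (RFC 4034) and checking one delegation link of a chain of trust.
The key bytes below are constructed placeholders, not a real RSA public key."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-case labels, RFC 4034 s6.2)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, then key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum of the DNSKEY RDATA that lets
    RRSIG and DS records say which DNSKEY they refer to. It is a lookup hint, not a
    security check; collisions are possible, which is why the digest is compared too."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), RFC 4034 s5.1.4.
    Digest type 1 = SHA-1, 2 = SHA-256, 4 = SHA-384."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """What the child hands to the parent (through its registrar):
    (key tag, algorithm, digest type, digest), the four fields of a DS record."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def trusted_ksks(owner: str, parent_ds_rrset: list, child_dnskey_rrset: list) -> list:
    """One link of the chain of trust (RFC 4035 s5.2): return the child DNSKEYs that are
    authenticated by a DS in the parent. A key that matches may then be used to verify
    the RRSIG over the child's DNSKEY set; a child with no match is bogus."""
    matched = []
    for rdata in child_dnskey_rrset:
        for tag, alg, dtype, digest in parent_ds_rrset:
            if (tag == key_tag(rdata) and alg == rdata[3]
                    and ds_digest(owner, rdata, dtype) == digest.upper()):
                matched.append(rdata)
                break
    return matched


# Constructed data: a KSK (flags 257) and a ZSK (flags 256) for example.com using
# algorithm 8 (RSA/SHA-256). The "public keys" are placeholder bytes, not key material.
CHILD = "example.com."
KSK = dnskey_rdata(257, 3, 8, b"\x00\x01\x02\x03")
ZSK = dnskey_rdata(256, 3, 8, b"\x10\x11\x12\x13\x14\x15")
FORGED_KSK = dnskey_rdata(257, 3, 8, b"\x00\x01\x02\x04")   # attacker-substituted key

# The parent (.com) publishes only the KSK's DS next to the delegation; the ZSK is
# trusted indirectly, through the KSK's signature over the DNSKEY set.
PARENT_DS = [make_ds(CHILD, KSK)]

if __name__ == "__main__":
    print("KSK key tag:", key_tag(KSK))                 # 1549
    print("DS for parent:", PARENT_DS[0])
    print("keys trusted via DS:", trusted_ksks(CHILD, PARENT_DS, [KSK, ZSK]))
    print("forged key trusted:", trusted_ksks(CHILD, PARENT_DS, [FORGED_KSK, ZSK]))  # []
```

On a live zone the same comparison can be reproduced by computing a DS from the output of `dig +short DNSKEY example.com` and checking it against `dig +short DS example.com` served by the parent; a mismatch there, typically left behind by a KSK rollover that forgot to update the registrar, is the most common cause of a broken chain.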
Issues with DNSSEC
While DNSSEC substantially strengthens DNS, it introduced a new weakness of its own, known as zone enumeration or zone walking. DNS zone data has traditionally been treated as private, because a full listing reveals host names and the layout of a network; anyone who obtains it has a much simpler time mapping targets and planning an attack. Without DNSSEC, a full zone transfer (AXFR) could be restricted to authorized servers, and an outsider could only guess names one query at a time.
The original NSEC record, however, proves that a name does not exist by naming the next existing name in the zone, so a client can ask for nonexistent names and follow the chain from one NSEC record to the next until it has listed every name in the zone. The later NSEC3 record (RFC 5155) addresses this by publishing salted, iterated SHA-1 hashes of the owner names instead of the names themselves. This makes a walk yield only hashes, but it does not prevent an offline dictionary attack against them, so zones full of guessable names gain less than the workaround suggests. Current guidance (RFC 9276) is to use zero additional iterations and no salt, because extra iterations cost every validating resolver more than they cost an attacker with a word list.
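The walk and its NSEC3 counterpart, as an added example that is not code from the original article or from any DNS software: a constructed NSEC chain is enumerated by following "next" pointers, the same names are then hashed the way NSEC3 does (RFC 5155 section 5, standard library only), and a dictionary attack with the zone's public salt and iteration count recovers the guessable ones. The zone contents, NSEC3PARAM values and word list are made up for illustration.

```python
"""Added example, not from the original article: walking a constructed zone through its
NSEC chain (zone enumeration), then hashing the same names the way NSEC3 does (RFC 5155)
to show that hashing hides names from a walk but not from an offline guessing attack.
The zone contents, salt, iteration count and word list are made up for illustration."""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, each length-prefixed."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


# Constructed NSEC chain for example.com. Each NSEC record says "the next owner name in
# canonical order is X" and lists the types present at the current name; the last one
# points back to the apex. A client obtains each record as the signed proof of
# nonexistence returned for a name in the gap, then asks for a name just past "next".
NSEC_CHAIN = {
    "example.com.":       ("admin.example.com.", ["A", "NS", "SOA", "RRSIG", "NSEC", "DNSKEY"]),
    "admin.example.com.": ("mail.example.com.",  ["A", "RRSIG", "NSEC"]),
    "mail.example.com.":  ("vpn.example.com.",   ["A", "MX", "RRSIG", "NSEC"]),
    "vpn.example.com.":   ("example.com.",       ["A", "RRSIG", "NSEC"]),
}


def walk_nsec(chain: dict, apex: str) -> list:
    """Enumerate every owner name in the zone by following NSEC 'next' pointers from the apex."""
    names, current = [], apex
    while current not in names:         # stop when the chain wraps (or on a malformed loop)
        names.append(current)
        current = chain[current][0]
    return names


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """NSEC3 owner-name hash, RFC 5155 s5: SHA-1(wire name || salt), then `iterations`
    further rounds of SHA-1(previous || salt), encoded in base32hex. SHA-1 is the only
    hash algorithm defined for NSEC3."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std = base64.b32encode(digest).decode("ascii")          # 20 bytes -> 32 chars, no padding
    return std.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV"))


def nsec3_owner_hashes(names, salt: bytes, iterations: int) -> list:
    """What an NSEC3 walk yields: the zone's hashed owner names in hash order, no names."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def offline_guess(hashes, candidates, salt: bytes, iterations: int) -> dict:
    """Dictionary attack: salt and iteration count are public (NSEC3PARAM), so an attacker
    hashes guesses locally and matches them against the walked hashes, with no further
    queries to the zone's servers."""
    wanted = set(hashes)
    found = {}
    for guess in candidates:
        h = nsec3_hash(guess, salt, iterations)
        if h in wanted:
            found[h] = guess
    return found


SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 10   # constructed NSEC3PARAM values
WORDLIST = ["www.example.com.", "admin.example.com.", "ftp.example.com.",
            "vpn.example.com.", "db.example.com."]

if __name__ == "__main__":
    zone_names = walk_nsec(NSEC_CHAIN, "example.com.")
    print("NSEC walk:", zone_names)
    hashes = nsec3_owner_hashes(zone_names, SALT, ITERATIONS)
    print("NSEC3 walk:", hashes)
    print("recovered offline:", offline_guess(hashes, WORDLIST, SALT, ITERATIONS))
```

The attack cost scales with the word list times the iteration count, and an attacker pays it once per zone, while every validating resolver pays the iteration cost on every negative answer; that asymmetry is the reason RFC 9276 recommends zero iterations. Names that do not appear in any word list (here, mail) stay hidden, which is the protection NSEC3 actually delivers.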