DNS Security: What is it?

DNSSEC is a security extension that authenticates DNS servers and provides data integrity. It was developed by the IETF and uses public key authentication techniques. DNSSEC builds trust relationships between different levels of the DNS hierarchy so that accurate DNS data can be shared. However, zone enumeration and backward compatibility issues arise. DNSSEC implementation began at the root level in 2009-2010, and modern computer operating systems come with DNS security extensions.

Domain Name System (DNS) Security Extensions (DNSSEC) are a means of protecting the Internet and its users from possible attacks that could disable or hinder access to essential naming services on the Internet. The security extensions create a way for DNS servers to continue to provide their Internet Protocol (IP) address translation functions, but with the additional provision that DNS servers authenticate each other by creating a set of trust relationships. Through the extensions, the data shared between DNS servers also achieves a level of integrity that is difficult to obtain with the unextended protocol by which the data is transferred.

Originally, DNS was created as a public, unsecured distribution of names and their associated IP addresses. As the Internet has grown, however, a number of issues have developed around DNS security, privacy, and DNS data integrity. As far as privacy issues are concerned, the problem was addressed early on by properly configuring the DNS servers. However, it is possible for a DNS server to be subject to a number of different types of attacks, such as Distributed Denial of Service (DDoS) and buffer overflow attacks, which can affect any type of server. Specific to DNS, however, is the problem of some external sources poisoning the data by introducing false information.

DNSSEC was developed by the Internet Engineering Task Force (IETF) and detailed in several Request for Comments (RFC) documents, RFC 4033 to RFC 4035. These documents describe DNS security as achievable through the use of public key authentication techniques. To reduce the processing load on DNS servers, only authentication techniques are used, not encryption: the DNS data itself still travels in the clear, but its origin and integrity can be verified.

The way DNSSEC works is by building trust relationships between different levels of the DNS hierarchy. At the top level, the root domain of the DNS is established as the primary intermediary between lower domains, such as .com, .org, and so on. Subdomains then look to the root domain, acting as a so-called trusted third party, to validate each other’s credibility so they can share accurate DNS data with each other.

One problem that arises as a result of the methods described in these RFCs is called zone enumeration: it becomes possible for an outside source to learn the identity of every named computer on a network. Some controversy has developed around DNS security and the zone enumeration issue because, even though DNS was not originally designed for privacy, various legal and governmental obligations require that such data remain private. An additional specification, RFC 5155, describes further resource records for DNS that may alleviate the problem, though not remove it entirely.

Other issues with implementing DNS security revolve around backward compatibility. The protocols implemented must be universal and, therefore, understood by all computers, servers and clients that use the Internet. Because DNSSEC is implemented through software extensions to DNS, however, some difficulties have arisen in successfully updating older systems to support the new methods. However, implementation of DNSSEC methods began at the root level in late 2009 and early 2010, and many modern computer operating systems come with DNS security extensions.



