White paper

How to Implement and Manage DNSSEC

DNSSEC was the DNS industry’s response to an inherent weakness of the DNS: nothing in the original protocol lets a client verify that the answer it receives is the one the domain owner actually published. In this paper, we discuss:

  • What is DNSSEC
  • How DNSSEC works
  • What can happen without DNSSEC
  • How to know if DNSSEC is working
  • How to implement and manage in four steps
  • Why systems automation is the only practical approach.

Learn how to protect your brand and keep your customers and audiences safe.


The Need for Comprehensive DNS Security

In a digital world, organizations and individuals rely on the internet daily for a limitless number of essential tasks. Internet users count on organizations to maintain online service availability and to protect their data privacy. Users need to be able to trust that digital brands are authentic, i.e., that a brand’s web presence really belongs to that brand. Unfortunately, digital brand trust is increasingly threatened by weaknesses in the internet’s very foundation: the Domain Name System, or DNS.

Almost every online action starts with a DNS lookup. Whether for shopping, banking, paying a tax bill, or connecting to an enterprise service delivery system, the DNS directs requests to the online destinations, content and applications that users seek. The DNS is central to the internet and how it operates, and it is this very criticality that makes it an attractive target for abuse: hijacking, spoofing, man-in-the-middle attacks, and other threats can disrupt an organization’s online operations, with disastrous consequences for brand reputation and user security.

There are many best-practice defences that infrastructure leaders need to cover when they define and implement DNS security policies to keep their networks fully operational and secure and their customers safe. Those measures include Domain Name System Security Extensions (DNSSEC), Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), a secondary DNS network, and a policy of HTTPS Everywhere. That policy then needs to be enforced with robust change management controls.

In this paper, we are taking a deeper dive into DNSSEC.

Domain Name System Security Extensions, or DNSSEC, helps defend against DNS security threats, specifically forged or tampered DNS answers, whether injected by a man-in-the-middle (MITM) or planted in a resolver’s cache. It does not protect against an attacker who compromises a registrar or DNS provider account and changes the zone at its source, since such an attacker can also alter the DNSSEC keys; that is why the change management controls mentioned above matter as much as DNSSEC itself. While DNSSEC is highly effective within its scope, many organizations have not yet adopted it simply because it is challenging to set up and manage over the lifecycle of a domain and of a larger portfolio of domains.

Traditional, manual practices for DNS management and the common practice of using multiple DNS services have made DNSSEC deployment cumbersome, inefficient, and costly. There is a solution: consolidating all domains and DNS services under a unified, automated environment can simplify and secure organizations’ at-risk internet operations.

In this guide to DNSSEC, we will explain what DNSSEC is, how it works, and why it’s important. We will also identify the obstacles to implementing DNSSEC and show how a simplified approach to DNS management makes effective deployment possible.


What is DNSSEC?

DNSSEC is a set of extensions to the DNS protocol that lets a resolver verify that the answers it receives are authentic. It protects internet users (clients) from forged DNS data planted in recursive servers, often referred to as DNS cache poisoning. DNSSEC does this with digital signatures: the domain owner signs the records in the zone with a private key, publishes the matching public key in the zone itself, and a validating resolver checks each answer’s signature before accepting it, so users are sent to the destination the brand actually published.

Understanding what DNSSEC is requires looking at the DNS itself. The domain name system was developed in the 1980s to make the internet easier to use. It is often described as a directory that translates the names we type into a browser into the IP address where content is served. For example, apple.com is an easily remembered domain name. The DNS translates that name into an internet protocol (IP) address of the server(s) where Apple’s website is found; at the time of writing, 17.253.134.10. The DNS makes browser-based address lookups significantly easier than an unwieldy list of millions of numeric IP addresses.

Ease of use and ubiquity are contributing factors to the evolving risks associated with the DNS. As the internet matured, it became apparent that there were many ways to abuse and misuse the DNS for malicious purposes. The DNS was not designed with security in mind: it is a globally distributed, unauthenticated database of name-to-address mappings, and a resolver has no built-in way to tell a genuine answer from a forged one. Attackers have long been adept at exploiting this by intercepting, forging and manipulating DNS responses. As a result, internet users and organizations cannot always be sure that the online content they request is in fact served from the legitimate, authenticated source.

DNSSEC was the industry response to the authentication weaknesses inherent in the DNS. It was developed by the Internet Engineering Task Force (IETF) to counter the “impersonation” problems associated with the DNS. DNSSEC’s digital signatures ensure that the content internet users request through their browsers is reached via legitimate, authenticated results from the Domain Name System. Note that DNSSEC authenticates DNS data; it does not encrypt queries or answers, so it provides integrity and origin authentication, not confidentiality. Without DNSSEC, organizations are vulnerable to their DNS answers (and customers) being compromised by way of MITM attacks or cache poisoning.


How does DNSSEC work?

The DNS is organized into zones, and resolvers follow delegations from the root zone through the top-level domain (TLD) down to the zone that holds the answer. To protect a zone, its owner generates a key pair: the private key stays with the owner and is used to sign the zone’s records, while the public key is published in the zone as a DNSKEY record. Each set of records carries a signature, an RRSIG record, made with the private key. A validating resolver checks that signature against the public key, so it accepts only records the zone owner actually published and discards forged records, such as those planted in a recursive server’s cache. The keys themselves are authenticated as part of a chain of trust: the parent zone publishes a DS (Delegation Signer) record, a hash of the child’s public key, signs it with its own key, and so on up to the root zone, whose key is the trust anchor built into validating resolvers.

In practice a zone usually has two key pairs: a zone-signing key (ZSK) that signs the records, and a key-signing key (KSK) that signs the DNSKEY record set and is the key referenced by the DS record in the parent zone (for a TLD such as .com, that DS record is published by the registry through the registrar). When a validating recursive server receives an answer, it verifies the RRSIG with the zone’s DNSKEY, verifies that DNSKEY against the DS record in the parent, and repeats the check up to the trust anchor. If every signature checks out, the internet user receives the records that point to the brand-authentic host. If any check fails, the data is treated as bogus: the resolver returns SERVFAIL and nothing is passed to the end user. Two caveats matter for operations. First, only validating resolvers perform these checks; a non-validating resolver passes unsigned or bogus data through unchanged. Second, an expired signature, or a DS record that no longer matches the current KSK, makes a signed domain fail validation for everyone behind a validating resolver, which is why key rollovers and DS updates at the registrar must be managed carefully.
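The chain of trust described above, end to end, as an added worked example written for this edit rather than taken from the white paper. Key tags and DS digests are computed exactly as RFC 4034 specifies, so that part is not a toy and is the same comparison an operator makes when checking that the DS at the registrar matches the KSK in the zone. The signature primitive is an assumption: textbook RSA over SHA-256 on fixed Mersenne primes, a stand-in for real DNSSEC algorithms such as ECDSAP256SHA256, chosen only so the script runs offline with the standard library (the DNSKEY/DS algorithm field therefore carries 253, the “private algorithm” number). Every zone name, key and IP address is constructed, and each zone uses a single signing key (a CSK) rather than a separate KSK and ZSK.

```python
"""DNSSEC chain of trust: RRSIG -> DNSKEY -> DS in the parent -> ... -> trust anchor.
Key tags and DS digests follow RFC 4034.  Signatures are textbook RSA over SHA-256 with
fixed Mersenne primes: a stand-in for a real DNSSEC algorithm (hence algorithm 253)."""
import hashlib

PRIVATE_ALG, DIGEST_SHA256 = 253, 2          # PRIVATEDNS algorithm number; DS digest type SHA-256
M = {k: 2**k - 1 for k in (13, 17, 19, 31, 61, 89, 107, 127)}   # known Mersenne primes (toy keys)

class ToyKey:
    def __init__(self, p, q, e=65537):        # e is coprime to (p-1)(q-1) for every prime in M
        self.e, self.n, self.d = e, p * q, pow(e, -1, (p - 1) * (q - 1))
    def public(self) -> bytes:                # DNSKEY public key field
        return self.e.to_bytes(4, "big") + self.n.to_bytes(32, "big")
    def sign(self, msg: bytes) -> bytes:      # RRSIG signature field
        h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % self.n
        return pow(h, self.d, self.n).to_bytes(32, "big")

def toy_verify(pub: bytes, msg: bytes, sig: bytes) -> bool:
    e, n = int.from_bytes(pub[:4], "big"), int.from_bytes(pub[4:], "big")
    return pow(int.from_bytes(sig, "big"), e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def wire_name(name: str) -> bytes:            # canonical owner name (RFC 4034 s6.2): lowercase labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().split(".") if l) + b"\x00"

def dnskey_rdata(pub: bytes, flags: int = 257) -> bytes:   # 257 = ZONE|SEP, the flags of a KSK/CSK
    return flags.to_bytes(2, "big") + bytes([3, PRIVATE_ALG]) + pub

def key_tag(rdata: bytes) -> int:             # RFC 4034 Appendix B: 16-bit key id used in DS and RRSIG
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_rdata(owner: str, dnskey: bytes) -> bytes:   # RFC 4034 s5.1.4: tag|alg|type|SHA-256(name||RDATA)
    digest = hashlib.sha256(wire_name(owner) + dnskey).digest()
    return key_tag(dnskey).to_bytes(2, "big") + bytes([dnskey[3], DIGEST_SHA256]) + digest

def rrset_bytes(owner: str, rtype: str, rdatas) -> bytes:   # what one RRSIG covers (TTL/class omitted)
    return wire_name(owner) + rtype.encode() + b"".join(sorted(rdatas))

class Zone:
    def __init__(self, name: str, key: ToyKey):
        self.name, self.key, self.rrsets, self.rrsigs = name, key, {}, {}
        self.add(name, "DNSKEY", dnskey_rdata(key.public()))
    def add(self, owner, rtype, rdata):
        self.rrsets.setdefault((owner, rtype), []).append(rdata)
    def delegate(self, child):                # parent publishes DS for the child's key: the chain link
        for k in child.rrsets[(child.name, "DNSKEY")]:
            self.add(child.name, "DS", ds_rdata(child.name, k))
    def sign(self):                           # one RRSIG per RRset, made with the zone's private key
        for (owner, rtype), rdatas in self.rrsets.items():
            self.rrsigs[(owner, rtype)] = self.key.sign(rrset_bytes(owner, rtype, rdatas))

def zone_for(zones, owner, rtype):            # DS lives in the parent; all else in the enclosing zone
    return max((z for z in zones if owner.endswith(z) and not (rtype == "DS" and z == owner)), key=len)

def trusted_dnskeys(zones, anchor, zname):
    """zname's keys are trusted only if a DS (the trust anchor, or a validated DS RRset in the
    parent) matches one of them and that key's signature over the DNSKEY RRset verifies."""
    zone, keys = zones[zname], zones[zname].rrsets[(zname, "DNSKEY")]
    if zname == anchor[0]:
        ds_set = [anchor[1]]
    elif validate(zones, anchor, zname, "DS"):
        ds_set = zones[zone_for(zones, zname, "DS")].rrsets[(zname, "DS")]
    else:
        return []
    msg, sig = rrset_bytes(zname, "DNSKEY", keys), zone.rrsigs.get((zname, "DNSKEY"), b"")
    return keys if any(ds_rdata(zname, k) in ds_set and toy_verify(k[4:], msg, sig) for k in keys) else []

def validate(zones, anchor, owner, rtype) -> bool:
    """A validating resolver's decision: True = Secure, False = Bogus (the client gets SERVFAIL)."""
    zone = zones[zone_for(zones, owner, rtype)]
    rdatas, sig = zone.rrsets.get((owner, rtype)), zone.rrsigs.get((owner, rtype))
    if not rdatas or sig is None:
        return False
    msg = rrset_bytes(owner, rtype, rdatas)
    return any(toy_verify(k[4:], msg, sig) for k in trusted_dnskeys(zones, anchor, zone.name))

def build():                                  # constructed tree: root -> com -> example.com
    root, com = Zone(".", ToyKey(M[107], M[127])), Zone("com.", ToyKey(M[61], M[89]))
    example = Zone("example.com.", ToyKey(M[19], M[31]))
    example.add("www.example.com.", "A", bytes([93, 184, 216, 34]))   # constructed address
    com.delegate(example)
    root.delegate(com)
    for z in (root, com, example):
        z.sign()
    anchor = (".", ds_rdata(".", root.rrsets[(".", "DNSKEY")][0]))     # plays the IANA root DS
    return {z.name: z for z in (root, com, example)}, anchor

def demo():
    results, q = {}, ("www.example.com.", "A")
    zones, anchor = build()
    results["genuine"] = validate(zones, anchor, *q)
    zones, anchor = build()                   # cache poisoning: rdata swapped, RRSIG left as is
    zones["example.com."].rrsets[q] = [bytes([203, 0, 113, 5])]
    results["poisoned"] = validate(zones, anchor, *q)
    zones, anchor = build()                   # hijack: attacker serves the zone signed with own key
    rogue = Zone("example.com.", ToyKey(M[13], M[17]))
    rogue.add(*q, bytes([203, 0, 113, 5]))
    rogue.sign()
    zones["example.com."] = rogue             # .com still publishes and signs DS for the real key
    results["rogue_key"] = validate(zones, anchor, *q)
    return results

if __name__ == "__main__":
    print(demo())
```

Running it prints `{'genuine': True, 'poisoned': False, 'rogue_key': False}`. The poisoned answer fails because the RRSIG no longer matches the data; the hijacked zone fails because the DS that .com publishes and signs names the legitimate key, not the attacker’s, so the attacker’s self-signed DNSKEY never becomes trusted. A validating resolver would answer SERVFAIL in both failing cases, while a non-validating resolver would hand the forged data to the client unchanged.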

Download the full white paper to continue reading