DNSSEC is an extension of the current DNS protocol that adds security to the use of domain names. Any domain name can make use of this technology, but it has to be requested through the registrar of the domain first. DNSSEC protects the DNS protocol against tampering and serves as a foundation for other security measures, such as DANE.

What is DNS

The task of the Domain Name System (DNS) is to convert domain names to IP addresses (and vice versa). In doing so, it functions as a kind of internet address book. A client navigating to, for example, www.yourdomain.com will use a name server, which looks up the IP address belonging to that name and returns it to the client. Other internet protocols, such as e-mail, also make use of this system.

What is DNSSEC

The original DNS was designed as a simple distribution system and therefore made little use of security measures. DNSSEC consists of a set of extensions that add an additional layer of security to the original DNS protocol. Clients that support these extensions receive the address information from the name server together with a digital signature. By adding this signature, manipulation of the data linking the domain name to the IP address is prevented. The use of DNSSEC grows steadily: the number of .nl domains using DNSSEC has increased from 1.5 million in 2013 to 2.7 million in August 2017.

How does it work

DNSSEC is short for Domain Name System Security Extensions. The protocol adds a public key to the information the name server sends back to the client. The registrar of the domain has previously supplied the correct public key belonging to the domain in question to the name server of the central registry for that domain name (for co.uk names this is Nominet), thereby placing it one step higher in the DNS hierarchy. The name server of the central registry thus becomes a so-called 'trust anchor', which the client can use to check whether the public key returned with the name server's information is the same as the public key known to the name servers of the trust anchor. This builds a chain of trust across the different levels of the DNS hierarchy.

DNSSEC enables the client to verify the origin of the DNS data it receives and to confirm that the public keys being compared are identical. This makes it possible to check whether the information was modified by a third party in transit.
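To make the key comparison described above concrete, the following is an added example (not code from the original page) that builds the one link in the chain of trust where the parent's DS record is checked against the child's DNSKEY, using the key-tag and DS-digest rules from RFC 4034. The zone name, key fields and key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed example: a child zone's KSK and the DS record its parent would
# publish for it. Flags 257 = zone key with SEP bit, protocol is always 3,
# algorithm 13 = ECDSAP256SHA256. The 64 "public key" bytes are a placeholder
# pattern, not a real key; only the DS/DNSKEY linkage is exercised here.
ZONE = "example.co.uk."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13
PUBLIC_KEY = bytes(range(64))
DIGEST_TYPE_SHA256 = 2

def name_to_wire(name: str) -> bytes:
    """Canonical owner name (RFC 4034 section 6.2): lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # the empty root label terminates the name

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit checksum that identifies which
    DNSKEY a DS or RRSIG refers to. An identifier, not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = DIGEST_TYPE_SHA256) -> tuple:
    """DS as the parent publishes it: (key tag, algorithm, digest type, digest); the
    digest covers the owner name in wire form + full DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """One link of the chain of trust: the DS held one level up must commit
    to exactly this DNSKEY as served by the child zone."""
    return ds == make_ds(owner, rdata, ds[2])

def demo() -> tuple:
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY)
    parent_ds = make_ds(ZONE, rdata)
    # A substituted key cannot match the DS at the parent, so the link breaks.
    swapped = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, bytes(64))
    return (key_tag(rdata), ds_matches_dnskey(parent_ds, ZONE, rdata),
            ds_matches_dnskey(parent_ds, ZONE, swapped))
```

A real validator additionally checks the RRSIG over the DNSKEY RRset with the matching key; the DS comparison shown here is only the step that ties the child's key to the parent.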

Servers and clients that use DNSSEC can still work with systems that do not use DNSSEC. In these cases, however, the DNS information will not be encrypted.

When applying

At the moment, the DNSSEC status of a user's domain is checked when they place an order on our website. If DNSSEC issues are detected, the user is informed that the domain does not have a valid DNS record, but is still able to place the order.

Useful tools

  • https://os3sec.org/ - A Firefox plugin to analyse a domain's DNS (including DNSSEC)
  • DNS Check - Including DNSSEC. This test was made available by the organisation SIDN, the Dutch equivalent of Nominet.


