As it turns out, not many people know what DNSSEC is, what it is for, and why it is worth implementing. Let’s dive deeper to understand how the system actually protects internet users.
Initially, the domain name system had no mechanism to protect against a spoofed response: by design, both the query and the response are transmitted in plain text.
To communicate with another computer over the Internet, you must enter its address: a name or a number. This address must be unique so that computers can find each other. ICANN (The Internet Corporation for Assigned Names and Numbers) coordinates these unique identifiers throughout the world. Without this, there would be no global Internet. When you enter a name, the system must first convert it to a numeric address, and only then can it establish a connection. This system is called the Domain Name System (DNS), and it converts names such as www.blog.rokkex.com into numbers called Internet Protocol (IP) addresses. ICANN coordinates the addressing system to ensure that all addresses are unique.
A resolver judged the authenticity of a response only by the transaction identifier, which is just 2 bytes long. Thus, to poison a cache, an attacker only had to run through 65,536 values. Soon a vulnerability was discovered in DNS that allowed an attacker to hijack the lookup of a person’s or a site’s name on the Internet. The purpose of the attack was to seize control of the session in order, for example, to direct the user to the attacker’s website and obtain an account name and password.
The need to reduce these vulnerabilities led to the introduction of a technology called DNSSEC (DNS Security Extensions), first released in 1997; a revised version appeared two years later. In 2005 the new DNSSEC edition appeared, which is the one widely used today. A landmark event came in 2008, when Dan Kaminsky showed the world that a cache could be poisoned in 10 seconds.
How DNSSEC works
To create a signature, the following keys are used:
- KSK (Key Signing Key) — the master key, used to sign other keys (a long-term key).
- ZSK (Zone Signing Key) — the key used to sign the zone’s records (a short-term key).
The digital signature entry is called RRSIG.
DNSSEC secures the domain name system by adding cryptographic signatures to existing DNS records. The signatures are stored in DNS name servers alongside the common record types. By checking the signature associated with a requested DNS record, you can confirm that the record comes from its authoritative name server and was not changed en route, as opposed to a fake record injected in a man-in-the-middle attack.
Why DNSSEC is secure
Whether by brute force or some other method, an attacker would need to recover the private half of the public-private key pair (the KSK, for instance) used to create the signature that confirms the validity of a DNS record. DNSSEC frustrates such attempts by using a short-term key (ZSK) to sign the DNS records regularly and a long-term key (KSK) to sign the ZSK.
The ZSK changes often, so it becomes harder for an attacker to guess it, while the longer-lived KSK changes much less frequently (ideally once a year). Since the KSK signs the ZSK, which in turn signs the DNS records, a validator needs to know only the KSK to check the DNS records in the zone.
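A compact model of the key hierarchy described above (the KSK signs the DNSKEY set that publishes the ZSK, the ZSK signs the zone’s records, and a resolver that trusts only the KSK can detect a tampered answer or accept a ZSK rollover). This is an added example, not code from the original post; textbook RSA over constructed small primes stands in for the real DNSSEC algorithms, and the zone name, records and keys are all constructed.

```python
import hashlib
def keygen(p, q, e=65537):
    """Toy RSA keypair (public, private) from two constructed primes; NOT secure, demo only."""
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def digest(name, rtype, rdata, n):
    """Hash the RRset in canonical form (sorted rdata, so record order is irrelevant)."""
    data = f"{name}|{rtype}|{'|'.join(sorted(rdata))}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rrsig(priv, key_tag, name, rtype, rdata):
    """RRSIG-like record: which key signed, plus the RRset hash signed with that key."""
    return {"key_tag": key_tag, "sig": pow(digest(name, rtype, rdata, priv[0]), priv[1], priv[0])}

def verify(pub, name, rtype, rdata, sig):
    return pow(sig["sig"], pub[1], pub[0]) == digest(name, rtype, rdata, pub[0])

def sign_zone(zone, ksk, zsk):
    """KSK signs only the DNSKEY RRset (publishing both public keys); the ZSK signs the rest."""
    (ksk_pub, ksk_priv), (zsk_pub, zsk_priv) = ksk, zsk
    dnskey = [f"KSK {ksk_pub[0]} {ksk_pub[1]}", f"ZSK {zsk_pub[0]} {zsk_pub[1]}"]
    signed = {("example.", "DNSKEY"): (dnskey, rrsig(ksk_priv, "KSK", "example.", "DNSKEY", dnskey))}
    for (name, rtype), rdata in zone.items():
        signed[(name, rtype)] = (rdata, rrsig(zsk_priv, "ZSK", name, rtype, rdata))
    return signed  # {(name, type): (rdata, rrsig)}

def validate(signed, trust_anchor, name, rtype):
    """Resolver that knows only the KSK public key: accept the answer only if the DNSKEY
    RRset verifies under the KSK and the requested RRset verifies under the ZSK it publishes."""
    dnskey, sig = signed[("example.", "DNSKEY")]
    if sig["key_tag"] != "KSK" or not verify(trust_anchor, "example.", "DNSKEY", dnskey, sig):
        return False
    _, n, e = next(k for k in dnskey if k.startswith("ZSK ")).split()
    rdata, sig = signed[(name, rtype)]
    return sig["key_tag"] == "ZSK" and verify((int(n), int(e)), name, rtype, rdata, sig)
# Constructed sample zone and keys (tiny primes: demonstration only).
KSK, ZSK = keygen(1000003, 1000033), keygen(1000037, 1000039)
ZONE = {("www.example.", "A"): ["192.0.2.1"], ("example.", "MX"): ["10 mail.example."]}
SIGNED = sign_zone(ZONE, KSK, ZSK)

def forged_answer():
    """On-path tampering: the address is swapped but the RRSIG no longer matches the data."""
    fake = dict(SIGNED)
    fake[("www.example.", "A")] = (["198.51.100.9"], SIGNED[("www.example.", "A")][1])
    return validate(fake, KSK[0], "www.example.", "A")

def after_zsk_rollover():
    """Zone re-signed with a fresh ZSK; the resolver's trust anchor (the KSK) is unchanged."""
    return validate(sign_zone(ZONE, KSK, keygen(1000081, 1000099)), KSK[0], "www.example.", "A")
```

`validate(SIGNED, KSK[0], "www.example.", "A")` returns True, `forged_answer()` returns False, and `after_zsk_rollover()` returns True even though the resolver never learned the new ZSK directly.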
HTTPS VS DNSSEC
Similar to HTTPS, DNSSEC adds a layer of security by enabling authenticated answers on top of an otherwise insecure protocol. Whereas HTTPS encrypts traffic so nobody on the wire can snoop on your Internet activities, DNSSEC merely signs responses so that forgeries are detectable. DNSSEC provides a solution to a real problem without the need to incorporate encryption.
How DNSSEC strengthens the security of an internet user
Using DNSSEC at each stage lets you be sure that the end user is connected to your authentic website or to another service that corresponds to a specific domain name. Although this technology does not solve every Internet security problem, it does protect an important part of it (name lookup) and complements other technologies such as SSL (HTTPS), which protects the information being exchanged, and it provides a platform for further security improvements.
At ROKKEX, we take security extremely seriously, and our crypto exchange is built on a ‘Security First’ principle. We want to share our expertise with the broader public for the world to become happy, safe, and wise.
If you have any ideas and suggestions, contact us at