What is DNSSEC?

When a recursive (caching) DNS server receives a reply to a query it sent to another name server, it has no way of telling whether the records in that reply are authentic or were injected by a third party. A forged reply accepted into its cache (cache poisoning) means that, without intending to, this server can send its users to a phishing site where anything from identity theft to unauthorized online purchases can follow. Such is the state of most DNS servers today: unsecured, and open to hijacking by anyone with bad intentions and a little know-how.

Fortunately, there is DNSSEC. Short for DNS Security Extensions, DNSSEC is often presented as the definitive answer to the identity thefts and other cyber-crimes that begin with an unsecured DNS server. More precisely, it adds digital signatures to DNS data so that a validating DNS server can verify, before passing a record on to end-users, that the record was published by the zone's operator and has not been altered in transit. An attacker who cannot produce a valid signature therefore cannot redirect an online shopper to a bogus payment site by tampering with DNS answers. Note what DNSSEC does not do: it does not encrypt queries, and it does not protect against look-alike domain names or a compromised web server; its guarantee is the authenticity and integrity of the DNS data itself.

Think of DNSSEC as similar to cashing a cheque. The cheque must carry the signature of the drawer, which the bank verifies by comparing it with the specimen on his signature card held in the bank's vault. In this analogy the drawer is the authoritative name server, the bank is a caching or recursive server, and the signature card in the vault is the trusted key (trust anchor) configured in the validating server. DNSSEC supplies both the signature and the process of verifying it, neither of which existing DNS servers perform.

The Internet today is unsafe because DNS servers cannot distinguish between fake and authentic records. With DNSSEC, each set of DNS records on the public Internet carries a signature (an RRSIG record) that a validating name server checks against the zone's public key (its DNSKEY record); that key is in turn vouched for by a DS record in the parent zone, and so on up to the "trusted keys" (trust anchors) configured in the validating server. When a DNSSEC-enabled name server receives a record (an IP address, say) that fails this check, it discards the record and answers the client with a SERVFAIL error instead of a forged address; thus you never reach the attacker's website. A validator does draw one distinction a practitioner should know: a record from a zone whose parent publishes no DS for it is "insecure" and is passed through unsigned, whereas a record whose signature or key chain fails to verify is "bogus" and is dropped. Below is a typical flow of a DNS query going through the DNSSEC validation process.

[Figure: DNSSEC validation flow]
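As an added example (not part of the original page, and not SolidDNS or ISC code), the Go program below models the validation flow just described with real Ed25519 signatures (DNSSEC algorithm 15, RFC 8080): a trust anchor for the root, a DS record in the root vouching for the example. zone's DNSKEY, and an RRSIG over the A records for www.example. The zone names, addresses and keys are constructed for the demonstration; the signed data is a simplified text form rather than the RFC 4034 wire format, and key tags, TTLs and NSEC/NSEC3 proofs are omitted. It shows the three verdicts a validator can reach: the genuine answer is secure; a poisoned answer, and one signed with a key the parent never vouched for, are bogus (SERVFAIL); and a zone with no DS in its parent is merely insecure and is passed through.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

type Result string // the validator's verdict on one answer (RFC 4035 terms)
const (
	Secure   Result = "secure"   // chain verified: the answer goes to the client
	Bogus    Result = "bogus"    // a signature or DS check failed: reply SERVFAIL
	Insecure Result = "insecure" // the parent publishes no DS: passed through unsigned
)

// canonical is the data an RRSIG covers here: owner, type and the records in sorted
// order. Real DNSSEC signs the RFC 4034 wire form plus RRSIG header fields; simplified.
func canonical(owner, rtype string, rdata []string) []byte {
	s := append([]string(nil), rdata...)
	sort.Strings(s)
	return []byte(owner + " " + rtype + "\n" + strings.Join(s, "\n"))
}

// dsDigest is the content of a DS record: a SHA-256 digest of the child's DNSKEY.
func dsDigest(key ed25519.PublicKey) []byte {
	d := sha256.Sum256(key)
	return d[:]
}

// mustKey generates one zone key pair (a single CSK, as BIND's default policy uses).
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Answer is what a validating resolver assembles for one query: the answer RRset with
// its RRSIG, the owning zone's DNSKEY (ChildKey), the DS for that zone as served by the
// root (nil if none) with the root's RRSIG over it, and the root's own DNSKEY.
type Answer struct {
	Zone, Owner, Type string
	Rdata             []string
	RRSIG, DS, DSSig  []byte
	ChildKey, RootKey ed25519.PublicKey
}

// Validate walks the chain of trust from the resolver's trust anchor (the DS digest
// of the root key) down to the answer RRset; each case is one link in the chain.
func Validate(anchor []byte, a *Answer) Result {
	switch {
	case !bytes.Equal(dsDigest(a.RootKey), anchor): // 1. root DNSKEY must match the anchor
		return Bogus
	case a.DS == nil: // 2. no DS in the trusted parent: insecure delegation (a real validator
		return Insecure // also demands a signed NSEC/NSEC3 proof that the DS is absent)
	case !ed25519.Verify(a.RootKey, canonical(a.Zone, "DS", []string{fmt.Sprintf("%x", a.DS)}), a.DSSig):
		return Bogus // 3. the DS record must carry a valid signature by the root key
	case !bytes.Equal(dsDigest(a.ChildKey), a.DS): // 4. child DNSKEY must match that DS
		return Bogus
	case !ed25519.Verify(a.ChildKey, canonical(a.Owner, a.Type, a.Rdata), a.RRSIG):
		return Bogus // 5. the answer RRset must verify under the child's DNSKEY
	}
	return Secure
}

// BuildScenario signs a root zone and an "example." zone and returns the trust anchor
// plus the genuine answer for "www.example. A" (constructed sample data).
func BuildScenario() ([]byte, *Answer) {
	rootPub, rootPriv := mustKey()
	childPub, childPriv := mustKey()
	ds := dsDigest(childPub)
	rdata := []string{"192.0.2.10", "192.0.2.11"}
	a := &Answer{Zone: "example.", Owner: "www.example.", Type: "A", Rdata: rdata,
		RRSIG:    ed25519.Sign(childPriv, canonical("www.example.", "A", rdata)),
		ChildKey: childPub, DS: ds, RootKey: rootPub,
		DSSig:    ed25519.Sign(rootPriv, canonical("example.", "DS", []string{fmt.Sprintf("%x", ds)}))}
	return dsDigest(rootPub), a
}

// Demo returns the verdict on the genuine answer and on three tampered variants.
func Demo() map[string]Result {
	anchor, good := BuildScenario()
	forged := *good // poisoned reply: one address swapped, original RRSIG kept
	forged.Rdata = []string{"198.51.100.66", good.Rdata[1]}
	evilPub, evilPriv := mustKey() // attacker's own key, with a valid signature under it
	rekeyed := *good
	rekeyed.ChildKey, rekeyed.RRSIG = evilPub, ed25519.Sign(evilPriv, canonical(good.Owner, good.Type, good.Rdata))
	unsigned := *good // delegation for which the parent publishes no DS
	unsigned.DS, unsigned.DSSig = nil, nil
	return map[string]Result{"genuine": Validate(anchor, good), "forged": Validate(anchor, &forged),
		"rekeyed": Validate(anchor, &rekeyed), "unsigned": Validate(anchor, &unsigned)}
}

func main() { fmt.Println(Demo()) } // map[forged:bogus genuine:secure rekeyed:bogus unsigned:insecure]
```

Run it with go run; the printed map shows the four verdicts. The "rekeyed" case is why the DS link matters: a signature that verifies proves nothing on its own unless the key that made it chains up to the trust anchor, which is exactly the check a non-validating resolver never performs.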

The SolidDNS™ DNSSEC Solution

Enabling DNSSEC on a stock BIND name server takes several steps, by the admission of its maker, Internet Systems Consortium. And that is just to switch DNSSEC "on": signing zones, adding trusted keys and performing key rollovers each require further steps and a certain level of expertise.
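As an added illustration of those steps (this is not SolidDNS documentation or ISC's own text), the named.conf fragments below show how a BIND 9.18-or-later server is configured to validate answers against the built-in root trust anchor, to sign a zone with automatic key generation and rollover, and to use NSEC3 for denial of existence. The zone name, file paths and policy name are illustrative; the NSEC3 parameters follow the current guidance in RFC 9276 (no salt, no extra iterations). Older BIND releases required running dnssec-keygen and dnssec-signzone by hand and re-signing on a schedule, which is the multi-step procedure referred to above.

```conf
options {
    directory "/var/named";
    // Validate every answer against the root trust anchor that ships with BIND.
    dnssec-validation auto;
};

// Illustrative policy: ECDSA P-256 (DNSSEC algorithm 13) keys, a ZSK rolled
// every 90 days, and NSEC3 with no salt and zero extra iterations (RFC 9276).
dnssec-policy "p256-nsec3" {
    keys {
        ksk lifetime unlimited algorithm 13;
        zsk lifetime P90D algorithm 13;
    };
    nsec3param iterations 0 optout no salt-length 0;
};

zone "example.com" IN {
    type primary;
    file "example.com.db";
    dnssec-policy "p256-nsec3";  // named generates keys, signs and rolls them
    inline-signing yes;          // keep the unsigned zone file; serve a signed copy
};
```

With this in place, rndc dnssec -status example.com reports the key states, and rndc dnssec -rollover -key <keytag> example.com forces an unscheduled (emergency) rollover of one key. An additional trusted key is only needed for a zone that does not chain to the public root, for example an internal zone; such a key goes in a trust-anchors block as a static-ds or initial-ds entry, while the public root anchor is already handled by dnssec-validation auto. Publishing the new DS in the parent zone after a KSK rollover remains a manual step with the registrar unless the parent supports CDS/CDNSKEY.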

In SolidDNS™, most DNSSEC related operations are reduced to a few mouse clicks. Consider the following:

  • Enabling DNSSEC -- two clicks
  • Signing zones -- two clicks
  • Enabling NSEC3 -- two clicks
  • Adding trusted keys -- two clicks
  • Performing emergency key rollover -- one click

Once again, SolidDNS™ simplifies what is otherwise a painful and complex procedure to deploy DNSSEC.


For more detailed discussions on DNSSEC, follow these links:

Why do you need DNSSEC?
DNSSEC Case Study: .my DOMAIN REGISTRY
DNSSEC Deployment Initiative

Some relevant RFCs:

4033 DNS Security Introduction and Requirements
4034 Resource Records for the DNS Security Extensions
4035 Protocol Modifications for the DNS Security Extensions
4431 The DNSSEC Lookaside Validation (DLV) DNS Resource Record
5074 DNSSEC Lookaside Validation (DLV)
5155 DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

Note that DLV (RFC 4431 and RFC 5074) was a stop-gap for zones whose parents were not yet signed. ISC retired its DLV registry in 2017 and RFC 8749 moved DLV to Historic status, so new deployments should rely on the DS chain from the root rather than on lookaside validation.
