DNS Security Extensions

Understanding DNS Security Extensions

To understand the importance of DNS Security Extensions (commonly referred to as DNSSEC) it helps to be aware of the weaknesses of the domain name system (DNS). The DNS can be likened to a publicaly available address book, letting computers know where to send and receive data from. The problem is that the computer does not validate any of the addresses that it is given, it will blindly give and retreive information to the address that it finds in the book.

Email Servers Vulnerability

The Domain Name System (DNS) is used by email servers for message routing, so of course they are susceptible to the security flaws inherent in the original DNS design. Back in 2014 researchers investigating email routing discovered that emails were being sent via imposter mail servers instead bona fide ones (e.g. Google, Yahoo!, Hotmail, etc.). These imposters were using an age old deficiency in the Domain Name System design where it does not validate the routing addresses that it is given.

The IETF's Answer

The IETF's (Internet Engineering Task Force) answer to this deficiency is DNS Security Extensions (DNSSEC) — a suite of specifications for securing DNS with an authoritative level of authentication.

A Short Explanation Of DNSSEC

DNSSEC is essentially the addition of cryptographic signatures to the DNS zone file records for each domain name. Each record type (e.g. A, AAAA, MX, CNAME, TXT etc.) has its own digital signature stored in the zone file. So, every DNS record request can be authenticated and verified that it has come from an authoritative name server by testing that its associated digital cryptographic signature is valid.

The Benefits Of DNSSEC

The chief safeguard provided by DNSSEC is the inhibition of third-parties ability to falsify DNS records and maintains a domain's integrity by averting:

DNS Cache Poisoning:
also known as DNS Spoofing; is where fake Domain Name System data is infiltrated into the DNS resolver's cache, causing incorrect records to be returned by the name server, (e.g. A Record, CNAME Record, IP Address, etc.). The result of which is that legitimate network traffic is redirected to an erroneous server, which could have been set up for unlawful purposes.
Forged Zones:
DNSSEC additionally shields against mischievous DNS violations which can take advantage of the flaw in the DNS system to serve up fictitious returns for zones that don't even exist, basically exploiting the holes between unsigned zones. The framework of DNSSEC ensures that these holes between unsigned zones are sealed securely — known as authenticated denial of existence.

Further Reading Resources