A word about DNSSEC

In a previous post, I mentioned that the DNSSEC root zone signing keys are being changed.

Let’s take a closer look at DNSSEC, which was implemented in several countries and their domains at the end of 2014. The European Union has also made a good video about it (European Union Structural Funds, 2014).

DNSSEC works by securing a DNS zone with a process called zone signing. This does not interfere with the basic DNS query and response, so it is backwards compatible. Responses to DNS queries from DNSSEC-protected zones are digitally signed. By validating the signature, a DNS resolver (the client) can tell whether the information has been tampered with, that is, whether it still matches what is published on the authoritative DNS server. DNSSEC can protect any data published in the DNS, including TXT and mail exchange (MX) records (microsoft.com, 2014).
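To make the backwards compatibility described above concrete, here is an added example (not from the original post or its sources) that builds a plain DNS query and the same query with the EDNS0 DO bit that requests DNSSEC records, then reads the AD flag and the RRSIG count from a constructed response. The function names, the query ID, the 1232-byte payload size and the sample response bytes are assumptions chosen for the example.

```python
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020   # header flag bits
TYPE_A, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 1, 41, 46, 1

def encode_name(name):
    """Wire format: length-prefixed labels, terminated by the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, dnssec=True, qid=0x1234):
    """An ordinary A query; with dnssec=True it also carries an OPT record with DO set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size (1232 is an assumed
    # value), TTL field carries the DO bit (0x8000), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x00008000, 0)
    return header + question + (opt if dnssec else b"")

def skip_name(msg, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def summarize_response(msg):
    """Return (AD flag set?, number of RRSIG records in the answer section)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, rrsigs = 12, 0
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrsigs += int(rtype == TYPE_RRSIG)
        off += 10 + rdlen
    return bool(flags & AD), rrsigs

def constructed_response(signed=True):
    """Constructed sample reply for example.com; the RRSIG RDATA is dummy bytes."""
    q = encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    a = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    sig = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, 8) + bytes(8)
    flags = QR | RD | RA | (AD if signed else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if signed else 1, 0, 0)
    return header + q + a + (sig if signed else b"")
```

The AD flag only reports that the upstream resolver validated the answer, so it is meaningful only over a trusted path to that resolver; counting RRSIG records shows that signatures are present, not that they verify.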

It seems that DNSSEC and IPsec can be used together to provide the best security available. IPsec is used to secure data sent in a VPN and over the network, but IP addresses received from external networks can still be intercepted by man-in-the-middle attacks. This is what DNSSEC comes in to stop. Also, DNS sits at layer 7 (application) and IPsec at layer 3 (network), and layered security is always a good idea (tech-faq.com, 2015).

On another note of interest, the National Institute of Standards and Technology of the US Government (USG) has a daily snapshot of the web showing the US domains and worldwide domains with completed IPv6 enablement, and the DNSSEC-enabled domains. Quite interesting! http://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-com (NIST, 2016)

 

 

Bibliography

Image source: Screenshot from video: European Union. (2014) What is DNSSEC? [Video] Available from: http://www.internet.ee/dnssec-en/take-a-look-at-the-video-what-is-dnssec (Accessed: 05.10.2016).

microsoft.com. (2014) Overview of DNSSEC [Online] Available from: https://technet.microsoft.com/en-us/library/jj200221.aspx (Accessed: 05.10.2016).

NIST. (2016) Estimating IPv6 & DNSSEC Deployment Status [Online] National Institute of Standards and Technology. Available from: http://usgv6-deploymon.antd.nist.gov/snap-all.html (Accessed: 05.10.2016).

tech-faq.com. (2015) The OSI Model – What It Is; Why It Matters; Why It Doesn’t Matter. [Online] tech-faq.com. Available from: http://www.tech-faq.com/osi-model.html (Accessed: 05.10.2016).

Cox, Joseph. (2016) The Cryptographic Key That Secures the Web Is Being Changed for the First Time [Online] Available from: http://motherboard.vice.com/read/the-encryption-key-that-secures-the-web-is-being-changed-for-the-first-time (Accessed: 05.10.2016).