Skip to main content
0
  1. Wiki/

Email Encyclopedia: What is DNSSEC

Alibaba Mail More Products and Services

DNSSEC (Domain Name System Security Extensions) is a technological extension designed to enhance the security of the Domain Name System (DNS). It provides source authentication and data integrity protection for DNS data, preventing attacks such as DNS spoofing and DNS cache poisoning, thereby improving the overall security of the internet.

DNSSEC is not designed to encrypt DNS query content, but rather to ensure the authenticity and integrity of DNS response data. It uses public key cryptography to add digital signatures to DNS records, ensuring that clients (such as users’ computers or network devices) can verify whether the DNS information received truly comes from legitimate authoritative servers and has not been tampered with during transmission.

Background and Necessity #

DNS Vulnerabilities #

DNS is an essential component of internet infrastructure, responsible for converting human-readable domain names (such as www.example.com) into corresponding IP addresses (such as 192.0.2.1) to enable communication between devices. However, the original DNS protocol did not consider security in its initial design, thus presenting multiple potential attack surfaces.

One of the most common attack methods is DNS cache poisoning. Attackers can forge DNS responses, directing users to malicious websites to conduct phishing, malware distribution, or data theft. For example, when a user attempts to access a banking website, attackers might tamper with DNS responses to redirect the user to a visually similar phishing site, thereby stealing the user’s login credentials.

Introduction of DNSSEC #

To address these security threats, the IETF (Internet Engineering Task Force) published RFC 2065 in 1997, introducing the DNSSEC framework for the first time. Subsequently, after multiple revisions and improvements, the standardization of DNSSEC was gradually refined. RFC 4033, RFC 4034, and RFC 4035, published in 2005, further clarified the implementation specifications of DNSSEC.

How DNSSEC Works #

DNSSEC implements security verification by adding digital signatures to DNS records. Its core idea is to use a Public Key Infrastructure (PKI) to ensure that DNS responses come from verifiable sources and that the data has not been tampered with.

Digital Signature Mechanism #

In DNSSEC, each DNS zone generates a pair of keys: the Zone Signing Key (ZSK) and the Key Signing Key (KSK).

  • ZSK is used to sign DNS records within the zone.
  • KSK is used to sign the ZSK, forming a chain of trust.

When a client initiates a DNS query, the DNS server returns DNS records with digital signatures. The client uses the zone’s public key to verify the validity of the signature, thus confirming the authenticity of the response.

Verification Process #

  1. Request DNS Records: The client requests the IP address of a domain name from a recursive DNS server.
  2. Recursive Query: The recursive server requests data from the authoritative DNS server.
  3. Obtain Signed Records: The authoritative server returns DNS records with signatures (including RRSIG records) and the corresponding public key (DNSKEY record).
  4. Verify Signature: The recursive server uses the public key to verify whether the signature is valid.
  5. Return Results: If verification passes, the recursive server returns the result to the client; otherwise, it discards the response and may attempt to query again.

Chain of Trust and Root Key #

The security of DNSSEC relies on a chain of trust. Each parent zone signs the public key of its child zone, forming a top-down verification path. For example:

  • The root zone (.) signs the public keys of top-level domains (such as .com, .org).
  • Top-level domains sign the public keys of their next-level subdomains (such as example.com).
  • Subdomains then sign their subdomains or host records.

In the root zone, IANA (Internet Assigned Numbers Authority) maintains the Root KSK, which is collectively managed by globally trusted institutions to ensure its security.

Key Record Types in DNSSEC #

DNSSEC introduces several new DNS record types to support security verification:

Record Type Name Description
RRSIG Resource Record Signature Digital signature of DNS records
DNSKEY DNS Key Record Zone’s public key, used to verify signatures
DS Delegation Signer Points to the hash of the lower-level zone’s public key, used to establish the chain of trust
NSEC/NSEC3 Next Secure/NSEC3 Used to prove that a record does not exist, preventing forged negative responses

NSEC and NSEC3 #

When a client queries a non-existent domain name, DNS servers typically return an empty response. Attackers might forge such responses to mislead clients. To prevent such attacks, DNSSEC introduced NSEC and NSEC3 records.

  • NSEC: Directly lists the next domain name that exists in the zone, used to prove that a certain domain name does not exist.
  • NSEC3: Introduces hash functions based on NSEC to prevent attackers from guessing all domain names in the zone through traversal.

Current Deployment Status of DNSSEC #

Although DNSSEC was proposed in the 1990s, its deployment has been relatively slow, mainly due to:

  1. Complexity: The configuration and management of DNSSEC are relatively complex, especially key management, signature updates, and zone maintenance.
  2. Compatibility Issues: Some older DNS software or devices do not support DNSSEC, making deployment difficult.
  3. Lack of User Awareness: Many users and organizations lack awareness of DNS security and consider the risk of DNS attacks to be low.
  4. Performance Overhead: DNSSEC increases the data volume and processing time of DNS queries, potentially affecting network performance.

However, with the increase in network security threats, the deployment of DNSSEC is gradually advancing. As of 2024, all major top-level domains worldwide (such as .com, .net, .org, .gov, .mil) support DNSSEC, and the root zone has also completed DNSSEC deployment.

Advantages and Limitations of DNSSEC #

Advantages #

  • Prevents DNS Spoofing and Cache Poisoning: Ensures the authenticity and integrity of DNS response data.
  • Enhances Chain of Trust: Establishes end-to-end trust verification through a hierarchical signing mechanism.
  • Supports Modern Network Security Architecture: As an important component of internet infrastructure, it enhances overall network security.

Limitations #

  • Does Not Provide Encryption: DNSSEC only verifies data integrity and does not encrypt query content, so it cannot prevent DNS queries from being monitored.
  • Cannot Defend Against DDoS Attacks: DNSSEC cannot block Distributed Denial of Service (DDoS) attacks targeting DNS servers.
  • High Management Complexity: Requires regular key updates and zone re-signing, resulting in higher maintenance costs.
  • High Deployment Costs: Requires updating DNS server software, configuring signing mechanisms, and may involve additional hardware or services.

Combining DNSSEC with Modern DNS Security Technologies #

To further enhance DNS security, DNSSEC is often used in combination with other DNS security technologies:

  • DNS over HTTPS (DoH): Encrypts DNS queries through the HTTPS protocol to prevent monitoring.
  • DNS over TLS (DoT): Uses the TLS protocol to encrypt DNS traffic, enhancing privacy.
  • DANE (DNS-based Authentication of Named Entities): Uses DNSSEC to verify TLS certificates, enhancing website identity verification.
  • RPKI (Resource Public Key Infrastructure): Used to verify IP address ownership, preventing route hijacking.

The combination of these technologies can build a more secure and trustworthy internet infrastructure.

How to Enable DNSSEC #

Enabling DNSSEC typically requires the following steps:

  1. Choose a DNS Server Supporting DNSSEC: Such as Bind, Knot DNS, NSD, etc.
  2. Generate Key Pairs: Create ZSK and KSK.
  3. Sign Zone Files: Use ZSK to sign DNS records within the zone.
  4. Configure DS Records: Submit DS records to the parent zone (such as the registrar) to establish the chain of trust.
  5. Regularly Update Keys and Signatures: Ensure key security and maintain signature validity.

For ordinary users, typically all that is needed is to use a recursive DNS resolver that supports DNSSEC (such as Cloudflare 1.1.1.1, Google Public DNS, etc.) to enjoy the security protection provided by DNSSEC.

Summary #

DNSSEC is an important internet security technology designed to address inherent security flaws in the DNS protocol. It ensures the authenticity and integrity of DNS responses through a digital signature mechanism, preventing attacks such as DNS spoofing and cache poisoning. Although deployment and management are relatively complex, with the intensification of network security threats, the popularization and application of DNSSEC are gradually expanding. Combined with other DNS security technologies, DNSSEC helps build a more secure and reliable internet environment.