In recent years, online security has understandably increased in importance. One thing every website can do to promote better security is the adoption of Domain Name System Security Extensions (DNSSEC).
DNSSEC adds a special digital signature to a domain’s DNS to assert the authenticity of that domain name’s origin. Why is this valuable? DNSSEC addresses a certain category of security risks and helps prevent malicious activities such as cache poisoning, pharming, and man-in-the-middle attacks.
Let’s review how this actually works in practice.
Let’s say you open your browser and type a domain name like blog.tophosting.llc into the address bar. In order to open this website, a resolver must first take the domain name and translate it into a numeric address (IP address) that identifies your site. DNS is like the phone book of the Internet.
Unfortunately, the DNS protocol is not always as secure as it could be. In fact, it is possible for a hijacker to interrupt the above process, identify its own IP address with the domain the user has typed into its address bar, and ultimately send the user to a different website (which may be deceptively styled to mimic the original) where valuable account and password information can be stolen.
It is these types of activities that have made it necessary to increase security with the use of DNSSEC. DNSSEC has this resolver first check the domain’s digital signature and compare it to one that is on file in the registry. If the signature does not match, it could mean that someone is impersonating your website and the process is interrupted to protect the visitor.
Think of DNSSEC as the key that must fit into the lock before the door between a domain name and that site’s IP address can be opened.
By securing the directory search, DNSSEC takes care of a crucial part of Internet security. Once you have connected to the website in question, HTTPS can protect the visitor from there on. These two systems are complementary.
The DNSSEC verification process provides users with three significant benefits:
- Data Origin Authentication – This feature further validates authoritative sources, making it harder for malicious third parties to implement man-in-the-middle attacks.
- Data Integrity: In this process, records are cryptographically signed. If they were modified during the master/secondary zone, it will appear when resolving a record.
- Authenticated Denial of Existence: If a query has no data, authoritative servers can provide a response, proving that no data exists.
With all these benefits, you might be surprised to find that DNSSEC is still not widely used. By some estimates, less than 10% of all sites currently use this technology. Still, adoption is increasing every year, and DNSSEC is becoming a powerful tool in the development of a safer and more trustworthy Internet.
How does DNSSEC actually help you? For one, it shows your customers that your company cares about their security. When it comes to security-conscious people, it also makes it less of a concern for them to use your site and especially to send transactions through it.