Deploying DNSSEC

The Need for Domain Name System Security Extensions (DNSSEC)

Back in 1983, when the modern DNS was being defined (yes, ages ago!), security was not a top-of-mind issue. After all, the commercial internet had not yet been developed, computer networking was in its infancy, and a virus was something that caused a cold.

Now the DNS underlies virtually all IP communications, and the need for DNS security is much better understood.

A cornerstone of DNS security is trust. How do we know for certain that a DNS response came from the server authorized to provide it? How do we know that a DNS response has not been modified by an attacker who intends to redirect unsuspecting users to a fake web site in order to steal financial or confidential information? The scary answer is that we don’t – unless we implement DNSSEC.

What is DNSSEC?

DNS Security Extensions (DNSSEC) was created to add critically needed trust to the DNS. The extensions add digital signatures to DNS data, and a recipient validates these signatures to ensure that a DNS response is authentic and has not been altered in transit. If someone tries to impersonate an authorized DNS server, the response fails validation, is marked bogus and is discarded. Likewise, if someone tries to forge a response, that too is detected and discarded. With DNSSEC, recipients know with certainty whether a response can be trusted or not. Note that DNSSEC authenticates data; it does not encrypt queries or responses, so it provides integrity and origin authentication, not privacy.

Deploying DNSSEC defeats many of the attacks used to commit fraud, including:

  • DNS Redirection Attack
  • Cache Poisoning
  • Pharming
  • Spearphishing, which may also be mitigated, although further steps need to be taken
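To make the trust model above concrete, here is an added example (not code from Secure64 or from this page) of the signer and validator roles. It uses Ed25519 (DNSSEC algorithm 15) from Go's standard library over a simplified canonical form of an RRset; the real RRSIG wire format, TTL handling and chain of trust are omitted. The key pair, names and addresses are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is one resource record in presentation form (constructed sample data).
type RR struct{ Name, Type, Data string }

// canonical returns the bytes both the signer and the validator compute over an
// RRset: owner names lower-cased and records sorted, so both sides agree on the
// input no matter which order a response listed the records in (simplified
// version of the RFC 4034 canonical form).
func canonical(rrset []RR) []byte {
	lines := make([]string, len(rrset))
	for i, rr := range rrset {
		lines[i] = strings.ToLower(rr.Name) + " " + rr.Type + " " + rr.Data
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Sign plays the zone signer: it produces the RRSIG-like signature for an RRset
// under the zone's private key.
func Sign(priv ed25519.PrivateKey, rrset []RR) []byte {
	return ed25519.Sign(priv, canonical(rrset))
}

// Validate plays the validating resolver: the answer is "secure" only when the
// signature matches the data under the zone's public DNSKEY. A tampered RRset,
// or one signed by an impostor's key, is "bogus" and a resolver discards it.
func Validate(pub ed25519.PublicKey, rrset []RR, sig []byte) string {
	if ed25519.Verify(pub, canonical(rrset), sig) {
		return "secure"
	}
	return "bogus"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // zone's DNSKEY pair (constructed)
	rrset := []RR{{"www.example.com.", "A", "192.0.2.10"}}
	sig := Sign(priv, rrset)
	fmt.Println("authentic response:", Validate(pub, rrset, sig))
	redirected := []RR{{"www.example.com.", "A", "198.51.100.99"}} // altered in transit
	fmt.Println("redirected response:", Validate(pub, redirected, sig))
}
```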

Deploying DNSSEC – Risk vs. Return

Deploying DNSSEC has tremendous value in providing a secure and trusted online experience, but it does have risks. It is complex, and this complexity leads to long implementation times as well as significant deployment and maintenance costs. If DNSSEC is implemented incorrectly (for example, if signatures are allowed to expire), it can cause your organization’s domains to become unreachable, because validating resolvers discard records that fail validation.

The Solution

Secure64 DNS Signer is a secure DNSSEC signing server that works with existing DNS infrastructure and automates all of the activities required to deploy DNSSEC. DNS Signer allows organizations to:

  • Implement in days, not months
  • Reduce deployment and maintenance costs
  • Retain the investment in existing DNS infrastructure
  • Eliminate errors that can cause the organization’s domain to become unreachable