DNSSEC (Domain Name System Security Extensions) is a set of protocol extensions that adds cryptographic protection to the Domain Name System (DNS) by digitally signing DNS data. The signatures let a resolver detect forged or tampered records, so users are directed to the correct site and attacks such as DNS spoofing and cache poisoning fail. A validating resolver checks each signature to confirm that the data is authentic and unaltered, which stops a malicious actor from redirecting traffic to a fake site.
How it works
Digital Signatures: DNSSEC uses public key cryptography to sign DNS records (such as A, AAAA and MX records) on the authoritative name server; the private key stays with the zone operator and only the public key is published.
New Record Types: It introduces new DNS record types to carry the signatures and keys: RRSIG (the signature over a set of records), DNSKEY (the zone's public key), DS (a hash of a child zone's key, published and signed in the parent zone) and NSEC/NSEC3 (signed proof that a name or record type does not exist).
Verification: When a user requests a website, a validating resolver checks the RRSIG signature against the zone's DNSKEY public key to ensure the data has not been altered and came from the legitimate source. It then checks that key against the DS record in the parent zone, and repeats this up to the root zone's key, which the resolver holds as its trust anchor.
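How the three steps above fit together is easiest to see in code. The following Python model is an added example, not code from this page or from any DNS implementation: textbook RSA over small, deterministically generated keys stands in for the real DNSSEC algorithms, the record formats are simplified (no key tags, validity windows or NSEC records), and every zone name and address is constructed sample data. It signs an A record in an `example.com.` zone, publishes DS records up a root/com/example delegation chain, and then shows a validating resolver accepting the genuine answer and rejecting both an altered record and a zone re-signed with a key the parent never delegated to.

```python
"""Toy model of the DNSSEC chain of trust (an added example, not DNS software).
Textbook RSA with small deterministic keys stands in for the real DNSSEC algorithms;
record formats are simplified and all zone names and addresses are constructed."""
import hashlib
import random

def _probable_prime(n, rng, rounds=8):
    """Miller-Rabin test for an odd n > 3; adequate for a toy key only."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(s):  # look for n - 1 among a^d, a^2d, ..., a^(2^(s-1) d)
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def keygen(seed, bits=256):
    """Deterministic toy RSA pair: (public DNSKEY material, private signing exponent)."""
    rng, e, primes = random.Random(seed), 65537, []
    while len(primes) < 2:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if _probable_prime(c, rng) and c not in primes and (c - 1) % e:
            primes.append(c)  # (c - 1) % e != 0 keeps gcd(e, phi) == 1
    p, q = primes
    return {"e": e, "n": p * q}, pow(e, -1, (p - 1) * (q - 1))

def _digest(owner, rtype, rdata):
    """SHA-256 over a simplified RFC 4034 canonical form: lowercase owner, sorted rdata."""
    text = "\n".join([f"{owner.lower()} {rtype}"] + sorted(rdata)).encode()
    return int.from_bytes(hashlib.sha256(text).digest(), "big")

def sign_rrset(owner, rtype, rdata, priv, pub):
    return pow(_digest(owner, rtype, rdata), priv, pub["n"])  # the RRSIG value

def verify_rrsig(owner, rtype, rdata, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == _digest(owner, rtype, rdata)

def dnskey_rdata(pub):
    return f"257 3 TOY-RSA {pub['e']} {pub['n']}"  # flags, protocol, algorithm, key
def ds_rdata(pub):  # DS = hash of the child's DNSKEY, published and signed by the parent
    return hashlib.sha256(dnskey_rdata(pub).encode()).hexdigest()

def publish(zone, owner, rtype, rdata):
    """Store an RRset in the zone together with its RRSIG."""
    sig = sign_rrset(owner, rtype, rdata, zone["_priv"], zone["pub"])
    zone["rrsets"][(owner, rtype)] = {"rdata": list(rdata), "rrsig": sig}

def make_zone(name, seed, parent=None):
    pub, priv = keygen(seed)
    zone = {"name": name, "pub": pub, "_priv": priv, "rrsets": {}}
    publish(zone, name, "DNSKEY", [dnskey_rdata(pub)])
    if parent is not None:  # delegation: the parent vouches for this key with a DS record
        publish(parent, name, "DS", [ds_rdata(pub)])
    return zone

def lookup(zones, owner, rtype):  # a real resolver would query for the RRset instead
    for zone in zones.values():
        if (owner, rtype) in zone["rrsets"]:
            return zone, zone["rrsets"][(owner, rtype)]
    return None, None

def validate(zones, owner, rtype, anchor):
    """Validating resolver: check the RRSIG, then follow DS/DNSKEY links to the trust anchor."""
    zone, rrset = lookup(zones, owner, rtype)
    if rrset is None:
        return False
    keyset = lookup(zones, zone["name"], "DNSKEY")[1]  # the zone's published DNSKEY RRset
    pub = dict(zip(("e", "n"), map(int, keyset["rdata"][0].split()[3:])))
    if not verify_rrsig(owner, rtype, rrset["rdata"], rrset["rrsig"], pub):
        return False  # data does not match its signature: altered or forged
    if zone["name"] == anchor["name"]:
        return pub == anchor["pub"]  # reached the resolver's configured trust anchor
    _, ds = lookup(zones, zone["name"], "DS")
    if ds is None or ds_rdata(pub) not in ds["rdata"]:
        return False  # the parent never vouched for this key
    return validate(zones, zone["name"], "DS", anchor)  # the DS RRset must itself validate

def demo():
    """Returns (genuine answer validates, altered answer validates, forged zone validates)."""
    root = make_zone(".", seed=1)
    com = make_zone("com.", seed=2, parent=root)
    example = make_zone("example.com.", seed=3, parent=com)
    publish(example, "www.example.com.", "A", ["192.0.2.10"])
    zones = {z["name"]: z for z in (root, com, example)}
    anchor = {"name": ".", "pub": root["pub"]}  # like the root key shipped with a resolver
    genuine = validate(zones, "www.example.com.", "A", anchor)
    # Answer altered in transit: the RRSIG no longer matches the data.
    zones["example.com."]["rrsets"][("www.example.com.", "A")]["rdata"] = ["198.51.100.66"]
    altered = validate(zones, "www.example.com.", "A", anchor)
    # Whole zone re-signed with a key the parent never delegated to: no DS matches it.
    zones["example.com."] = make_zone("example.com.", seed=99)
    publish(zones["example.com."], "www.example.com.", "A", ["198.51.100.66"])
    spoofed = validate(zones, "www.example.com.", "A", anchor)
    return genuine, altered, spoofed
```

Calling `demo()` returns `(True, False, False)`: only the answer whose signature chain reaches the trust anchor is accepted. The walk in `validate` (RRSIG against DNSKEY, DNSKEY against the parent's DS, parent's DS RRset against the parent's key, up to the anchor) is the same walk a production validator such as BIND's `delv` performs against real zones, starting from the published root key.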
Why it's important
Prevents Spoofing: A forged record fails signature validation, so attackers cannot poison a resolver's cache with fake records, a common method of redirecting users to malicious sites.
Ensures Authenticity: Guarantees that the IP address you receive for a domain is the one published by the domain's owner, not an impostor's.
Adds Integrity: Verifies that the DNS data has not been tampered with in transit. DNSSEC signs but does not encrypt, so it protects the authenticity and integrity of answers, not the confidentiality of queries.
- https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
- https://support.dnsimple.com/articles/what-is-dnssec
- https://www.cloudflare.com/en-ca/learning/dns/dnssec/how-dnssec-works