DNSSEC FAQ

What is DNSSEC?

Domain Name System Security Extensions (DNSSEC) add digital signatures to a domain name's DNS (Domain Name System) to determine the authenticity of the source domain name.

DNSSEC is a set of extensions to DNS that provides:

  • Origin authentication of DNS data
  • Data integrity
  • Authenticated denial of existence

DNSSEC addresses an identified security risk and helps prevent malicious activities like cache poisoning, pharming, and man-in-the-middle attacks. It uses a digital signature to create a chain of authority. Then, it uses the chain to verify that the source domain name, which the DNS resolver returns, matches the DNS record stored at the authoritative DNS. If it cannot validate the source, it discards the response.

We currently offer two types of DNSSEC: self-managed and fully managed. The criteria differ depending on which type you want to use.

To Use Self-Managed DNSSEC Services:

  • Your domain name must be registered through us.
  • The domain name's registry must be DNSSEC-aware, and we must support it for the domain name's extension:
    • .com
    • .net
    • .biz
    • .us
    • .org
    • .eu
    • .se
    • .at
    • .co.uk, .me.uk, and .org.uk
    • .co, .com.co, .net.co, and .nom.co
  • The domain name must use custom nameservers. That is, it is not hosted, parked, or forwarding with us.
  • The domain name must be in active status, not flagged by the registry, and have valid Whois data.

To Use Fully Managed DNSSEC Services:

  • You must have a Premium DNS account. For more information, see Upgrade to Premium DNS.
  • The domain name's registry must be DNSSEC-aware, and we must support it for the domain name's extension:
    • .com
    • .net
    • .biz
    • .us
    • .org
    • .eu
    • .se
    • .at
    • .co.uk, .me.uk, and .org.uk
    • .co, .com.co, .net.co, and .nom.co
  • The domain name must use our nameservers.

How does DNSSEC work?

DNSSEC adds a digital signature to each piece of a domain name's DNS information. When a visitor enters the domain name's URL in a browser, the resolver (the conversion from the people-friendly domain name URL to the numeric address used by the Internet) verifies the digital signature. The digital signature must match the value on file at the registry, or the resolver discards the response.

Here's another way to look at it: Site A has information that Visitor B wants. The messenger, i.e., the resolver, receives the information from Site A but delivers it to Visitor B only if Site A can identify itself properly. To authenticate Site A, the messenger matches Site A's fingerprints against fingerprints on file for it at the registry.

DNSSEC's digital signature ensures that you're communicating with the site or Internet location you intended to visit.

Why does my website no longer resolve after I enabled DNSSEC?

Remember that the digital signature you store in a DS (Delegation of Signing) record through the Domain Manager must match the digital signature that your domain name's nameservers produce. If it does not, by DNSSEC (Domain Name System Security Exentions) rules, the domain name cannot resolve to your website. Carefully review the DS record information you entered against the zone record stored on the nameserver and make sure they match.

see Manage DNSSEC for my domain for more information on viewing and updating your DS information.

How do I enable DNSSEC and sign my zone?

To enable DNSSEC you must digitally create private and public keys and generate a Declaration of Signing record during the domain name signing process.

There are a number of resources on the Internet for those familiar with DNS. Refer to your nameserver documentation for more details.

Prerequisites for the Zone Signing Process:

  1. Set your domain name to use DNSSEC-aware nameservers. If you are hosting your own nameservers, you must enable DNSSEC on them.
  2. Determine the algorithm you want to use to sign your zone file. The domain name's registry specifies the algorithms they support. The following algorithms are in use for DNSSEC:
    • 0 — Reserved
    • 1 — RSA/MD5 [RSAMD6]
    • 2 — Diffie-Hellman [DH]
    • 3 — DSA/SHA-1 [DSA]
    • 4 — Elliptic Curve [ECC]
    • 5 — RSA/SHA-1 [RSASHA1]
    • 252 — Indirect [INDIRECT]
    • 253 — Private [PRIVATEDNS]
    • 254 — Private [PRIVATEOID]
    • 255 — Reserved

The General Zone Signing Process

Specifics for this process are determined by your DNSSEC-aware nameservers and the domain name's registry.

  1. Generate a zone signing key.
  2. Generate a key signing key.
  3. Sign the zone and generate signed zone records.
  4. Generate the declaration of signing (DS) record. Use the information in this record to enable DNSSEC for your domain name registered with us.

see Manage DNSSEC for my domain for information on enabling and managing DNSSEC for your domain name through the Domain Manager.

How do I know if the URL I've requested is DNSSEC-aware?

Browsers are not currently set up to identify DNSSEC. They don't give you visual feedback for DNSSEC-secured sites like they do when a site is secured by an SSL — that is, the padlock icon.

If there's a verification problem with a DNSSEC-aware URL, however, you receive a message indicating that the site does not exist — a 404 Not Found error.

How does DNSSEC protect Internet users?

DNSSEC (Domain Name System Security Extensions) is designed to protect Internet users from forged DNS data, such as a misleading or malicious address instead of the legitimate address that was requested. Here's the difference between DNSSEC-aware and non-aware lookups.

Non-DNSSEC-Aware Lookups

With these DNS lookups, your URL request goes to the Internet and accepts the first response it receives. If a malicious Internet player intercepts the request and sends back an incorrect response, the response you receive takes you to an unintended Internet site where your personal information can be compromised.

Now imagine if that malicious address information is stored by Internet resolvers, ISPs for example, and then used by thousands of individual requests. Without DNSSEC, it's possible for an Internet resolver like an ISP to receive this malicious information and store it in their cache. Anyone using the ISP's cache gets the malicious address information until the cache is refreshed.

DNSSEC-Aware Lookups

These DNS lookups go first to the domain name's registry and get a copy of the digital signature being used by the URL. The address response must also include a matching digital signature. If it doesn't, your browser can't display the site. This way, you can't be redirected to a bogus location that you didn't request.

Since DNSSEC makes the Internet more secure, why doesn't everyone use it?

Implementing DNSSEC across the Internet is a bit like world peace: Everyone realizes that it's a great idea, but implementation requires effort, consensus, and expenses (often significant) world-wide.

The Internet-wide implementation is moving steadily forward, one domain name extension and its registry at a time. As each extension becomes DNSSEC-aware, we'll be there to support the effort for domain names registered through us.

What types of websites should enable DNSSEC for their domain name?

While every domain name can benefit from the security of DNSSEC (Domain Name System Security Extensions), sites that accept personal, financial, or medical information plus any sites at high risk for malicious activity should consider enabling DNSSEC.