Domain Name System Security Extensions (DNSSEC) is a security feature that makes sure you are connecting to a legitimate website and not a fake one while attempting to access a page through its domain name.
Here’s how it works. Every domain name has a digital signature which can tell whether it is clean or is being used by hackers to victimize Web users. DNSSEC’s role is to prevent people from falling into the trap by first verifying the trustworthiness of the digital signature of the domain name you enter in a browser. If it checks out, you are assured of reaching the right, safe location.
How does DNSSEC Work?
Each Domain Name System (DNS) zone (i.e., a specific portion of the DNS space assigned to a manager or authority, such as the .com top-level domain [TLD] zone, which is managed by the Internet Assigned Numbers Authority [IANA]) contains a pair of public and private keys. In normal circumstances, a DNS resolver (i.e., the part of the system that receives queries) takes a query and immediately directs the requester to the IP address that corresponds to the page the user wants to visit. With DNSSEC enabled, the resolver adds a step, a request for the zone owner’s digital signature (i.e., a form of authentication), before it provides the answer to the requester. This step makes DNS transactions more secure.
In the DNSSEC process, the zone’s owner holds the private key, which generates the digital signatures. Only the owner knows this key; the signatures it produces are stored in Resource Record Digital Signature (RRSIG) records. The public key, which lives in the so-called DNSKEY record, can be retrieved by anyone. Both keys are required to access a DNSSEC-protected IP address.
Enabling DNSSEC makes sites more secure because of data encryption (i.e., the use of public and private keys). With it, websites get two additional features:
- Data integrity protection: This allows a resolver to make sure that the data transmitted does not get modified while in transit since a private key protects it. Only the private key’s keeper can make changes to the data.
- Data origin authentication: This assures users that the response to their request indeed came from the owner of the site they wish to visit because it contains the owner’s digital signature. It prevents requesters from ending up on hijacked or spoofed domains. It uses public key infrastructure (PKI) authentication, which requires a specific pair of public and private keys that point to an IP address.
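The signing and validation flow described above (a zone key pair, the signature kept in an RRSIG, the public key published in a DNSKEY, and the two features of integrity protection and origin authentication), as an added Go example that is not part of the original page. It uses Ed25519 from Go’s standard library (DNSSEC also supports Ed25519, as algorithm 15) and a simplified canonical serialisation in place of the RFC 4034 wire format. The zone name example.com., the documentation-range addresses, and every type and function name are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// Zone models the key pair the text describes: the owner keeps the private
// key, and the public half is published in the zone's DNSKEY record.
type Zone struct {
	Name    string
	DNSKEY  ed25519.PublicKey  // published; anyone may fetch it
	private ed25519.PrivateKey // held only by the zone owner
}

// RRset is the unit DNSSEC signs: all records sharing one name and type.
type RRset struct {
	Name  string   // e.g. "www.example.com."
	Type  string   // e.g. "A"
	TTL   uint32
	Rdata []string // e.g. {"192.0.2.10"} (constructed, RFC 5737 range)
}

// RRSIG carries the signature over an RRset plus the fields a validator
// needs to locate the DNSKEY that should verify it.
type RRSIG struct {
	TypeCovered string
	SignerName  string
	Signature   []byte
}

// NewZone generates a fresh key pair for a zone (hypothetical helper).
func NewZone(name string) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, DNSKEY: pub, private: priv}, nil
}

// canonical serialises an RRset in a fixed order so that signer and
// validator sign and verify exactly the same bytes. This is a simplified
// stand-in for the RFC 4034 canonical form, not the real wire encoding.
func canonical(rr RRset) []byte {
	rdata := append([]string(nil), rr.Rdata...)
	sort.Strings(rdata)
	var b bytes.Buffer
	b.WriteString(strings.ToLower(rr.Name))
	b.WriteByte(0)
	b.WriteString(rr.Type)
	b.WriteByte(0)
	binary.Write(&b, binary.BigEndian, rr.TTL)
	for _, d := range rdata {
		b.WriteString(d)
		b.WriteByte(0)
	}
	return b.Bytes()
}

// Sign is what only the zone owner can do: produce the RRSIG for an RRset.
func (z *Zone) Sign(rr RRset) RRSIG {
	return RRSIG{
		TypeCovered: rr.Type,
		SignerName:  z.Name,
		Signature:   ed25519.Sign(z.private, canonical(rr)),
	}
}

// Validate is the resolver's extra step: check the RRSIG against the
// zone's published DNSKEY before handing the answer to the requester.
func Validate(rr RRset, sig RRSIG, dnskey ed25519.PublicKey) bool {
	if sig.TypeCovered != rr.Type {
		return false
	}
	if !strings.HasSuffix(strings.ToLower(rr.Name), strings.ToLower(sig.SignerName)) {
		return false
	}
	return ed25519.Verify(dnskey, canonical(rr), sig.Signature)
}

func main() {
	zone, err := NewZone("example.com.")
	if err != nil {
		panic(err)
	}
	rr := RRset{Name: "www.example.com.", Type: "A", TTL: 300, Rdata: []string{"192.0.2.10"}}
	sig := zone.Sign(rr)
	fmt.Println("genuine RRset validates:", Validate(rr, sig, zone.DNSKEY))

	// Integrity protection: an in-transit change to the address breaks the signature.
	tampered := rr
	tampered.Rdata = []string{"203.0.113.66"}
	fmt.Println("tampered RRset validates:", Validate(tampered, sig, zone.DNSKEY))

	// Origin authentication: a signature made with a key that is not the
	// zone's DNSKEY is rejected, even though it is a valid Ed25519 signature.
	imposter, _ := NewZone("example.com.")
	forged := imposter.Sign(tampered)
	fmt.Println("imposter-signed RRset validates:", Validate(tampered, forged, zone.DNSKEY))
}
```

Running the block prints true, false, false. In a real validator the DNSKEY itself is not simply trusted on sight: it is authenticated through a DS record in the parent zone, and so on up to the root trust anchor, which is what stops an attacker from substituting their own DNSKEY along with their own RRSIG.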
How Can You Enable DNSSEC?
Unfortunately, enabling DNSSEC is not automatic, and not all registrars support the feature yet. The only way you can enable it is if your registrar offers DNSSEC protection.
ICANN (the Internet Corporation for Assigned Names and Numbers, a private organization tasked with managing and allocating the DNS) keeps a list of domain registrars that offer DNSSEC. You can check whether your registrar is on that list. If it is, follow these steps:
- Sign in to your account.
- Select your domain name.
- Open the menu.
- Click DNS.
- Scroll to DNSSEC.
- Click Enable DNSSEC or Disable DNSSEC to change the domain’s setting.
Note that the instructions above are for Google Domains. Different registrars may require different steps; check your registrar’s own DNSSEC pages for instructions. Also, it may take up to two hours for DNSSEC to activate completely, and up to two days to deactivate after you turn it off.