What is DNSSEC?

Domain Name System Security Extensions (DNSSEC) is a method of adding security to DNS to protect against forged or manipulated DNS information.

Standard DNS information is not authenticated: name servers trust any response they receive. Because they trust any response, somebody can send incorrect information to a name server. Once the name server has the incorrect information, anyone else who uses that name server will see it too. An attacker could use this to temporarily disable or redirect a domain.

DNSSEC adds security by letting name servers verify that DNS info is coming from the correct place. When DNSSEC is set up, DNS records are digitally signed. When checking records, name servers look for a signature and verify that it is valid for the record. If there is no signature or the signature does not verify, the name server will not trust or save the incorrect information.
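How a client sees the outcome of the validation described above, as an added example that is not part of the original article: it builds a query with the EDNS0 "DNSSEC OK" (DO) bit set and classifies resolver responses by the AD flag and RCODE. The function names and the sample response headers are constructed for illustration.

```python
import struct

FLAG_QR = 0x8000   # header: this packet is a response
FLAG_AD = 0x0020   # header: Authenticated Data, set by a validating resolver
EDNS_DO = 0x8000   # OPT record flags: "DNSSEC OK", client wants DNSSEC handling
RCODE_SERVFAIL = 2

def build_query(name, qtype=1, qid=0x1234):
    """Build a DNS query for name with an EDNS0 OPT record that sets DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    # OPT RR: root owner, type 41, class = UDP size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO, 0)
    return header + question + opt

def classify_response(packet):
    """Classify a resolver response by RCODE and the AD flag."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, *_counts = struct.unpack("!HHHHHH", packet[:12])
    if not (flags & FLAG_QR):
        raise ValueError("not a response")
    if (flags & 0x000F) == RCODE_SERVFAIL:
        # Validating resolvers return SERVFAIL when signatures do not verify
        # (SERVFAIL has other causes too, so treat it as "no usable answer").
        return "rejected"
    # AD is only meaningful if the path to the resolver itself is trusted.
    return "validated" if flags & FLAG_AD else "unvalidated"

def sample_response(flags, ancount):
    """Constructed 12-byte response header (no records), for illustration."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

# Constructed samples: QR|RD|RA plus AD, without AD, and with RCODE=SERVFAIL.
SAMPLES = {
    "signed zone, signature verified": sample_response(0x81A0, 1),
    "unsigned zone": sample_response(0x8180, 1),
    "signature failed to verify": sample_response(0x8182, 0),
}

if __name__ == "__main__":
    print(build_query("example.com").hex())
    for label, packet in SAMPLES.items():
        print(f"{label}: {classify_response(packet)}")
```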

To learn how to use DNSSEC, please visit our Knowledge Base article Using DNSSEC.