About The DNS
To understand DNSSEC (Domain Name System Security Extensions), you first need to understand how the DNS (Domain Name System) itself works.
DNS translates a website's domain name into a numerical address that computers can read and process efficiently, for example 104.16.99.56. This is the website's IP address. Every IP address is associated with a domain name, which is why DNS is often called the Internet's phone book. This data is stored on domain name servers, where a domain name is translated into an IP address and vice versa.
When DNS was first introduced, not everything went smoothly, and its weaknesses quickly became apparent. This is where DNSSEC comes in: to fix these flaws, developers started working on a security system that could be added to existing DNS systems as an extension.
How Does DNSSEC Work?
The main function of DNSSEC is to ensure the integrity and authenticity of the data in the DNS. It protects Internet clients from forged DNS data by checking and validating the digital signatures attached to DNS records.
In this way, DNSSEC ensures that the user is actually interacting with the page they requested.
DNSSEC uses a public-key system to verify the data: additional records are attached to the existing DNS records, and these new records carry the domain's digital signatures.
The signed name server now has a public key and a private key. When it sends data, the data is signed with the private key, and the recipient verifies that signature with the public key. If data arrives from a third party and does not match the public key, the recipient will not accept it.
Keys Used By DNSSEC
The keys published in DNSKEY records serve two purposes:
- Key Signing Key (KSK): it signs the zone signing keys
- Zone Signing Key (ZSK): it signs the records
Overview of The DS (Delegation Signer) Record
The DS record contains a unique fingerprint (digest) of the public key together with metadata about the key (e.g., the algorithm it uses).
An example:
something.com 4200 IN DS 2472 13 2 16e637262zt822dafs828737sjjd2671jsym6172…
Now let's break the DS record down into its component parts and see what each one contains.
- something.com – the domain name
- 4200 – TTL (Time To Live), the lifetime of the record
- IN – the class, meaning Internet
- DS – the record type
- 2472 – Key Tag, identifies the key
- 13 – algorithm number
- 2 – digest type
- The long string at the end is the digest (hash) of the public key
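As an added example (not code from the original article), the following Python builds a DS record for a constructed DNSKEY and parses it back into the fields listed above, showing where the key tag and the digest come from: the key tag is a checksum over the DNSKEY RDATA (RFC 4034 Appendix B), and the digest (type 2 is SHA-256) is the hash of the owner name in wire format followed by that RDATA. The owner name, TTL and key bytes are made-up values, and algorithm 13 is ECDSA P-256 with SHA-256.

```python
import hashlib
import struct
# Constructed values, not from the article: a made-up 64-byte "public key" for
# something.com so the example runs offline (placeholder bytes, not a real key).
EXAMPLE_OWNER = "something.com."
EXAMPLE_PUBKEY = bytes(range(1, 65))

def name_to_wire(name):
    """Owner name in DNS wire format: length-prefixed labels, lowercased, root label last."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split("."))
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags (257 = KSK), 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, fold in the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA); type 2 is SHA-256."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds_record(owner, ttl, flags, algorithm, pubkey, digest_type=2):
    """The DS record a parent zone would publish for this DNSKEY, in presentation format."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)
    return "%s %d IN DS %d %d %d %s" % (owner, ttl, key_tag(rdata), algorithm,
                                        digest_type, ds_digest(owner, rdata, digest_type))

def parse_ds_record(line):
    """Split a DS record's text form into the fields listed in the article."""
    owner, ttl, cls, rtype, tag, alg, dtype, digest = line.split(None, 7)
    if rtype != "DS":
        raise ValueError("not a DS record")
    return {"owner": owner, "ttl": int(ttl), "class": cls, "key_tag": int(tag),
            "algorithm": int(alg), "digest_type": int(dtype),
            "digest": digest.replace(" ", "").upper()}

def ds_matches_dnskey(ds, owner, rdata):
    """Validator-side check: the DS must match the child's DNSKEY in key tag, algorithm and digest."""
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))
```

Calling make_ds_record(EXAMPLE_OWNER, 4200, 257, 13, EXAMPLE_PUBKEY) returns a line in the same shape as the article's example, and ds_matches_dnskey is the check a validating resolver performs before trusting the child zone's key.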