DNSSEC has two main functions: signing and authenticating (validating). Both are essential to the protection it provides, but they are distinct operations carried out by different parties.
Signing
The domain's zone is signed by the operators of its authoritative name servers. These name servers are run either by the DNS provider with which the domain is registered (who also provides basic DNS service) or by a web hosting provider that offers both DNS service and a DNSSEC-capable authoritative DNS server.
In essence, the DNSSEC signature process is as follows:
- The owner of the domain name enables DNSSEC for the domain's zone at the DNS provider.
- The DNS server that serves that zone signs its records using DNSSEC keys.
- As part of this process, a Delegation Signer (DS) record is created for submission to the TLD. The DS record links the domain's signing key into the chain of trust (every answer on the path from the root down to the domain carries a signature that can be checked), which prevents a third party from intercepting the communication and redirecting the query to a malicious website.
- The domain registrar must be given this DS record when the domain is set up.
- The registrar then forwards the DS record to the TLD operator. (The TLD itself must support DNSSEC.)
Authenticating
Validation is carried out by DNS resolvers that perform DNSSEC validation. Such a resolver can run anywhere on the network, including in browsers, messaging services, and mail servers. It may be built into the operating system of your personal computer or provided by your Internet service provider or a public DNS service such as Google's public DNS.
During validation, the domain's DNSSEC signatures are verified cryptographically.
As part of this, the resolver checks that a complete chain of trust exists from the root DNS servers down to the domain, confirming that the data it uses has not been modified. Ideally, this validation occurs as close to the end user as possible.
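The link between the two halves above, the DS record the registrar hands to the TLD and the check a validating resolver performs against it, can be shown in code. This is an added example, not code from the original text: it builds a DS record from a DNSKEY and recomputes it on the validator's side. The zone name and key bytes are constructed placeholders, not real example.com key material.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    owner: str         # zone name, e.g. "example.com."
    flags: int         # 257 = key-signing key (Zone Key + SEP bits), 256 = zone-signing key
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes  # raw public key bytes (base64-encoded in zone files)

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int   # 2 = SHA-256
    digest: bytes

def name_to_wire(name: str) -> bytes:
    # Canonical wire form: lowercase labels, each length-prefixed, ending in the root label.
    labels = name.strip(".").lower().split(".") if name.strip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(key: DNSKEY) -> int:
    # RFC 4034 Appendix B checksum over the DNSKEY RDATA (for algorithms other than 1).
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(key: DNSKEY) -> DS:
    # Signing side: DS digest = SHA-256(owner name in wire form || DNSKEY RDATA).
    # This is the record the registrar passes up so the parent zone can vouch for the child's key.
    digest = hashlib.sha256(name_to_wire(key.owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)

def ds_matches(ds: DS, key: DNSKEY) -> bool:
    # Validating side: recompute the DS from the child's DNSKEY and compare it with the DS
    # published by the parent. Any mismatch breaks the chain of trust at this delegation.
    if ds.digest_type != 2 or ds.algorithm != key.algorithm or ds.key_tag != key_tag(key):
        return False
    return hmac.compare_digest(ds.digest, make_ds(key).digest)

# Constructed sample KSK for example.com; the key bytes are placeholders, not a real key.
SAMPLE_KSK = DNSKEY("example.com.", 257, 3, 13, bytes(range(1, 9)))
PARENT_DS = make_ds(SAMPLE_KSK)  # what the .com zone would publish for this delegation
TAMPERED_KSK = DNSKEY("example.com.", 257, 3, 13, bytes(range(2, 10)))  # altered key bytes
```

Running `ds_matches(PARENT_DS, SAMPLE_KSK)` returns True, while the tampered key (or the same key under a different owner name) returns False, which is exactly where a validating resolver would stop trusting the delegation.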