
DNSSEC - The path to a secure domain

Finding the right computer on the Internet, for instance when you are surfing or sending email to a certain web address, is done with the aid of queries in the domain name system (DNS). DNS is a gigantic database that translates domain names to IP addresses, i.e. the unique number series that identify computers connected to the Internet. You can compare it to how a telephone directory “translates” names to phone numbers.

Security lapses with regular DNS

When DNS was created in the 1980s, the main idea behind it was to minimize the need for administration and central management of the network, and to make it easy to connect new computers to the Internet. Not much emphasis was put on security. These security gaps have opened the door to various types of abuse and attacks in which the answers to DNS queries can be falsified. Internet users can therefore be misled, for example to trick them into providing sensitive information such as passwords and credit card numbers.

DNSSEC protects your domain names

Even though efforts are made to eliminate security holes as far as possible in the software used for DNS queries, the fundamental problem lies in how DNS itself works. This weakness is the reason a security extension to DNS has been developed. It is called DNSSEC (short for DNS Security Extensions). DNSSEC secures the domain name system against abuse by cryptographically signing the answers to DNS queries. This makes it possible to verify that the answers really come from the right source and have not been changed in transit.


.SE an early adopter - other TLDs are following

When .SE launched a complete DNSSEC service in February 2007, it was a global first. Since then the snowball has started rolling and an increasing number of top-level domains are now implementing the technology. Since the summer of 2010, DNSSEC has also been implemented in the Internet's so-called root zone, the most fundamental part of the domain name system. As more domains are secured, the Internet as a whole becomes more secure and reliable.

How does DNSSEC signing of a zone work?

When following DNSSEC Operational Practices, two key types are defined: "Key Signing Key" (KSK) and "Zone Signing Key" (ZSK). A zone should be signed with both a KSK and a ZSK.

Put simply, the differences between KSK and ZSK are as follows:

  • KSKs only sign the public key records for a zone, and create a link between the child (name server) and parent (top-level domain).
  • ZSKs sign all the record sets in a zone at the name server.

In both cases new keys must be generated and replaced continuously. However, replacing a KSK also requires the new key to be exchanged and updated at the parent zone (top-level domain), while ZSK replacement is managed only on the child name server. The replacement frequencies for KSKs and ZSKs therefore differ, and ZSKs usually have a shorter validity period (such as 1 month).

Generation and replacement of KSKs and ZSKs can be managed either manually or automatically, depending on what the DNS platform in use supports. If DNSSEC is activated for a domain and key generation and replacement are not managed properly, it will cause interruptions and affect availability, so this has to be considered when selecting a DNS platform.
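The parent link described above, as an added example (not Excedo's code): the parent zone publishes a DS record, a hash of the child's key, and a KSK replaced without updating that record breaks the chain, while a ZSK replacement does not touch it. The keys and the name example.se are constructed, and signature (RRSIG) verification is left out.

```python
import hashlib
import struct

def make_dnskey(flags: int, pubkey: bytes, algorithm: int = 13) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def role(rdata: bytes) -> str:
    """Flags 257 (SEP bit set) conventionally mark a KSK, 256 a ZSK."""
    return "KSK" if struct.unpack("!H", rdata[:2])[0] & 0x0001 else "ZSK"

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire format of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS as the parent lists it: (key tag, algorithm, SHA-256 digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest)

def check_delegation(owner: str, parent_ds: list, child_keys: list) -> dict:
    """Compare the parent's DS set with the DNSKEYs the child zone serves."""
    served = {make_ds(owner, k) for k in child_keys}
    ksks = [k for k in child_keys if role(k) == "KSK"]
    return {
        "chain_ok": any(ds in served for ds in parent_ds),  # one match is enough
        "stale_ds": [ds[0] for ds in parent_ds if ds not in served],
        "unanchored_ksk": [key_tag(k) for k in ksks if make_ds(owner, k) not in parent_ds],
    }

# Constructed sample keys (not real key material), sized like algorithm 13 keys.
OLD_KSK = make_dnskey(257, bytes(range(0, 64)))
NEW_KSK = make_dnskey(257, bytes(range(64, 128)))
ZSK = make_dnskey(256, bytes(range(128, 192)))
PARENT_DS = [make_ds("example.se", OLD_KSK)]  # parent lists only the old KSK

before = check_delegation("example.se", PARENT_DS, [OLD_KSK, ZSK])
after = check_delegation("example.se", PARENT_DS, [NEW_KSK, ZSK])  # KSK rolled, DS not updated
zsk_roll = check_delegation("example.se", PARENT_DS, [OLD_KSK, make_dnskey(256, bytes(64))])

if __name__ == "__main__":
    for label, result in (("before", before), ("KSK rolled", after), ("ZSK rolled", zsk_roll)):
        print(label, result)
```

A `chain_ok` of `False` is the outage case the text warns about: validating resolvers can no longer link the zone's keys to the parent.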

DNSSEC for your domain - with Excedo DNS

Excedo DNS powered by DYNECT offers DNSSEC as standard within our service offering at no extra cost. It is the only way to secure your domain from attacks where answers to DNS queries are falsified.

The Excedo DNS platform includes automated generation of ZSKs and KSKs, and automated replacement of ZSKs. This means that no manual management is required, and risks related to improper manual management are eliminated.

Excedo also offers the possibility to manage replacement of KSK through our Excedo Domain Management Service. Adding this service would mean that NO management by our customers is required when it comes to DNSSEC administration.

Are you interested in securing your own web and email address? If you are unsure whether your domain has DNSSEC activated and whether it is working properly, you can easily check it by testing it in our tool, Excedo DNS - DNS Check, or contact Excedo DNS.
