Domain Name System Security Extensions

What is Domain Name System Security Extensions?

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

The need to design a backward-compatible standard that can scale to the size of the Internet.

Prevention of "zone enumeration" (see below) where desired.

Deployment of DNSSEC implementations across a wide variety of DNS servers and resolvers (clients).

Disagreement among implementers over who should own the top-level domain root keys.

Overcoming the perceived complexity of DNSSEC and DNSSEC deployment.


Operation:

DNSSEC works by digitally signing records for DNS lookup using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone which is the trusted third party. Domain owners generate their own keys, and upload them using their DNS control panel at their domain-name registrar, which in turn pushes the keys via secDNS to the zone operator (e.g., Verisign for .com) who signs and publishes them in DNS