DNSSEC has been designed to protect Internet resolvers (users) from forged DNS data.
All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS
resolver is able to check if the information is identical (correct and complete) to the
information on the authoritative DNS server. While protecting IP addresses is the
immediate concern for many users, DNSSEC can protect other information such as
general-purpose cryptographic certificates, including those for email, making it
possible to use DNSSEC as a worldwide public key infrastructure for email.
DNSSEC does not protect the security of data in that all DNSSEC responses are
authenticated but not encrypted. DNSSEC does not protect against Denial of Service
attacks directly, though it indirectly provides some benefit; However, the demands
DNSSEC places on Internet infrastructure could make DNSSEC a tool for DoS attacks.
DNSSEC cannot protect against false assumptions; it can only authenticate that the
data is truly from or not available from the domain owner. A false validation will
prevent data from being passed to a remote server, thus protecting the
sender's data from being seen by unintended recipients.
How it works
DNSSEC works by digitally signing answers to DNS lookups using public-key cryptography.
To do this, several new DNS record types were created, including the RRSIG, DNSKEY, DS,
and NSEC records. These are all supported by the Security-DNS zone signing
service. When DNSSEC is used, each answer to a DNS lookup will contain an RRSIG DNS
record, in addition to the record types requested. The RRSIG record is a
digital signature of the answer DNS resource record set. The digital signature can be
verified by locating the correct public key found in a DNSKEY record.
From the results, a security-aware DNS resolver can then determine if the answer it
received was correct (the term given is "secure"), whether the authoritative name
server for the domain being queried doesn't support DNSSEC (false or "insecure"), or
if there is some sort of error. The correct DNSKEY record is found via an Authentication
Chain, starting with a known good public key for a Trust Anchor. This public key can then
be used to verify a Delegation Signer (DS) record. A DS record in a parent domain (DNS zone)
can then be used to verify a DNSKEY record in a subdomain, which can then contain other DS
records to verify further subdomains.
Is a free service provided by CommunityDNS (http://www.CDNS.net) to promote the use of
DNSSEC on the Internet by those entities that could benefit from DNS validation.
Technically DNSSEC is quite demanding and the Security-DNS Zone Signing tool is designed
to make the creation and acceptance of DNSSEC zones much easier.
The look-up search bar on the www.Security-DNS.net homepage provides the public with a
methodology of visually checking the existence of DNSSEC zone data.