The domain owner and the client looking up DNS information about the domain can benefit from the cryptographic guarantees that DNSSEC delivers. Domain owners can be assured that their DNS data is not being manipulated through any means. Domain owners’ customers can be certain that they are receiving the correct DNS data for the domain they are looking up.
Why is DNSSEC required?
The DNS Internet protocol was originally designed with virtually no security in its specifications. This protocol was fit for purpose during the earlier days of the Internet in the 1980s and early 1990s. As time progressed, DNS began to experience several distinct classes of vulnerabilities and threats, which may be exploited in an insidious manner. The threats include, but are not limited to, packet interception, query identity prediction, cache poisoning and betrayal by a trusted server.
What is DNSSEC?
DNSSEC provides data origin authentication and data integrity verification to the DNS through the use of public key cryptographic signatures. Public key cryptography uses asymmetric key algorithms built on mathematically related key pairs: a private key that is kept secure and a public key that is published. The authenticity of a DNS message is established by creating a digital signature over the DNS data with the secure private key. A recipient security-aware resolver can in turn verify this signature using the already published public key from the pair.
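The sign-then-verify flow described above, as an added example that is not part of the original FAQ. It uses Ed25519 (one of the algorithms defined for DNSSEC) and a simplified text form of the record set rather than the real DNS wire format; the `RR` type, the function names and the `www.example.` records are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record (constructed type, not DNS wire format).
type RR struct {
	Name, Type, Value string
	TTL               uint32
}

// canonical lowercases owner names and sorts records so signer and validator process identical bytes.
func canonical(rrset []RR) []byte {
	lines := make([]string, 0, len(rrset))
	for _, rr := range rrset {
		lines = append(lines, fmt.Sprintf("%s %d %s %s", strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Value))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the zone operator's side and needs the private key.
func SignRRset(priv ed25519.PrivateKey, rrset []RR) []byte {
	return ed25519.Sign(priv, canonical(rrset))
}

// VerifyRRset is the security-aware resolver's side and needs only the public key.
func VerifyRRset(pub ed25519.PublicKey, rrset []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrset), sig)
}

func Demo() (genuineOK, forgedOK bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	zone := []RR{{"www.example.", "A", "192.0.2.10", 300}, {"www.example.", "A", "192.0.2.11", 300}}
	sig := SignRRset(priv, zone)
	// Same records as a resolver might receive them: different order and letter case.
	genuine := []RR{{"WWW.Example.", "A", "192.0.2.11", 300}, zone[0]}
	// Constructed forgery: one address swapped, original signature reused.
	forged := []RR{{"www.example.", "A", "203.0.113.66", 300}, zone[1]}
	return VerifyRRset(pub, genuine, sig), VerifyRRset(pub, forged, sig)
}

func main() { fmt.Println(Demo()) }
```

In deployed DNSSEC the signature travels in an RRSIG record and the public key is published in a DNSKEY record.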
What is DNS?
The domain name system (DNS) is used at the beginning of almost every instance of network communication. While the operators of the DNS fulfill many different functions, the core function of the DNS is to provide a directory service. When one enters an address or URL such as www.gov.ie in a browser, the DNS lets the computer know where the information is by referring to the relevant IP address. The DNS has a hierarchical structure in which the apex is known as the root domain or dot ("."). The Root Zone holds the delegation pointers to Internet protocol numbers for the top-level domains such as .ie, .uk, .fr, .com and .org. These top-level domains hold the delegation pointers for the second-level domain names such as boi.ie, gov.ie or adidas.com.