What is DNSSEC

The original purpose of DNS Security Extensions (DNSSEC) is to protect Internet clients from counterfeit DNS data by verifying the digital signatures embedded in that data. If the digital signatures in the data match those stored on the master (authoritative) DNS servers, the data is allowed to continue to the client computer that made the request.

DNSSEC uses a system of public keys and digital signatures to verify data. These public keys can also be used by security systems that encrypt data as it is sent over the Internet and decrypt it when it reaches the intended recipient. DNSSEC itself, however, cannot protect the privacy or confidentiality of DNS data, because it includes no encryption algorithms. It only carries the keys required to authenticate DNS data as genuine, or as genuinely not available (authenticated denial of existence).

DNSSEC adds two important features to the DNS:

Data origin authentication

Allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.

Data integrity protection

Allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key.
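The two features above rest on the zone's public key being published in a DNSKEY record and on a resolver being able to check that key before trusting any signature made with it. The following Python (added here as an illustration, not code from the original page) goes one step beyond the text: it computes the RFC 4034 key tag of a DNSKEY and the SHA-256 DS digest that a parent zone publishes for it, and shows that changing a single key byte changes both, which is how a validating resolver detects a substituted key. The DNSKEY material is constructed for the example; `example.com.` and the tiny 4-byte "public key" are placeholders, not a real key.

```python
import base64
import hashlib
import struct


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key (RFC 4034 s2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_name_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey(presentation: str) -> bytes:
    """Parse '<flags> <protocol> <algorithm> <base64 key>' into DNSKEY RDATA bytes."""
    flags, protocol, algorithm, *key = presentation.split()
    return dnskey_rdata(int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key)))


def ds_record(owner: str, presentation: str) -> str:
    """Build the DS record the parent zone would publish for this DNSKEY."""
    rdata = parse_dnskey(presentation)
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {ds_digest_sha256(owner, rdata)}"


# Constructed sample: flags 257 (KSK, SEP bit set), protocol 3, algorithm 8
# (RSA/SHA-256); "AQIDBA==" is base64 of the placeholder key bytes 01 02 03 04.
SAMPLE_DNSKEY = "257 3 8 AQIDBA=="

if __name__ == "__main__":
    print(ds_record("example.com.", SAMPLE_DNSKEY))
    # Flip the last key byte (04 -> 05): key tag and digest both change, so a
    # validating resolver would reject this key against the parent's DS record.
    tampered = parse_dnskey("257 3 8 AQIDBQ==")
    print(key_tag(tampered), ds_digest_sha256("example.com.", tampered))
```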

Pros of Enabling DNSSEC

  • Added protection against MITM (man-in-the-middle) attacks, DNS spoofing, cache poisoning, etc.
  • Increases trust for online activities such as e-commerce.

Cons of Enabling DNSSEC

  • Added complexity both on the client and server side
  • Limited support from ccTLD domain registries.
  • Possible additional costs if you move from free DNS services to a managed DNS provider to reduce complexity. At this time DNSSEC can only be set up through a third-party managed DNS service that can generate the required keys.

DNSSEC can be configured for many domains, depending on whether the registry for the domain's TLD extension supports it.