The Domain Name System Security Extensions, also known as DNS Security Extensions or, more commonly called DNSSEC for ease, is a set of protocols that add a layer of security to the DNS records lookup and exchange processes.
Before diving deeper, one must know the functionality of the DNS.
Domain Name System (DNS) is the largest virtual database on the internet that facilitates a translation of the domain name into its corresponding IP address. This system has become integral in accessing the website on the internet.
On the internet, IP addresses identify Computer systems and digital devices. It's quite difficult for humans to remember the long and complicated IP address (numeric address) as humans easily understand and memorize simple alphanumeric phrases (domain name).
So, if you want to access a specific machine on the internet, you must know its correct IP address. Here, DNS plays an important role. Consider DNS as the "phone book of the internet" containing the information about domain names and the IP addresses associated with them: it tells computers where to send and retrieve data.
In 1983 DNS was created, and after the Internet Engineering Task Force (IETF)'s creation, in 1986, it became one of the original Internet Standards. Security was not a primary consideration during its design. Several security vulnerabilities were discovered soon after its implementation. Before you connect to the website, your browser has to retrieve the website's IP address by using the DNS. There are chances that the attacker could intercept your DNS queries and inject incorrect/invalid DNS information, which in turn would cause your browser to connect to an inaccurate or malicious website. You may provide your information, like your username and password (maybe you are trying to access your bank's website), resulting in secure information and data leaks.
As a result, a security system was created in the form of an extension to add it to the existing DNS protocols. This security system (DNSSEC) was later approved and modified by the Internet Engineering Task Force (IETF).
After several tests and deployments, in 2010, DNSSEC was officially implemented on the root level, on the top-level domain addresses (TLDs) like .org. In late 2010, 2011, this system was implemented on the .com, .net, and .edu top-level domain addresses (TLDs). The implementation continues to even country-specific top-level domain addresses (ccTLDs). Sweden (.SE) enables DNSSEC in their zone, making ".SE" the first country-specific top-level domain address (ccTLD) to deploy DNSSEC.
DNSSEC aims to strengthen users' trust on the internet, protect and prevent them from landing on or redirecting to fraudulent websites and unintended addresses by verifying the digital signature embedded in the DNS data response, and protecting the user from counterfeit DNS data.
When the user enters the domain name in the browser, the resolver verifies the digital signature. If the digital signature matches the data stored in the master DNS servers, then the data is relayed to the client computer to make the request.
DNSSEC uses the public keys and digital signature to verify the data. You have to add the new records in your DNS, along with the existing records. These new record types are:
These records use the public-key cryptography method to "sign" the domain digitally.
The DNSSEC also holds the two main types of keys.
DNSKEY record of the zone consists of Both of these keys.
So here's how the DNSSEC system works.
However, the DNS records lookup and DNSSEC validation process vary depending upon the server types used to make or send the DNS query. Recursive name servers (often operated by the ISPs) use a different way for DNSSEC validation than servers running Microsoft Windows.
The DS record stands for Delegation Signer, and it consists of the unique string of your public key and its related metadata. The DS record consists of four fields.
For example, the DS record looks like this.
example.com. 21599 IN DS 31589 8 2 CDE0D742D6998AA554A92D890F8184C698CFAC8A26FA59875A990C03E576343C
Note: DS records must comply with RFC 4034.
Note: DNSSEC is not only limited to the web and any other service or protocol on the internet, like the DNSSEC with email (SMTP), and instant messaging, etc., can use DNSSEC.
Whether you want the DNSSEC for your domain, it's totally up to you. However, it is preferable to have the DNSSEC because it provides an additional layer of DNS security. It helps to prevent malicious activities, such as cache poisoning/DNS spoofing.
But keep in mind that all TLDs do not support DNSSEC. If the TLD allows it, it's better to activate the DNSSEC for better security measures.