What is DNSSEC?

Domain Name System Security Extensions (DNSSEC) is a method of adding security to DNS to protect against forged or manipulated DNS information.

Standard DNS information is not authenticated: name servers trust any response they receive. Because they trust any response, it is possible for somebody to send incorrect information to a name server. Once the name server has the incorrect information, anyone else who uses that name server will see the incorrect information. An attacker could use this to temporarily disable or redirect a domain.

DNSSEC adds security by letting name servers verify that DNS information is coming from the correct place. When DNSSEC is set up, DNS records are digitally signed. When checking records, name servers look for a signature and verify it against the public key published for the domain. If there is no signature or if the signature doesn’t verify, the name server will not trust or save the incorrect information.

Failure to keep DNSSEC records up to date can cause problems with resolving DNS records. If you use Pair Domains DNSSEC, we keep the records up to date, so this should only be an issue if a domain uses DNSSEC on other name servers.
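
One way to monitor for the stale-record problem described above, as an added example (not Pair's own code): each DNSSEC signature (RRSIG record) carries an inception and an expiration time, and a validating name server rejects it outside that window. The sample records, key tag and signature data below are constructed placeholders in the format printed by `dig +dnssec`.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG records in DNS presentation format.
# Names, key tag and signature data are placeholders, not real values.
SAMPLE_RRSIGS = """\
example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN RRSIG A 13 2 3600 20240615000000 20240516000000 12345 example.com. c2lnLXBsYWNlaG9sZGVy
example.com. 3600 IN RRSIG MX 13 2 3600 20240520000000 20240420000000 12345 example.com. c2lnLXBsYWNlaG9sZGVy
example.com. 3600 IN RRSIG NS 13 2 3600 20240701000000 20240601000000 12345 example.com. c2lnLXBsYWNlaG9sZGVy
example.com. 3600 IN RRSIG TXT 13 2 3600 20240720000000 20240620000000 12345 example.com. c2lnLXBsYWNlaG9sZGVy
"""

def parse_rrsigs(text):
    """Yield (covered_type, key_tag, inception, expiration) for each RRSIG line."""
    def ts(field):
        # RRSIG timestamps are written as YYYYMMDDHHmmSS in UTC (RFC 4034).
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 13 and f[3] == "RRSIG":
            # Field order: the expiration (f[8]) comes before the inception (f[9]).
            yield f[4], int(f[10]), ts(f[9]), ts(f[8])

def check_rrsigs(text, now, warn_before=timedelta(days=7)):
    """Classify each signature's validity window relative to `now`."""
    results = []
    for covered, key_tag, inception, expiration in parse_rrsigs(text):
        if now < inception:
            status = "not-yet-valid"   # signer clock ahead, or record published early
        elif now > expiration:
            status = "expired"         # validating resolvers will reject this answer
        elif expiration - now <= warn_before:
            status = "expiring-soon"   # re-sign before resolution starts failing
        else:
            status = "ok"
        results.append((covered, key_tag, status))
    return results

def unsigned_types(text, expected_types):
    """Record types that should be signed but have no RRSIG in the answer."""
    signed = {covered for covered, _, _, _ in parse_rrsigs(text)}
    return sorted(set(expected_types) - signed)

if __name__ == "__main__":
    now = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed time for a repeatable run
    for row in check_rrsigs(SAMPLE_RRSIGS, now):
        print(*row)
    print("unsigned:", unsigned_types(SAMPLE_RRSIGS, ["A", "AAAA", "MX"]))
```
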

The registry for UK domains, Nominet, accepts no liability in relation to the use or operation of DNSSEC records. They will take reasonable steps to correct any error that is the result of a mistake on Nominet’s part, but they accept no liability for the error.

To learn how to use DNSSEC, please visit our Knowledge Base article Using DNSSEC.