Back to Page 1: What the Heck is DNSSEC?

DNSSEC works by signing domains (including root and top level) and zones using public/private key cryptography, thereby creating a chain of trust. Note that to be backwards compatible with non-DNSSEC enabled servers and clients, queries are completed using standard DNS when DNSSEC is not available. In other words, when DNSSEC is not available throughout the entire chain - from requestor client to resolver/caching nameserver to authoritative nameservers - the system reverts to regular DNS. However, if DNSSEC is available throughout the chain, the client has a level of assurance that the DNS query response is signed and trustworthy starting from the root and chaining all the way down to the domain and subdomains. The following illustration provides a high-level overview of DNSSEC in action:

Image Source © Diana Kelley and Char Sample, 2010-2011


DNSSEC is one way to improve the overall security of DNS. But before you going running off and planning for full implementation of DNSSEC at your organization, note that there are some criticisms and caveats. Because DNSSEC was designed to respond with complete, signed, authoritative information about a domain or sub-domain, it does not work well with traditional split (or split-horizon) DNS architectures. In split DNS architecture, some machine information is available to all requestors while other information, such as servers with highly sensitive data that should be accessible only from the trusted internal network and not from the Internet, is kept private. Since DNSSEC makes previously private information public, it opens zones up to enumeration/walking exposures which allows attackers to use DNSSEC information to determine a definitive list and map of hosts in a zone. To mitigate this issue, the extension DNSSEC Hashed Authenticated Denial of Existence (a.k.a. NSEC3) was introduced in 2008, but is not yet in wide use.

As noted earlier, if DNSSEC is not used and supported throughout the entire chain, the system reverts to standard DNS. So an organization that spends time and money to support DNSSEC on their own clients and servers may still be getting mostly standard DNS responses for sites and hosts outside of their organization. Since DNS trust starts at the top, a positive step forward in the US occurred on July 15, 2010, when the signed root zone became publicly available. But DNSSEC is still a ways from being a no-brainer deployment option. While full deployment would increase the reliability and robustness of the DNS infrastructure – without widespread adoption utility will be limited.

Diana Kelley is a partner at IT research and consultancy firm SecurityCurve and a frequent contributor to

Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.