DNSSEC
Domain Name System Security Extensions –
More trust for your .de domain
DNSSEC protects DNS responses from manipulation. This ensures that people can safely access the right websites and services – from email servers to company apps.
The Domain Name System (DNS) is the foundation of the internet: it translates easy-to-remember domain names such as example.com into the corresponding IP addresses. This enables your computer to find the right website or server.
However, the classic DNS is not protected against manipulation. Attackers can change data in transit without anyone noticing. This is where DNSSEC (Domain Name System Security Extensions) comes in: it ensures that DNS data remains unaltered and authentic.
Why DNSSEC is important
Imagine you are accessing your bank's online banking service. Without protection, criminals could manipulate the DNS response so that your computer receives a fake IP address for your bank's actual domain and you end up on a fake page without noticing. This risk is called cache poisoning. DNSSEC prevents fake addresses from being substituted. You can be sure that the name of your bank's domain actually leads to the real bank.
Important: DNSSEC only guarantees that the data arrives unchanged. It does not check whether the stored data is actually correct or reliable.
How DNSSEC works
Digital signatures
DNSSEC works with digital signatures. Each DNS response is provided with a cryptographic signature. This allows the following to be verified:
- whether the data originates from an authorized source
- whether the data has been altered en route
A key pair is used for this purpose:
- The private key remains secret with the operator.
- The public key is published in the DNS. It can be used to verify signatures.
Chain of Trust
To avoid having to trust each individual zone separately, there is a chain of trust that starts at the root of the DNS and extends through subdomains to individual domains. This means that it is sufficient to trust the top-level key.
Evaluate DNSSEC keys and signatures
A validating resolver is required to evaluate DNSSEC keys and signatures. It can run on the Internet user's system (PC, laptop, etc.) or be provided by the Internet service provider or specialized service providers.
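The link in the chain of trust described above is a DS record in the parent zone that carries a hash of the child zone's public key; a validating resolver accepts the child's DNSKEY only if it reproduces that hash. The following is an added illustration, not code from this page or from DENIC: it implements the DS digest and key-tag computations from RFC 4034 using only the Python standard library, with a constructed placeholder key for a hypothetical example.de zone (signature verification itself, which needs asymmetric cryptography, is not shown).

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical DNS wire format: lowercase labels, length-prefixed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2): 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum that lets a DS refer to one DNSKEY."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest (RFC 4034 section 5.1.4): hash over owner name (wire format) || DNSKEY RDATA.
    Digest type 2 is SHA-256; the parent zone publishes this value, not the key itself."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """What the parent zone (here: .de) publishes once the child's key-signing key is submitted."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}

def dnskey_matches_ds(owner: str, rdata: bytes, ds: dict) -> bool:
    """The chain-of-trust check a validating resolver performs: the DNSKEY fetched from the
    child zone must hash to the DS it already trusts from the signed parent zone."""
    return (key_tag(rdata) == ds["key_tag"]
            and rdata[3] == ds["algorithm"]
            and ds_digest(owner, rdata, ds["digest_type"]) == ds["digest"])

# Constructed sample: a KSK (flags 257 = zone key + SEP bit) using algorithm 13 (ECDSAP256SHA256).
# The key bytes are placeholder material, not a real key.
CHILD_ZONE = "example.de."
CHILD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
PARENT_DS = make_ds(CHILD_ZONE, CHILD_KSK)

if __name__ == "__main__":
    print("DS for", CHILD_ZONE, PARENT_DS["key_tag"], PARENT_DS["digest"].hex())
    print("genuine key accepted:", dnskey_matches_ds(CHILD_ZONE, CHILD_KSK, PARENT_DS))
    # A swapped-in key (one byte changed) is rejected even though the zone name matches.
    forged = CHILD_KSK[:-1] + b"\xff"
    print("forged key accepted:", dnskey_matches_ds(CHILD_ZONE, forged, PARENT_DS))
```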
DNSSEC for .de domains
How you benefit as a domain owner and internet user
For Internet users
- Automatic check: A validating resolver verifies the signatures for you and rejects manipulated DNS responses.
- Well protected: Protection against manipulation in the DNS and assurance that you will reach the domain you entered.
- Source verification: The signature makes it possible to verify that the data was actually sent from an authorized source.
For domain holders
- Ensure trust: With DNSSEC, you can create additional trust for your website and online offerings and strengthen your brand.
- Setup: Contact your provider and request additional protection for your domain through DNSSEC signing.
- Changing providers: A standardised procedure – the operator change – ensures a smooth transition of key management.
Development of DNSSEC
DNSSEC is a standardized protocol extension that the Internet Engineering Task Force (IETF) has been working on for over ten years. The fundamentals were published in 2005 in RFCs 4033, 4034, and 4035.
With the support of DENIC, solutions were developed for so-called zone walking, in which the DNSSEC records added to a zone let anyone list all the domains it contains:
- NSEC3 (RFC 5155), which stores hashed rather than plain names in these records so that zone walking is no longer effective.
- Dynamic NSEC records (RFC 4470/4471), which are technically possible but hardly ever used.