DNSSEC makes the internet more secure by protecting the information that passes through the domain name system from manipulation, assuring users that they truly are visiting, for example, their internet bank and not a facsimile set up to steal passwords and account information.
Finding the right computer on the internet, for instance when you are surfing or sending e-mail to a certain web address, is done with the aid of queries in the domain name system (DNS). DNS is a distributed database that translates domain names to IP addresses, i.e. the unique number series that identify computers connected to the internet. You can compare it to how a telephone directory “translates” names to phone numbers.
When DNS was created in the 1980s, the main thought behind it was minimising the need for central management of the network and making it easy to connect new computers to the internet. There was, however, not much emphasis on security. The lapses in this area have opened the door to various types of abuse and attacks where the answers to DNS queries are manipulated. In this manner internet users can be misled, for example with the aim of tricking them into providing sensitive information such as passwords and credit card numbers.
Extensions secure against attacks
Even though security holes in the software tools used for DNS queries are fixed as quickly as possible, the fundamental problem lies in the design of DNS. That is why security extensions to DNS have been developed, named DNSSEC (short for DNS Security Extensions). With DNSSEC the domain name system is secured from manipulation by cryptographically signing the answers to DNS queries. This makes it possible to verify that the answers really come from the right source and have not been changed in transit.
The Swedish Internet Foundation an early adopter
The Swedish Internet Foundation signed the .se zone with DNSSEC in September 2005, as the first TLD in the world. DNSSEC for domain holders within the .se zone has been available since February 2007. This functionality is also available for the .nu zone.
Since the summer of 2010, DNSSEC has also been implemented in the internet’s root zone, the apex of the domain name system. As more domains are secured, the internet as a whole is getting more secure and reliable. This process was accelerated greatly when ICANN, in 2013, started the process of approving new Top Level Domains with the attached requirement that they be secured with DNSSEC.
DNSSEC for your domain
Today, DNSSEC is an addition offered by many registrars (i.e. resellers of domain names) for both .se and .nu. It is the only way to get a secure domain that cannot be subject to attacks where the answers to DNS queries are at risk of manipulation. If you are interested in securing your own web and e-mail address, please turn to your registrar for more information.
The service consists of The Swedish Internet Foundation giving customers the possibility to publish their DS record (a hash of the customer’s public DNSSEC keys) in the .se zone and .nu zone respectively.
The Swedish Internet Foundation guarantees the accuracy of the keys within this zone in accordance with the DNSSEC Practice Statement for .se and .nu.