Ricardo Pires
.PT Cybersecurity Manager
26-10-2020
What is DNSSEC and why is it so important?
Is the DNS secure?

The original DNS specification was designed in the 1980s, when the Internet was far smaller than it is today, and it incorporated no security considerations. Instead, its design prioritises effectiveness, efficiency and scalability. As a result, the specification has security vulnerabilities that have been exploited maliciously to induce errors in DNS resolution.

To fill these gaps, the DNS has evolved over time, introducing new layers of security, such as DNSSEC.

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is the name given to a set of security extensions to the DNS (Domain Name System) protocol, designed to protect and authenticate DNS traffic. These extensions use asymmetric (public-key) cryptography, in the form of digital signatures, to ensure the authenticity and integrity of the information exchanged between DNS servers and between those servers and the user's applications. The security mechanisms provided by DNSSEC are complementary and transparent to the user, and do not interfere with the normal functioning of the DNS protocol.
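As an added illustration that is not part of the original article, the Python below shows how these extensions appear on the wire: a query sets the DO ("DNSSEC OK") bit to request signatures, and a validating resolver sets the AD ("Authenticated Data") flag in its reply. The domain example.com and both sample responses are constructed, and the RRSIG record carries placeholder bytes rather than a real signature.

```python
import struct

DO_BIT = 0x8000  # "DNSSEC OK" bit in the EDNS0 OPT record's TTL field (RFC 3225)
AD_BIT = 0x0020  # "Authenticated Data" flag in the DNS header (RFC 4035)
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def build_query(name, qid=0x1234, want_dnssec=True):
    """Build an A query; with want_dnssec, append an OPT record with DO set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, int(want_dnssec))
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # OPT: root name, TYPE, CLASS = UDP payload size, TTL carries the flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT, 0)
    return header + question + (opt if want_dnssec else b"")

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def dnssec_status(msg):
    """Return (ad_flag_set, answer_has_rrsig) for a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    has_rrsig = False
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        has_rrsig = has_rrsig or rtype == TYPE_RRSIG
        pos += 10 + rdlen
    return bool(flags & AD_BIT), has_rrsig

def sample_response(signed):
    """Constructed reply for example.com; the RRSIG RDATA is placeholder bytes."""
    flags = 0x8180 | (AD_BIT if signed else 0)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig_rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 4) + b"\x00" * 4
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if signed else 1, 0, 0)
    return header + question + a_rr + (sig_rr if signed else b"")
```

The AD flag is only as trustworthy as the path to the resolver that set it, so a client that needs end-to-end assurance validates the RRSIG signatures itself.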

What is its importance?

DNSSEC extensions aim to improve users' confidence in services provided online, through a more secure domain name resolution system, reducing the risk of data and information manipulation and contributing, in particular, to:

• Eliminate weaknesses in the DNS protocol;
• Prevent man-in-the-middle and cache poisoning attacks;
• Reduce the risk of manipulating information;
• Reinforce the reliability of the system.

As the adoption of DNSSEC grows, the DNS can also become a secure base for other protocols that require data protection. It is in this sense that new DNS-based protocols have been developed to give the user more security, for example DANE (DNS-based Authentication of Named Entities), DKIM (DomainKeys Identified Mail) or DMARC (Domain-based Message Authentication, Reporting & Conformance).

To find out whether your website and email service comply with the latest standards for secure communication between systems, you can verify your domain at www.webcheck.pt.

10 reasons to sign a domain with DNSSEC

• The main open recursive servers perform DNSSEC resolution;
• There are already several DNS service providers with an option to enable DNSSEC;
• There are ISPs that perform DNSSEC validation;
• Tools are available for DNSSEC development;
• It builds security and trust among your customers;
• It protects the end user;
• The community prefers infrastructure built on a secure model;
• Good security practice, with security being a differentiating factor;
• The adoption of DNSSEC allows the implementation of new protocols;
• DNSSEC is the natural evolution of DNS contributing to a safer Internet.

Contact us for questions related to DNS Security extensions (DNSSEC) at: https://www.pt.pt/en/security/dnssec/ 



Please note: the articles on this blog may not convey the opinion of .PT, but of its author.