What is DNSSEC (DNS security extensions)?
Explore our DNS solutions Subscribe for AI updates
Illustration with collage of pictograms of gear, robotic arm, mobile phone

Published: 8 March 2024
Contributors: Tasmiha Khan, Michael Goodwin

What is DNSSEC (DNS security extensions)?

DNSSEC is a feature of the Domain Name System (DNS) that uses cryptographic authentication to verify that the DNS records returned in a DNS query come from an authoritative name server and are not altered en route.

In simple terms, DNSSEC helps ensure that users are directed to the actual website they are searching for, and not a fake one. While it doesn't keep searches private (transport layer security, or TLS, is a security protocol designed to ensure privacy on the internet) it does help prevent malicious entities from inserting manipulated DNS responses into DNS requests.

DNSSEC (short for Domain Name System security extensions) is used to extend DNS protocol and address vulnerabilities in the DNS that leave the system susceptible to various cyberattacks, such as DNS spoofing, DNS cache poisoning, man-in-the-middle attacks, and other unauthorized modifications to DNS data. DNSSEC deployment helps to fortify the DNS against these potential risks, providing a more secure and reliable infrastructure for the internet. When a DNS resolver queries for information, DNS lookup responses are validated through the verification of digital signatures, confirming the authenticity and integrity of the received data.

As cybersecurity threats continue to evolve, the demand for robust security measures, including DNSSEC, is likely to grow. Organizations like the Internet Corporation for Assigned Names and Numbers (ICANN) actively promote its global adoption, reflecting a growing recognition of its crucial role in DNS security. 

Guide to AI and IT Automation

The Enterprise Guide to AI and IT Automation offers an in-depth look at AI-powered IT automation, including why and how to use it, the issues blocking your efforts and how to get started.

Related content

Subscribe to the IBM newsletter

Related DNS record types and terms

To help secure the DNS, DNS security extensions add cryptographic signatures to existing DNS records. These signatures are stored in DNS name servers with other DNS record types, such as A records (which create a direct connection between an IPv4 address and a domain name), AAAA records (which connect domain names to IPv6 addresses), MX records (which direct emails to a domain mail server), and CNAME records (which map aliases to their true, or “canonical,” domain names).

Other related records and terms helpful to understanding how DNSSEC functions include:

DS records (delegation signer records)

DS records are used to establish a secure chain of trust between a parent zone and a child zone. They contain the cryptographic hash of a DNSKEY record.

DNSKEY records

DNSKEY records (also known as DNSSEC keys) store public keys that are associated with a particular DNS zone. These keys are used for verifying digital signatures and ensuring the authenticity and integrity of DNS data within that zone.

RRSIG records (resource record signature records)

RRSIG records contain a cryptographic signature that is associated with a set of DNS resource records.

RRset (resource record set)

This is a collection of all resource records of a specific type associated with a particular name in the DNS. For example, if you have two IP addresses that are associated with "example.com," the A records for these addresses would be bundled together to form an RRset.

NSEC records (next secure records)

This is a record that lists the record types that exist for a domain and is used to indicate the authenticated denial of existence of a specific domain name. It works by returning the “next secure” record. For example, if a recursive resolver queries a name server for a record that doesn’t exist, the name server returns another record—the “next secure record” defined on the server—indicating that the requested record does not exist.

NSEC3 (next secure version 3)

This is an enhancement to NSEC. It improves security by making it more challenging for attackers to predict or guess the names of existing domains in a zone. It works in a similar way to NSEC but uses cryptographically hashed record names to avoid listing out the names in a particular zone.

Zone-signing key (ZSK)

Zone-signing key pairs (a public key and a private key) are authentication keys that are used to sign and verify an RRset. In DNSSEC, each zone has a ZSK pair. The private key is used to create digital signatures for the RRset. These signatures are stored as RRSIG records in the name server. The associated public key, stored in a DNSKEY record, verifies the signatures, confirming the authenticity of the RRset. However, additional measures are needed to validate the public ZSK. For this, a key-signing key is used.

Key-signing key (KSK)

A key-signing key is another public/private key pair and is used to verify that the public zone signing key is not compromised. 

How DNSSEC Works

DNS security extensions provide a cryptographically-secured framework that is designed to enhance the security and trustworthiness of the DNS. At its core, DNSSEC employs a system of public and private key pairs. To enable DNSSEC validation, a zone administrator generates digital signatures (stored as RRSIG records) using the private zone-signing key, and a corresponding public key that is distributed as a DNSKEY record. A key-signing key is used to sign and authenticate the ZSK, providing an additional layer of security.

DNS resolvers, when queried, retrieve the requested RRset and the associated RRSIG record, which contains the private zone-signing key. The resolver then requests the DNSKEY record that holds the public ZSK key. These three assets together validate the response the resolver receives. However, the authenticity of the public ZSK still needs to be verified. This is where the key-signing keys come in.

The key-signing key is used to sign the public ZSK and create an RRSIG for the DNSKEY. The name server publishes a public KSK in a DNSKEY record, as it did for the public ZSK. This creates an RRset containing both DNSKEY records. These are signed by the private KSK, and validated by the public KSK. This authentication validates the public ZSK—the purpose of the KSK—and verifies the authenticity of the requested RRset.

DNS chain of trust

DNSSEC operates on the principle of establishing a "chain of trust" throughout the DNS hierarchy, and the signing of DNS data at each level to create a verifiable path that ensures the integrity and authenticity of the data. Each link in the chain is secured with digital signatures, creating a trust anchor that starts at the root zone servers and extends down through the top-level domain (TLD) servers to the authoritative DNS servers for individual domains.

Delegation signer (DS) records are used to enable the transfer of trust from a parent to a child zone. When a resolver is referred to a child zone, the parent zone provides a DS record that contains a hash of the parent zone DNSKEY record. This is compared against the hashed public KSK from the child zone. A match indicates the authenticity of the public KSK and lets the resolver know that the records in the subdomain (child zone) can be trusted. This process works from zone to zone, establishing a chain of trust.

DNSSEC vs. DNS security

DNSSEC and DNS security are related concepts within the realm of internet security, each with a distinct focus and scope. DNSSEC specifically refers to a set of DNS extensions designed to fortify the security of the Domain Name System. Its primary objective is to ensure the integrity and authenticity of DNS records through private and public key cryptography.

DNS security is a broader term that encompasses a comprehensive approach to securing the entire DNS environment. While DNSSEC is a crucial component of DNS security, the scope of DNS security extends beyond the specific protocols of DNSSEC. DNS security addresses a wide range of threats including distributed denial of service or (DDoS) attacks and domain theft, providing a holistic strategy to protect against malicious activities that might compromise the DNS infrastructure.

Related solutions
IBM NS1 Connect Managed DNS

IBM NS1 Connect Managed DNS service delivers resilient, fast, authoritative DNS connections to prevent network outages and keep your business online, all the time.

Explore IBM NS1 Connect Managed DNS Request a live demo

IBM Cloud DNS services

IBM Cloud® DNS services offer public and private authoritative DNS services with fast response time, unparalleled redundancy and advanced security—managed through the IBM Cloud web interface or by API.

Explore IBM Cloud DNS services
IBM DNS network resilience and uptime

Improve application resilience and uptime with a global network and advanced DNS traffic steering capabilities.

Explore IBM DNS network resilience and uptime

Resources What is the Domain Name System (DNS)?

The DNS makes it possible for users to connect to websites using URLs rather than numerical Internet protocol addresses.

What is a DNS server?

DNS servers translate the website domain names users search in web browsers into corresponding numerical IP addresses. This process is known as DNS resolution.

What are DNS records?

A Domain Name System (DNS) record is a set of instructions used to connect domain names with internet protocol (IP) addresses within DNS servers.

What is networking?

Learn about how computer networks work, the architecture used to design networks and how to keep them secure.

What is network security?

Network security is the field of cybersecurity focused on protecting computer networks and systems from internal and external cyberthreats and cyberattacks.

What is database security?

Database security refers to the range of tools, controls and measures designed to establish and preserve database confidentiality, integrity and availability.

Take the next step

IBM NS1 Connect provides fast, secure connections to users anywhere in the world with premium DNS and advanced, customizable traffic steering. NS1 Connect’s always-on, API-first architecture enables your IT teams to more efficiently monitor networks, deploy changes and conduct routine maintenance.

Explore NS1 Connect Book a live demo