Is DNSSEC useful or more trouble than it’s worth?
DNSSEC first appeared in 1997 as a critical enhancement to the DNS protocol, with the goal of securing the DNS system. Despite its potential to protect against various threats, DNSSEC has struggled to gain significant traction over the years, with only around 3% of .com domains having it enabled.
In this post we’ll explore the pros and cons of DNSSEC, weighing its benefits for internet security against the challenges of its implementation. Is DNSSEC really useful, or is it more trouble than it’s worth?
The Problem with Standard DNS
The Domain Name System (DNS) functions much like the internet’s phone book, translating human-readable names into the IP addresses your computer uses to find a website on the internet. Unfortunately the original DNS protocol was designed without much thought for security, making it vulnerable to multiple attacks. One of the most significant is DNS spoofing, also known as DNS cache poisoning.
What is DNS Spoofing?
DNS spoofing is a malicious technique used to divert traffic away from legitimate servers to another target. The consequences can be severe, with visitors to unsuspecting websites redirected into phishing attacks, man-in-the-middle attacks or general service disruption.
How DNSSEC helps
DNSSEC is designed to address these issues by adding a layer of security to DNS. Here’s how it helps:
- Digital Signatures: DNSSEC uses cryptographic signatures to ensure that DNS responses come from an authoritative source and have not been modified in transit. Each DNS record is signed with a private key, and the corresponding public key is used to verify the signature.
- Chain of Trust: DNSSEC establishes a chain of trust from the root DNS servers all the way down to the individual domain name. Each level in the DNS hierarchy vouches for the next, making it difficult for malicious users to insert false information.
- Data Integrity: By validating the digital signatures, DNS resolvers can be sure the DNS information has not been modified. If the data doesn’t have a valid signature, it is discarded.
The Problems with DNSSEC
DNSSEC can be complex, and there are things to consider before enabling it on your domain, including whether the benefits outweigh the potential issues that can come with it.
- Complexity: DNSSEC can be complex to set up and manage compared to a typical DNS setup, requiring keys to be generated and added to the domain name registry. If these are not set up correctly, or are ever changed, the domain will fail to resolve, taking the website offline.
- Performance Overhead: DNSSEC also adds additional data to DNS responses due to the signatures and keys. Along with the extra steps to verify the signatures by DNS resolvers this can add latency and slow down DNS resolution times.
- Legacy Systems: Not all DNS resolvers and clients support DNSSEC so there may be issues with older or non-compliant systems.
- Delays: Transferring a domain name with DNSSEC enabled can be complex and runs the risk of your website failing to resolve. We actually recommend DNSSEC is disabled before transferring to minimise the chance of any downtime during the process.
- Reliant on a Chain: Even if you have DNSSEC set up correctly, you are reliant on the domain registry doing its part too. Sometimes this doesn’t go to plan, as users of the .nz domain found out during a multi-day outage in 2023.
Is it worth it?
DNSSEC remains a valuable tool for enhancing the security of DNS infrastructure. However, it’s worth weighing the benefits against the potential challenges and costs. In our opinion, unless you’re a large corporation, enabling DNSSEC is more likely to cause problems and downtime than to save you from an attack.
Author: Daniel Knights
Daniel is the purely.website Product Manager, with a career spanning over two decades at the forefront of the web hosting industry, during which he has represented a variety of leading web hosting companies. Daniel has the core responsibility of delivering the most superior customer experience for purely.website members. His knowledge of industry standards comes from extensive experience that includes advising companies on infrastructure strategy and architecting and delivering advanced hosting and domain name management services that are easy to use through innovative tools and UX initiatives.