DNSSEC is an addition to the widely used DNS protocol, which computers all over the world use to resolve host names into IP addresses in order to locate other computers across local networks and the internet. DNSSEC is an extra layer of security that protects against DNS cache poisoning and man-in-the-middle attacks on DNS responses.
Such attacks give an attacker an easy way to redirect victims from their intended website to one of the attacker's choosing, and because the redirection happens at the IP address level, there is no way to tell from the browser that the session has been redirected (aside from SSL connections, which require a signed certificate).
DNSSEC works by signing the DNS records on the authoritative nameserver and publishing the public part of the signing key in a special record in the zone. Clients can then query this key and use it to verify that the response they received actually came from a nameserver with authority to answer for that zone.
A number of DNS servers on the internet have already implemented DNSSEC, but as of May 5th, all 13 root servers will have zone signing enabled. Root DNS servers sit at the top of the hierarchy and are used to resolve top-level domains such as .com and .net. This is an important step forward, as it ensures that the trust placed in the nameserver answering your request can be verified right up to the root of the DNS system, allowing users to be confident that the response they received is not malicious.
A number of websites have reported today that, due to changes made to support DNSSEC, older clients will be unable to process the extended responses, effectively rendering DNS unusable and "Breaking the Internet". The concern is the size of the responses needed to carry the additional information, which may have to be sent over TCP rather than UDP, as the original protocol prefers. This is in fact not the case: old clients will have no issues once the upgrade is complete.
The DNSSEC protocol is an addition to the existing DNS protocol, not a replacement. In order for clients to receive the signed responses, along with the information required to verify the reply, clients must explicitly set a "DO" (DNSSEC OK) flag in the query they send to the resolver. If this flag is not set, the resolver will return a response in the standard, pre-DNSSEC format.
Old clients, which are unable to handle the DNSSEC extensions, will not set this flag in outgoing requests and thus will have no issues reading the replies they receive. Equally, if a client that does support DNSSEC queries a server which does not, the response will be returned in the standard format, and no record will be found at the parent nameserver indicating that a signed response should have been expected.
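To make the "DO flag" mechanism concrete, here is an added example (not code from the original post, and not any resolver's implementation) that builds a wire-format DNS query for an A record with and without the EDNS0 OPT pseudo-record that carries the DO bit, and a small inspector of the kind a resolver would use to decide whether it may include DNSSEC data in its reply and how large a UDP reply it may send. The query name and transaction ID are constructed sample values; the 4096-byte payload size is an assumed, commonly used EDNS0 advertisement. Without an OPT record the query is a plain pre-DNSSEC query and the reply is limited to the classic 512-byte UDP size, which is exactly why an old client never receives the larger signed responses.

```python
import struct

# Wire-format constants (RFC 1035 / RFC 2671 / RFC 3225)
TYPE_A = 1
TYPE_OPT = 41          # EDNS0 OPT pseudo-record type
CLASS_IN = 1
DO_FLAG = 0x8000       # "DNSSEC OK" bit in the OPT record's flags field
CLASSIC_UDP_MAX = 512  # largest UDP reply a non-EDNS client can accept


def encode_name(name):
    """Encode a dotted host name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txn_id=0x1234, dnssec_ok=False, udp_payload=4096):
    """Build an A-record query. With dnssec_ok=True an EDNS0 OPT record
    with the DO bit set is appended in the additional section."""
    flags = 0x0100  # RD: recursion desired, as a stub resolver would send
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    pkt = header + question
    if dnssec_ok:
        # OPT RR: root name (single 0 byte), type 41, CLASS field reused as
        # the advertised UDP payload size, TTL field reused as
        # ext-rcode(8) | version(8) | flags(16) with DO set, empty RDATA.
        ttl_field = DO_FLAG
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl_field, 0)
    return pkt


def skip_name(buf, off):
    """Return the offset just past a wire-format name starting at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def inspect_query(pkt):
    """What a resolver learns from an incoming query: is EDNS0 present,
    is the DO bit set, and how big may the UDP reply be?"""
    _txn, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_name(pkt, off)
        _, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
    result = {"edns": False, "dnssec_ok": False, "udp_payload": CLASSIC_UDP_MAX}
    for _ in range(ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl_field, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            result["edns"] = True
            result["udp_payload"] = rclass
            result["dnssec_ok"] = bool(ttl_field & DO_FLAG)
    return result


def reply_policy(pkt):
    """Summarise how a DNSSEC-capable resolver would answer this query."""
    info = inspect_query(pkt)
    return {
        "include_signatures": info["dnssec_ok"],
        "max_udp_reply": info["udp_payload"],
    }


if __name__ == "__main__":
    # Constructed sample: the same name asked by an old client and a DNSSEC-aware one.
    legacy = build_query("example.com")
    modern = build_query("example.com", dnssec_ok=True)
    print("legacy client :", reply_policy(legacy))
    print("modern client :", reply_policy(modern))
```

The two queries differ only by the 11-byte OPT record at the end; a resolver that sees no OPT record answers in the pre-DNSSEC format and keeps the reply under 512 bytes, so the "Breaking the Internet" scenario described above simply does not arise for such a client.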