What is Domain Name System Security Extensions (DNSSEC)?

The purpose of DNSSEC

  • Prevent Spoofing

Spoofing, or DNS cache poisoning, is an attack that corrupts the cached answers held by DNS servers with recursion enabled, either through software exploits or through weaknesses in the protocol itself. Software exploits can be patched with software updates, but protocol weaknesses can only be addressed with protocol fixes or extensions. DNSSEC is the “fix” for the traditional DNS protocol.

  • DNSSEC Compatibility

A validating resolver classifies every answer it receives as one of three states:

  1. Secure: the answer passed every validation. DNSSEC was fully deployed for this domain and every step was configured correctly.
  2. Insecure: the zone has yet to deploy DNSSEC, and the validating resolver fell back to the traditional “insecure” way of resolving this domain name.
  3. Bogus: the zone has deployed DNSSEC, but one of the checks failed, indicating a possible spoofing attempt.

  • Fully Validated DNS

DNSSEC aims to provide a globally distributed database that can be fully validated. It accomplishes this by using public key cryptography to authenticate each message, ensuring that it originated from the right source and that its content remains unaltered. All of the cryptographic information is stored in DNS itself, published as additional DNS records. A DNSSEC-enabled resolver (known as a validating resolver) can walk up the DNS hierarchy, from example.com to .com to the root, validating every layer.


DNSSEC adds two security properties to DNS:

  1. Data origin authentication: Allows a resolver to cryptographically verify data came from the zone requested.

  2. Data integrity protection: Allows a resolver to know that the data hasn't been modified in transit and was originally signed by the zone owner's private key.


Two different uses for DNSKEY records:

  1. Key signing keys (KSK): used to sign other DNSKEY records.

  2. Zone signing keys (ZSK): used to sign other records.
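The pieces above (the three validation outcomes, the walk up the chain of trust, and the KSK/ZSK split) fit together as follows. This is an added Go example, not code from the original article: it models a signed zone and a validating resolver using Ed25519 keys from the Go standard library. The names SignZone and Validate are my own, the DS digest is simplified to a plain SHA-256 of the KSK rather than the real DS record format, and the sample A record is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)
// The three outcomes a validating resolver can reach, as listed above.
const Secure, Insecure, Bogus = "secure", "insecure", "bogus"
// Zone is a toy signed zone with one KSK, one ZSK and a single A record. Wire
// format, owner names, TTLs and signature validity windows are left out.
type Zone struct {
	KSK, ZSK  ed25519.PublicKey
	DNSKEYSig []byte // RRSIG over the DNSKEY RRset, made with the KSK
	ARecord   []byte // zone data, e.g. "example.com. A 192.0.2.1"
	ASig      []byte // RRSIG over the A record, made with the ZSK
}
func dnskeyRRset(ksk, zsk ed25519.PublicKey) []byte {
	return append(append([]byte{}, ksk...), zsk...)
}

// SignZone does what a zone signer does. It returns the DS digest (simplified
// here to SHA-256 of the KSK) that the parent zone would publish for this child.
func SignZone(record []byte) (Zone, [32]byte) {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader) // Ed25519 is DNSSEC algorithm 15
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	z := Zone{KSK: kskPub, ZSK: zskPub, ARecord: record}
	z.DNSKEYSig = ed25519.Sign(kskPriv, dnskeyRRset(kskPub, zskPub))
	z.ASig = ed25519.Sign(zskPriv, record)
	return z, sha256.Sum256(kskPub)
}

// Validate walks the chain parent DS -> KSK -> DNSKEY RRset -> ZSK -> A record.
// A nil DS means the parent vouches for nothing, so the answer is only insecure.
func Validate(z Zone, parentDS *[32]byte) string {
	if parentDS == nil {
		return Insecure
	}
	if h := sha256.Sum256(z.KSK); !bytes.Equal(h[:], parentDS[:]) {
		return Bogus // this KSK is not the one the parent's DS record vouches for
	}
	if !ed25519.Verify(z.KSK, dnskeyRRset(z.KSK, z.ZSK), z.DNSKEYSig) {
		return Bogus // DNSKEY RRset altered, or signed by some other key
	}
	if !ed25519.Verify(z.ZSK, z.ARecord, z.ASig) {
		return Bogus // data origin or integrity check on the record failed
	}
	return Secure
}
```

Replacing the A record after signing, or presenting a zone whose KSK the parent never vouched for, both end in the bogus state; a zone with no DS at the parent is merely insecure.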


The main protections DNSSEC provides

  • DNS Cache Poisoning

A form of man-in-the-middle attack in which attackers flood a DNS resolver with false DNS information. By the law of large numbers, such an attack can sometimes produce a matching answer and plant a false result in the resolver's cache. The resolver then hands this erroneous or malicious address to anyone asking for that website until the time-to-live (TTL) expires.

  • False zones

DNSSEC also protects against attacks that exploit the DNS system by returning phony results for zones that don't even exist, essentially exploiting gaps between zones. DNSSEC secures the entire zone and provides mechanisms to prevent this kind of gap exploitation. This is known as authenticated denial of existence.


Why Doesn't Everyone Use DNSSEC?

  • Backwards compatibility

Designing a backward-compatible standard that can scale to the size of the Internet is extremely difficult.

  • Zone enumeration prevention

An important part of DNSSEC is the ability to authoritatively assert that a given name does not exist. Doing so without the proof records also letting anyone list every name in the zone has been hard, and many operators want that enumeration prevented.

  • Deployment difficulties

Deploying DNSSEC across a wide variety of DNS servers and resolvers takes time.

  • Ownership disagreements

There have been disagreements over who should own the top-level domain root keys.

  • Perceived complexity

It has been hard to overcome the perceived complexity of DNSSEC and DNSSEC deployment.
