How does DNSSEC protect Internet users?
DNSSEC (Domain Name System Security Extensions) adds digital signatures to DNS data so that a resolver can detect forged answers, such as a malicious address substituted for the legitimate address that was requested. It authenticates the origin and integrity of DNS data; it does not encrypt queries or hide which names you look up. Here's the difference between DNSSEC-aware and non-aware lookups.
Non-DNSSEC-Aware Lookups
With these lookups, your resolver sends a DNS query for the hostname out to the Internet and accepts the first reply that matches the query's transaction ID and source port. It has no way to verify who actually sent that reply. If an attacker who can observe or guess those values sends back a forged response before the legitimate one arrives, you are taken to an address of the attacker's choosing, where passwords and other personal information can be captured.
Now imagine that the forged address is stored by a shared recursive resolver, an ISP's for example, and then served to thousands of individual requests. This is cache poisoning: without DNSSEC, a resolver that accepts a forged answer caches it, and everyone using that resolver gets the malicious address until the record's TTL expires and it is looked up again.
DNSSEC-Aware Lookups
A validating resolver does not take an answer at face value. The domain's DNS data is signed with the zone's private key; the matching public key is published in the zone as a DNSKEY record, and the parent zone (the .com registry, for example) publishes a DS record, a hash of that key, which is in turn signed by the parent's own key. The chain continues up to the root zone's key, which the resolver holds as a built-in trust anchor. Every answer must carry an RRSIG signature that verifies under a key anchored by this chain. If the signature is missing or does not verify, the resolver discards the answer and returns an error (SERVFAIL) rather than the forged address, so you cannot be redirected to a location you did not request. Two caveats: the domain must actually be signed (an unsigned domain is treated as insecure rather than bogus and gets no protection), and validation normally happens at the recursive resolver, so the path between your device and that resolver still has to be trusted unless your device validates for itself.
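To make the DS-to-DNSKEY link in that chain concrete, here is an added example (not code from the original page or from any registrar) that does what a validating resolver does at each delegation: it recomputes the parent's DS digest from the DNSKEY the child zone serves and accepts the key only if the digest matches. The encodings follow RFC 4034 (DNSKEY RDATA, the key tag in Appendix B, the DS digest in section 5.1.4, SHA-256 digest type from RFC 4509). The zone name `example.`, the key bytes and the forged key are constructed placeholders, not real keys; the forged key is chosen so that its key tag collides with the real one, which shows that the tag is only a prefilter and the digest is what rejects it.

```python
"""
Added example: the DS -> DNSKEY link of the DNSSEC chain of trust,
using only the Python standard library. Key material is constructed
placeholder data, not a real public key.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

SHA256_DIGEST_TYPE = 2  # DS digest type 2 = SHA-256 (RFC 4509)


@dataclass(frozen=True)
class DNSKEY:
    flags: int       # 257 = ZONE + SEP, i.e. a key-signing key
    protocol: int    # always 3 for DNSSEC
    algorithm: int   # 13 = ECDSAP256SHA256
    key: bytes       # public key bytes (placeholder here)

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (not a hash)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY) -> DS:
    """What the zone operator hands to the parent (via the registrar) for publication."""
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, SHA256_DIGEST_TYPE, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """Validator side: recompute the digest and compare; tag and algorithm only prefilter."""
    if ds.digest_type != SHA256_DIGEST_TYPE or ds.algorithm != key.algorithm:
        return False
    if ds.key_tag != key_tag(key):
        return False
    expected = hashlib.sha256(owner_wire(owner) + key.rdata()).digest()
    return hmac.compare_digest(expected, ds.digest)


def trusted_keys(owner: str, parent_ds: list, served_keys: list) -> list:
    """Keys in the child's DNSKEY RRset that are anchored by some DS in the parent zone."""
    return [k for k in served_keys if any(ds_matches(owner, ds, k) for ds in parent_ds)]


def ds_presentation(owner: str, ds: DS) -> str:
    """Zone-file form of a DS record, as a registrar would show it."""
    return f"{owner} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.hex().upper()}"


# Constructed data: the legitimate KSK for "example." and an attacker-substituted key
# whose RDATA bytes are permuted so that its key tag collides with the real one.
LEGIT_KSK = DNSKEY(257, 3, 13, bytes.fromhex("0102030405060708"))
FORGED_KSK = DNSKEY(257, 3, 13, bytes.fromhex("0302010405060708"))
PARENT_DS = [make_ds("example.", LEGIT_KSK)]  # what the parent zone publishes

if __name__ == "__main__":
    print(ds_presentation("example.", PARENT_DS[0]))
    for k in (LEGIT_KSK, FORGED_KSK):
        verdict = "trusted" if trusted_keys("example.", PARENT_DS, [k]) else "bogus"
        print(f"DNSKEY with key tag {key_tag(k)}: {verdict}")
```

The resolver repeats this check at every delegation from the root down, then uses a trusted DNSKEY to verify the RRSIG on the final answer (signature verification itself needs an ECDSA or RSA library and is left out here). Note that the owner name is lowercased before hashing: `EXAMPLE.` and `example.` must produce the same DS, which is why canonical form matters.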