What Is Technology : DNSSEC
DNSSEC, or DNS Security Extensions, is a set of new features being added to the domain name system (DNS), the part of the internet which translates familiar web addresses such as www.jasonslater.co.uk into the numeric addresses that computers and network routing equipment understand. Using domain names instead of numbers in the form “nnn.nnn.nnn.nnn” makes the internet a simpler and more accessible place, which is one of the reasons it has become so popular.
When you launch your web browser and type in a web address, your computer sends a query to a local DNS server, which in turn asks other DNS servers and returns what it believes to be the matching internet address in numeric form. We say “what it believes” because there are a great many internet addresses in use, which requires a vast number of domain name servers: from the top-level servers (which manage the last part of the web address, such as .com and .org) down to domain-level servers and the local DNS servers that private businesses may run. All of these servers need to work together to keep up with the constantly changing mapping of domain names to numbered addresses. Distributing the system in this way makes managing it a little simpler, but keeping it synchronised becomes much more complicated, and this is where problems may creep in.
It is possible to intercept some DNS requests and modify the replies, and it is also possible for a computer to simply pretend to be a valid DNS server while handing out false information. This means you could type a domain name into your web browser and end up on a completely different website.
The purpose of DNSSEC is to make this particular part of the internet, the request for and transmission of the numbers behind an address, a little more secure by adding new fields to the messages involved in DNS communications; these messages are digitally signed for an added level of security. Fortunately, a hardware appliance is available to handle the automatic signing of DNS messages, which should make integrating the system into an existing infrastructure somewhat easier.
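To show what the "digital signing" rests on in practice, here is an added Python example (not from the original post) of the check a validating resolver performs when it links a child zone's signing key (DNSKEY) to the DS record its parent publishes: the key tag and SHA-256 digest are recomputed from the child's key and compared with the parent's DS. The owner name example.com and the 64 zero bytes of key material are constructed placeholders, and verifying the actual signatures (RRSIG records) is left to a crypto library.

```python
# Added example: DS <-> DNSKEY chain-of-trust check as described in RFC 4034.
# The key material below is a constructed placeholder, not a real zone key.
import hashlib
import hmac
import struct

# IANA DNSSEC registry values used below
ALG_ECDSAP256SHA256 = 13
DIGEST_SHA256 = 2

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, then the key material."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: the 16-bit checksum a DS record uses to select a DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_rdata(owner: str, dnskey: bytes) -> bytes:
    """DS RDATA: key tag, algorithm, digest type, SHA-256(owner name wire form || DNSKEY RDATA)."""
    algorithm = dnskey[3]
    digest = hashlib.sha256(name_to_wire(owner) + dnskey).digest()
    return struct.pack("!HBB", key_tag(dnskey), algorithm, DIGEST_SHA256) + digest

def ds_matches_dnskey(ds: bytes, owner: str, dnskey: bytes) -> bool:
    """Validator step: recompute the DS from the child's DNSKEY and compare with the parent's DS."""
    tag, algorithm, digest_type = struct.unpack("!HBB", ds[:4])
    if digest_type != DIGEST_SHA256 or algorithm != dnskey[3] or tag != key_tag(dnskey):
        return False
    expected = hashlib.sha256(name_to_wire(owner) + dnskey).digest()
    return hmac.compare_digest(ds[4:], expected)

# Constructed sample: a key-signing key (flags 257) for example.com with placeholder key material
SAMPLE_KEY = dnskey_rdata(257, ALG_ECDSAP256SHA256, bytes(64))
SAMPLE_DS = ds_rdata("example.com.", SAMPLE_KEY)

if __name__ == "__main__":
    print("key tag:", key_tag(SAMPLE_KEY))  # 1038 for this constructed key
    print("DS matches:", ds_matches_dnskey(SAMPLE_DS, "example.com.", SAMPLE_KEY))
```

A single flipped byte in the published DNSKEY, or a DS copied to the wrong owner name, makes the check fail, which is how a resolver refuses to trust keys the parent zone never vouched for.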
The core of the work involved in turning DNSSEC into a reality is contained within three primary RFC (Request For Comments) documents: RFC 4033, RFC 4034 and RFC 4035. If you have been keeping up with my adventures in reading the entire set of RFC documents (more than five thousand of them) you’ll know that I am currently up to RFC 1000, so there is a little way to go before we hit DNSSEC! That said, the DNS protocol itself is initially defined in RFC 1035, which itself goes back as far as RFC 882 (Domain Names – Concepts and Facilities).
For more information visit the DNSSEC Securing the Domain Name System website.