DNSSEC (Domain Name System Security Extensions) certifies the response obtained from a DNS server supporting DNSSEC technology.
The Domain Name System (DNS) was originally based on root DNS servers managed by a dozen different organizations in different countries.
Now, DNS is based on a hierarchical system consisting of multiple DNS servers where each server manages one or more zones.
When you try to access our site "www.informatiweb-pro.net", the DNS client installed on your computer will make several requests to different DNS servers :
Since the final answer depends on responses from the parent DNS servers, it's important to secure the DNS system on all DNS servers in the world.
It's for this reason that DNSSEC was invented. But its implementation will obviously take time since there are hundreds or even thousands of DNS servers in the world.
DNSSEC (Domain Name System Security Extensions) is a series of extensions to secure the DNS system by allowing :
If the authoritative DNS server supports DNSSEC, its zones can be signed using this technology.
For this, when signing the zone, DNSSEC will add multiple DNS records (digital signatures) to provide an authentic response to different DNS clients.
As you can see on this schema (retrieved from Microsoft Docs), each DNS record (including global information, such as : the Name Server (NS) list and SOA) will be digitally signed.
As you can see, signing the zone via DNSSEC has resulted in the creation of several types of records :
All these DNS records are created automatically when the zone is signed, except for "DS" records.
In addition, the type of NSEC (or NSEC3) record depends on the choice you make when signing the zone. NSEC or NSEC3 records are automatically added.
Indeed, you will not be able to combine both in the same zone.
Warning : note that the DS record (used to secure DNS delegations) is not automatically created when the zone is signed and must be created manually.
DNSKEY and DS records are called trust points or trust anchors.
These trust points must be distributed to non-authoritative DNS servers in your DNS zone so that they can validate the signatures received with your DNS response.
As previously explained, deploying DNSSEC will help protect DNS clients (users) from fake DNS responses sent by hackers.
But, for this to be possible, everyone needs to implement DNSSEC on its DNS servers :
Thus, if everyone checks that the response obtained from the parent server is authentic, the user can be sure that the answer obtained will be authentic and that it has not been manipulated by a hacker.
That being said, customers also need to be compatible with this technology so they can use it instead of the traditional DNS system.
With Windows Server, it's also possible to configure Windows clients (compatible with DNSSEC) to make its use mandatory through the Name Resolution (NRPT / Name Resolution Policy Table) group policy (GPO).
Warning : if you want to make the use of DNSSEC mandatory, be aware that DNSSEC must be supported by each DNS server needed to obtain the final response.
Yes and no. It all depends on your infrastructure and the zones you will manage on your DNS server.
In addition, signing a DNS zone creates additional DNS records, as well as encrypting and decrypting DNS messages.
This can make managing the DNS server more complicated and can impact the performance of your DNS server if it receives a lot of requests simultaneously.
Then, we must also take into account that it will be necessary to renew periodically the security keys used to sign the zone to prevent a hacker from guessing them.
Yes, because your DNS server may be targeted by hackers and your DNS zone will be accessed by many clients over the Internet.
So it's important to sign it to be able to provide authentic answers to your clients and protect them from false DNS answers sent by hackers.
In addition, these zones are generally not part of an Active Directory infrastructure. It's therefore useful and recommended to sign your DNS zones.
Generally, local DNS zones are much less vulnerable to attacks, because they are not accessible from outside (the Internet) or because security protocols have been put in place in your network to protect you from them.
If you sign these DNS zones and these zones are also part of an Active Directory infrastructure, DNS server maintenance may be more complicated. Indeed, the number of DNS records can grow visibly depending on the number of computers in your network and linked to your Active Directory.
It's therefore advisable to sign them only if you consider that this is necessary or because :
Enabling DNSSEC on your DNS server impacts the performance of your DNS server :
For more information, see the Microsoft Docs DNSSEC Performance Considerations page.
Windows Server 1/15/2013
Windows Server 4/15/2018
Windows Server 4/25/2018
Windows Server 5/11/2018
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
You must be logged in to post a comment