About DNSSEC

DNSSEC has been designed to protect Internet resolvers (users) from forged DNS data. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check whether the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates, including those for email, making it possible to use DNSSEC as a worldwide public key infrastructure for email.

DNSSEC does not protect the confidentiality of data: all DNSSEC responses are authenticated but not encrypted. DNSSEC does not protect against Denial of Service attacks directly, though it indirectly provides some benefit; however, the demands DNSSEC places on Internet infrastructure could make DNSSEC a tool for DoS attacks.

DNSSEC cannot protect against false assumptions; it can only authenticate that the data is truly from the domain owner, or that the domain owner has no such data. A failed validation will prevent data from being passed to a remote server, thus protecting the sender's data from being seen by unintended recipients.

How it works

DNSSEC works by digitally signing answers to DNS lookups using public-key cryptography. To do this, several new DNS record types were created, including the RRSIG, DNSKEY, DS, and NSEC records. These are all supported by the Security-DNS zone signing service. When DNSSEC is used, each answer to a DNS lookup will contain an RRSIG DNS record, in addition to the record types requested. The RRSIG record is a digital signature of the answer DNS resource record set. The digital signature can be verified by locating the correct public key found in a DNSKEY record.

From the results, a security-aware DNS resolver can then determine whether the answer it received was correct (the term used is "secure"), whether the authoritative name server for the domain being queried does not support DNSSEC ("insecure"), or whether there is some sort of error. The correct DNSKEY record is found via an Authentication Chain, starting with a known good public key for a Trust Anchor. This public key can then be used to verify a Delegation Signer (DS) record. A DS record in a parent domain (DNS zone) can then be used to verify a DNSKEY record in a subdomain, which can in turn contain other DS records to verify further subdomains.

Security-DNS is a free service provided by CommunityDNS (http://www.CDNS.net) to promote the use of DNSSEC on the Internet by those entities that could benefit from DNS validation.

Technically, DNSSEC is quite demanding, and the Security-DNS Zone Signing tool is designed to make the creation and acceptance of DNSSEC zones much easier.

The look-up search bar on the www.Security-DNS.net homepage provides the public with a way to visually check whether DNSSEC zone data exists for a domain.