What is DNSSEC?
Although DNS is the backbone of the internet, DNS vulnerabilities have become prevalent. One of the most common problems Internet users face is exposure to DNS spoofing attacks, which let attackers redirect traffic to servers they control instead of the website's legitimate one.
DNSSEC was designed to address those risks. It adds digital signatures to DNS data so that a validating resolver can verify that the records in a DNS response came from the authoritative DNS server for the queried domain name and have not been altered en route.
Why Do You Need It?
In addition to protecting your domain from attacks, DNSSEC is increasingly used to prove that a domain is secure during outside verification. Many web2 TLDs, including .bank, require DNSSEC to be enabled to establish that their namespace is secure.
Web3 domains are also using DNSSEC to verify a secure registration process. For example, the .ETH Registry (ENS) requires that DNSSEC be enabled for a .eth domain before its smart contracts can be provisioned. Order a .ETH domain from EnCirca here: https://www.encirca.com/eth/
To add DNSSEC keys:
- Login to EnCirca (https://manage30.encirca.com/)
- If needed, search for your domain.
- Click on the domain whose DS keys you want to change
- Click on the DNSSEC tab
- In the empty fields, enter the record's values and click [Add DNSSEC Record]
- Once the needed records are added, save your changes
- You may have to wait up to 60 minutes for changes to take effect
Each DS record consists of four fields: KeyTag, Algorithm, DigestType and Digest.
You get these values from the DNS/hosting provider that hosts your domain's zone. If you are not sure where to get the records, please contact your hosting/DNS provider.
A DS record has the following format:
Example.com. 3600 IN DS 2371 13 2 <digest, a long hexadecimal string>
Where:
- Example.com. - the domain name that the DS record is for
- 3600 - TTL, the time in seconds that the record may remain in a cache
- IN - the record class, which stands for Internet
- 2371 - Key Tag, a short numeric identifier for the key
- 13 - algorithm type. Each algorithm allowed in DNSSEC has an assigned number. Algorithm 13 is ECDSA with the P-256 curve using SHA-256.
- 2 - Digest Type, the hash function that was used to generate the digest from the public key. Digest type 2 is SHA-256.
- The long string at the end is the Digest, the hash of the public key
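The four DS fields are usually copied by hand from the DNS provider's panel into the registrar's form, and a mistyped or truncated value silently breaks validation for the whole domain. As an added example (not EnCirca's or any DNS provider's code), the Python below builds a DS record from a DNSKEY the way provider tooling does (RFC 4034: key tag from the DNSKEY RDATA, digest over owner name plus RDATA) and checks a DS line for the common copy mistakes: a digest whose length does not match the digest type, an unknown algorithm number, or a DS that does not correspond to the key the zone actually publishes. The example.com name and the 64-byte key are constructed placeholders, not a real key.

```python
import hashlib
import struct

# DNSSEC algorithm numbers (IANA registry); 13 is the one used in the DS example above.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# DS digest types with the hashlib name and the digest length in bytes each produces.
DIGEST_TYPES = {1: ("sha1", 20), 2: ("sha256", 32), 4: ("sha384", 48)}


def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (flags|protocol|algorithm|public key), RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased labels, each length-prefixed."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Wire RDATA of a DNSKEY; flags 257 marks a key-signing key (KSK)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def make_ds(name: str, rdata: bytes, digest_type: int = 2, ttl: int = 3600) -> str:
    """Presentation-format DS line for a DNSKEY: digest = hash(owner name | DNSKEY RDATA)."""
    hash_name, _ = DIGEST_TYPES[digest_type]
    digest = hashlib.new(hash_name, owner_wire(name) + rdata).hexdigest()
    algorithm = rdata[3]
    return f"{name.rstrip('.')}. {ttl} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_ds(line: str) -> dict:
    """Split a DS line into its fields; raises ValueError if it is not shaped like a DS record."""
    parts = line.split()
    if len(parts) != 8 or parts[2].upper() != "IN" or parts[3].upper() != "DS":
        raise ValueError("expected: <name> <ttl> IN DS <keytag> <alg> <digesttype> <digest>")
    return {"name": parts[0], "ttl": int(parts[1]), "key_tag": int(parts[4]),
            "algorithm": int(parts[5]), "digest_type": int(parts[6]), "digest": parts[7].lower()}


def ds_problems(line: str) -> list:
    """Reasons a DS line should not be submitted to the registrar; an empty list means it looks sane."""
    try:
        ds = parse_ds(line)
    except ValueError as e:
        return [str(e)]
    problems = []
    if not 0 <= ds["key_tag"] <= 65535:
        problems.append("key tag must fit in 16 bits")
    if ds["algorithm"] not in ALGORITHMS:
        problems.append(f"unknown or deprecated algorithm {ds['algorithm']}")
    if ds["digest_type"] not in DIGEST_TYPES:
        problems.append(f"unknown digest type {ds['digest_type']}")
    else:
        expected = DIGEST_TYPES[ds["digest_type"]][1] * 2  # hex characters
        if len(ds["digest"]) != expected or any(c not in "0123456789abcdef" for c in ds["digest"]):
            problems.append(f"digest must be {expected} hex characters for digest type {ds['digest_type']}")
    return problems


def ds_matches_dnskey(ds_line: str, name: str, rdata: bytes) -> bool:
    """True if the DS line was derived from this DNSKEY (same key tag, algorithm and digest)."""
    ds = parse_ds(ds_line)
    if ds["digest_type"] not in DIGEST_TYPES:
        return False
    expected = parse_ds(make_ds(name, rdata, ds["digest_type"]))
    return all(ds[k] == expected[k] for k in ("key_tag", "algorithm", "digest"))


if __name__ == "__main__":
    # Constructed KSK: flags 257, algorithm 13, and a dummy 64-byte stand-in for a P-256 point.
    ksk = dnskey_rdata(257, 13, bytes(range(1, 65)))
    line = make_ds("example.com.", ksk)
    print(line)
    print("problems:", ds_problems(line))
    print("matches published key:", ds_matches_dnskey(line, "example.com.", ksk))
```

Before saving a DS record at the registrar, run `ds_problems` on the line you are about to enter and, if you can fetch the zone's DNSKEY RDATA, `ds_matches_dnskey` against it; a DS that passes both is at least the right shape and tied to the key the zone actually serves. Note that the digest covers the owner name and the full DNSKEY RDATA, so a DS generated for one name cannot be reused for another.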
To remove DNSSEC keys:
- Login to EnCirca (https://manage30.encirca.com/)
- Click on the domain whose DS keys you want to remove
- Click on the DNSSEC tab
- To the right of the key you want to remove, click the [Remove] button