DNSSEC
This page explains Domain Name System Security Extensions (DNSSEC) and how it helps secure the Internet’s naming system – the Domain Name System (DNS). It covers:
- What DNSSEC is and why it matters.
- How DNSSEC works, including digital signatures and the chain of trust.
- What DNSSEC is used for, such as preventing spoofing and supporting secure protocols.
- How to take advantage of DNSSEC, whether you’re running a resolver or managing a domain.
- APNIC’s role in DNSSEC, including signed zones, member support, and global measurement.
What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a set of protocols that add a layer of cryptographic assurance to the Domain Name System (DNS), helping ensure that users reach the websites or services they intend to. It was designed to address a fundamental vulnerability in the DNS — the lack of built-in authentication for DNS responses.
When a user types a domain name into their browser, the DNS translates that name into an IP address. However, without DNSSEC, there is no way to verify that the response received is authentic. This opens the door to attacks like cache poisoning, where malicious actors can redirect users to fraudulent sites.
DNSSEC solves this by using digital signatures to verify the integrity and authenticity of DNS data. These signatures are generated using public-key cryptography and are attached to DNS records. When a DNS resolver receives a response, it can check the signature against a chain of trust that starts at the DNS root zone. If the signature is valid, the data is considered trustworthy.
Importantly, DNSSEC does not encrypt DNS data or prevent eavesdropping. Its role is to ensure that the data has not been tampered with and truly comes from the authoritative source.
For example, if a resolver queries the IP address for example.com, DNSSEC allows it to verify that the response actually came from the authoritative DNS server for example.com and wasn’t altered in transit.
By enabling DNSSEC, network operators can:
- Protect users from being redirected to malicious websites.
- Improve the overall trustworthiness of their domain infrastructure.
- Support other security protocols that rely on DNS integrity, such as DANE (DNS-based Authentication of Named Entities).
DNSSEC is a foundational tool for securing the Internet’s naming system and is especially relevant for operators who manage authoritative DNS zones or run validating resolvers.
How does DNSSEC work?
DNSSEC works by adding digital signatures to DNS records, allowing resolvers to verify that the data they receive is authentic and has not been tampered with. These signatures are created using public key cryptography, and their validity can be checked against a chain of trust anchored at the DNS root zone.
When a DNS resolver performs a lookup, DNSSEC enables it to check whether the response matches what is stored on the authoritative name server. This verification process ensures that users are directed to the correct servers, reducing the risk of redirection to malicious destinations.
Here’s how it works in practice:
- Signing DNS records: When a domain is DNSSEC-enabled, its authoritative DNS server generates cryptographic signatures for its DNS records using a private key. The signatures, together with the keys and delegation data needed to verify them, are stored in special DNSSEC record types: RRSIG (Resource Record Signature), DNSKEY (DNS Public Key), DS (Delegation Signer), and NSEC (Next Secure).
- Publishing public keys: The corresponding public key is published in the DNS using a DNSKEY record. This allows resolvers to verify the RRSIG signatures.
- Establishing a chain of trust: To ensure the public key itself is trustworthy, DNSSEC uses a hierarchical model. The parent zone publishes a DS (Delegation Signer) record, a signed hash of the child domain's public key, and this continues up to the DNS root zone, which is trusted by default. This creates a verifiable chain of trust from the root to the domain.
- Validating responses: When a DNS resolver receives a response, it checks the RRSIG signature using the DNSKEY record. If the signature is valid and the chain of trust is intact, the data is accepted. If not, the response is rejected or flagged as insecure.
- Handling non-existent domains: DNSSEC also secures negative responses (for example, when a domain doesn’t exist) using NSEC or NSEC3 records. These prove that no matching record exists, preventing attackers from spoofing non-existent domains.
For example, if a resolver queries example.com, it will receive the IP address along with an RRSIG. It will then use the DNSKEY record to verify the signature, and check that the DNSKEY itself is matched by a DS record in the parent zone (for example, .com), continuing up to the root.
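The DS-to-DNSKEY link described above is simple enough to compute with nothing but a hash function, so here is an added example (written for this page, not APNIC's code) that builds a DS record from a DNSKEY the way RFC 4034 specifies, and then performs the check a validating resolver makes at each delegation: recompute the DS from the child's DNSKEY and compare it with the DS the parent published. The DNSKEY used is a constructed one (its 64-byte "public key" is just the bytes 1 to 64, not a real ECDSA key), and owner names are assumed to be plain ASCII. Signature verification over RRSIGs, which needs the actual public-key algorithm, is not shown.

```python
import base64
import hashlib

# DS digest types and the hash each one uses (RFC 4034, RFC 4509, RFC 6605)
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each prefixed by
    its length, ending in the empty root label (RFC 4034 section 6.2)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags (2 bytes), protocol (1), algorithm (1), key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def parse_dnskey(presentation: str) -> bytes:
    """Wire RDATA from the presentation form shown by dig: '257 3 13 <base64 key>'."""
    flags, protocol, algorithm, *key_parts = presentation.split()
    return dnskey_rdata(int(flags), int(protocol), int(algorithm),
                        base64.b64decode("".join(key_parts)))


def key_tag(rdata: bytes) -> int:
    """Key tag that DS and RRSIG records use to refer to a DNSKEY (RFC 4034 appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple[int, int, int, str]:
    """The DS RDATA the parent zone publishes for this key:
    (key tag, algorithm, digest type, hex digest of owner-name-wire || DNSKEY RDATA)."""
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches_dnskey(owner: str, rdata: bytes, ds: tuple[int, int, int, str]) -> bool:
    """The link check a validating resolver makes at every delegation: recompute the
    DS from the child's DNSKEY and compare it with the DS signed by the parent."""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGEST:
        return False  # unknown digest type: this DS cannot authenticate anything
    return ds_from_dnskey(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())


# Constructed sample: a KSK (flags 257) for algorithm 13 (ECDSA P-256) whose
# 64-byte public key is simply the bytes 1..64. Not a real key.
EXAMPLE_OWNER = "example.com."
EXAMPLE_KEY = bytes(range(1, 65))
EXAMPLE_RDATA = dnskey_rdata(257, 3, 13, EXAMPLE_KEY)
EXAMPLE_DNSKEY_TEXT = "257 3 13 " + base64.b64encode(EXAMPLE_KEY).decode()

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(EXAMPLE_OWNER, EXAMPLE_RDATA)
    print(f"{EXAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
    print("parent DS matches child DNSKEY:",
          ds_matches_dnskey(EXAMPLE_OWNER, EXAMPLE_RDATA, (tag, alg, dtype, digest)))
```

Because the digest covers the owner name as well as the key, the same DNSKEY published under a different name yields a different DS, and changing a single byte of the key breaks the match; that is what binds each step of the chain to the next.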
DNSSEC requires:
- Proper key management, including regular key rollover.
- Accurate configuration of zone signing and delegation.
- Support from both authoritative servers and validating resolvers.
- Deployment across all zones in the DNS hierarchy to complete the chain of trust.
When implemented correctly, DNSSEC provides strong protection against DNS spoofing and cache poisoning, making it a critical tool for securing the Internet’s naming infrastructure.
What is DNSSEC used for?
DNSSEC is used to improve the security and reliability of the Domain Name System (DNS), which is a core part of how the Internet functions. By enabling DNSSEC, network operators and service providers can protect users from certain types of attacks and support other security technologies that rely on trustworthy DNS data.
- Preventing DNS spoofing and cache poisoning: One of the primary uses of DNSSEC is to prevent attackers from forging DNS responses. Without DNSSEC, malicious actors can redirect users to fraudulent websites by injecting false data into DNS caches. DNSSEC uses cryptographic signatures to ensure that DNS responses are authentic and have not been altered in transit.
- Supporting secure services and protocols: DNSSEC enables protocols like DANE (DNS-based Authentication of Named Entities), which allow cryptographic information about services (such as email servers or websites) to be published in the DNS. This helps verify the identity of services and prevent man-in-the-middle (MITM) attacks, especially in environments where traditional certificate authorities may not be trusted.
- Publishing public keys securely: DNSSEC allows public keys to be published in the DNS in a verifiable way. This can be used to bootstrap trust for services like SSH, TLS, and S/MIME. By verifying these keys through DNSSEC, users can ensure they are connecting to the correct service.
- Protecting critical infrastructure: Governments, registries, and operators of critical infrastructure use DNSSEC to ensure the integrity of DNS data for essential services. This helps maintain trust in public-facing systems such as health, finance, and government platforms.
- Complementing other privacy and security technologies: While DNSSEC does not encrypt DNS traffic, it ensures that users are not silently redirected to malicious destinations. This makes it a useful complement to privacy-focused technologies like DNS over HTTPS (DoH) and DNS over TLS (DoT), which encrypt DNS queries and responses.
How to take advantage of DNSSEC?
Taking advantage of DNSSEC involves enabling and supporting DNSSEC validation or signing within your network or domain infrastructure. The steps and benefits vary depending on whether you operate a DNS resolver, manage authoritative DNS zones, or run services that rely on DNS integrity.
Getting started
To get started with DNSSEC:
- Check if your DNS software or provider supports DNSSEC.
- Review documentation from trusted sources.
- Consider starting with validation before moving to signing.
DNSSEC adoption strengthens the overall security of the Internet’s naming system and helps protect users from DNS-based attacks.
Running a validating resolver
If you operate a DNS resolver (for example, for an ISP, enterprise, or campus network), you can enable DNSSEC validation to protect users from forged DNS responses. This involves configuring your resolver software (such as BIND, Unbound, or Knot Resolver) to check DNSSEC signatures and reject invalid data. Most modern resolver software supports DNSSEC.
Signing your domain
If you manage a domain name, you can enable DNSSEC by signing your zone and publishing the necessary DNSSEC records. This includes:
- Generating cryptographic key pairs: a Zone Signing Key (ZSK) and a Key Signing Key (KSK).
- Signing your DNS records with the signing keys.
- Publishing DNSKEY and DS records.
- Ensuring your parent zone (your registrar or registry) accepts and publishes your DS record.
Many registrars and DNS hosting providers offer DNSSEC support, making it easier to enable signing without managing keys manually.
Supporting DNSSEC-aware applications
Some applications and protocols rely on DNSSEC to verify identities or bootstrap trust. By enabling DNSSEC in your infrastructure, you support these use cases and improve the security of services like email (via DANE), SSH, and TLS.
Monitoring and maintaining DNSSEC
DNSSEC requires ongoing maintenance to ensure reliability and security. This includes:
- Regular key rollover.
- Monitoring for validation failures.
- Keeping software and configurations up to date.
- Regularly testing DNSSEC implementations.
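The most common way a signed zone fails validation is not a cryptographic break but an RRSIG that has passed its expiration time, so "monitoring for validation failures" in practice starts with watching signature lifetimes. The following added example (written for this page, not APNIC's tooling) parses RRSIG records from a zone-file dump and classifies each one as ok, expiring, expired or not yet valid against a given clock. It assumes standard presentation format with the IN class present, as produced by dig or a zone transfer; the sample zone and its base64 signature fields are constructed, not real signatures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Rrsig:
    """Fields of an RRSIG record in presentation format (RFC 4034 section 3.2)."""
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def _sigtime(field: str) -> datetime:
    # RRSIG inception and expiration are written as YYYYMMDDHHmmSS in UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one zone-file line: '<owner> <ttl> IN RRSIG <type> <alg> <labels>
    <orig ttl> <expiration> <inception> <key tag> <signer> <signature>'."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return Rrsig(owner=f[0], type_covered=f[4], algorithm=int(f[5]), labels=int(f[6]),
                 original_ttl=int(f[7]), expiration=_sigtime(f[8]),
                 inception=_sigtime(f[9]), key_tag=int(f[10]), signer=f[11])


def signature_status(sig: Rrsig, now: datetime,
                     warn_before: timedelta = timedelta(days=3)) -> str:
    """A validator accepts an RRSIG only while inception <= now <= expiration
    (RFC 4035 section 5.3.1); 'expiring' flags signatures that will fail soon."""
    if now < sig.inception:
        return "not-yet-valid"
    if now > sig.expiration:
        return "expired"
    if sig.expiration - now <= warn_before:
        return "expiring"
    return "ok"


def check_zone(zone_text: str, now: datetime) -> dict[str, str]:
    """Status of every RRSIG in a zone-file dump, keyed by '<owner> <type covered>'.
    Lines that are not RRSIGs (other record types, directives, comments) are skipped."""
    report = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) > 3 and f[3] == "RRSIG":
            sig = parse_rrsig(line)
            report[f"{sig.owner} {sig.type_covered}"] = signature_status(sig, now)
    return report


# Constructed sample: three RRSIGs from a zone dump (signature fields are placeholder
# base64, not real signatures) plus one unsigned A record, checked at a fixed time.
SAMPLE_ZONE = """\
example.com. 3600 IN RRSIG SOA 13 2 3600 20251130000000 20251101000000 2098 example.com. c29hLXNpZw==
example.com. 3600 IN RRSIG A 13 2 3600 20251102120000 20251012120000 2098 example.com. YS1zaWc=
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 13 3 3600 20251020000000 20250920000000 2098 example.com. d3d3LXNpZw==
"""
SAMPLE_NOW = datetime(2025, 11, 1, tzinfo=timezone.utc)


def sample_report() -> dict[str, str]:
    """Run the check over the constructed zone at the constructed point in time."""
    return check_zone(SAMPLE_ZONE, SAMPLE_NOW)


if __name__ == "__main__":
    for name, status in sample_report().items():
        print(f"{status:13} {name}")
```

The warning threshold should be comfortably longer than the interval at which the zone is re-signed, so that a stalled signer is noticed while the old signatures are still valid rather than after resolvers have started returning SERVFAIL.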
Updating domain objects in MyAPNIC
APNIC Members can update domain objects by adding a ds-rdata attribute via the MyAPNIC portal. To update multiple domain objects, you can use the bulk update form and attach a plaintext zone file containing your Name Server and/or DS resource records.
Example (zone file format):
113.0.203.in-addr.arpa. 86400 IN NS ns1.example.com.
113.0.203.in-addr.arpa. 86400 IN NS ns2.example.com.
113.0.203.in-addr.arpa. 86400 IN DS 33736 13 2 B1E76175EC4F7AEF17EC5DBD3BA24EA19728C96FAC8713C008030EBBFD7A28FC
Example (WHOIS domain object format):
domain: 113.0.203.in-addr.arpa
descr: Example reverse DNS delegation
admin-c: EX123-AP
tech-c: EX123-AP
zone-c: EX123-AP
nserver: ns1.example.com
nserver: ns2.example.com
ds-rdata: 33736 13 2 B1E76175EC4F7AEF17EC5DBD3BA24EA19728C96FAC8713C008030EBBFD7A28FC
mnt-by: MAINT-EXAMPLE-AP
changed: hostmaster@example.com 20251021
source: APNIC
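The "Signing your domain" steps above end with getting the DS record accepted by the parent, and the MyAPNIC examples show the same DS value in two forms: a zone-file DS line and a whois ds-rdata attribute. A malformed or truncated digest is the usual reason a submission is rejected or, worse, accepted and then breaks validation for the whole reverse zone. This added example (written for this page, not an APNIC tool) parses a ds-rdata value, runs the sanity checks worth doing before submitting it, and converts between the two forms. The digest type lengths and algorithm numbers are from the IANA DNSSEC registries; the sample values are the ones from the examples above.

```python
import re

# DS digest types with the length of their hex digest
# (1 = SHA-1, 2 = SHA-256, 4 = SHA-384; RFC 4034, RFC 4509, RFC 6605)
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
# DNSSEC algorithm numbers from the IANA registry that signed zones use today
KNOWN_ALGORITHMS = {5, 7, 8, 10, 13, 14, 15, 16}


def parse_ds_rdata(text: str) -> tuple[int, int, int, str]:
    """Split '<key tag> <algorithm> <digest type> <digest>' into its fields. This is
    the value of a ds-rdata attribute and also what follows 'IN DS' in a zone file;
    the zone-file form may break the digest across whitespace, so it is re-joined."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("ds-rdata needs key tag, algorithm, digest type and digest")
    tag, alg, dtype = (int(x) for x in fields[:3])
    return tag, alg, dtype, "".join(fields[3:]).upper()


def ds_problems(text: str) -> list[str]:
    """Checks worth running before submitting a ds-rdata value to the parent zone."""
    try:
        tag, alg, dtype, digest = parse_ds_rdata(text)
    except ValueError as err:
        return [str(err)]
    problems = []
    if not 0 <= tag <= 65535:
        problems.append(f"key tag {tag} is outside 0..65535")
    if alg not in KNOWN_ALGORITHMS:
        problems.append(f"algorithm {alg} is not one of the DNSSEC algorithms in current use")
    if dtype not in DIGEST_HEX_LEN:
        problems.append(f"digest type {dtype} is unknown")
    elif len(digest) != DIGEST_HEX_LEN[dtype]:
        problems.append(f"digest type {dtype} needs {DIGEST_HEX_LEN[dtype]} hex characters, got {len(digest)}")
    if not re.fullmatch(r"[0-9A-F]+", digest):
        problems.append("digest is not hexadecimal")
    return problems


def zone_ds_line(owner: str, ttl: int, ds_rdata: str) -> str:
    """Render a ds-rdata value as the DS record line the parent zone will carry."""
    tag, alg, dtype, digest = parse_ds_rdata(ds_rdata)
    return f"{owner} {ttl} IN DS {tag} {alg} {dtype} {digest}"


def whois_ds_rdata(zone_line: str) -> str:
    """Extract the ds-rdata value from a zone-file DS line (the reverse conversion),
    normalising any whitespace inside the digest."""
    fields = zone_line.split()
    tag, alg, dtype, digest = parse_ds_rdata(" ".join(fields[fields.index("DS") + 1:]))
    return f"{tag} {alg} {dtype} {digest}"


# The DS values from the page's own MyAPNIC example, including the zone-file form
# with the digest broken across whitespace.
PAGE_DS = "33736 13 2 B1E76175EC4F7AEF17EC5DBD3BA24EA19728C96FAC8713C008030EBBFD7A28FC"
PAGE_ZONE_LINE = ("113.0.203.in-addr.arpa. 86400 IN DS 33736 13 2 "
                  "B1E76175EC4F7AEF17EC5DBD3BA24EA19728C96FAC 8713C008030EBB FD7A28FC")

if __name__ == "__main__":
    print(ds_problems(PAGE_DS) or "ds-rdata looks well-formed")
    print(whois_ds_rdata(PAGE_ZONE_LINE))
    print(zone_ds_line("113.0.203.in-addr.arpa.", 86400, PAGE_DS))
```

A length check alone catches the most frequent copy-and-paste error (a digest cut at a line break), but it does not prove the DS corresponds to the key actually in the zone; for that, recompute the DS from the published DNSKEY and compare before submitting.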
APNIC and DNSSEC
APNIC supports DNSSEC across its infrastructure and services to help secure the Internet’s naming system. This includes signing its own zones, supporting Member DNSSEC data, contributing to global DNSSEC measurement and awareness, and supporting the DNS Root Zone KSK Rollover.
- Signed zones and Member data: APNIC has signed its own zones (including apnic.net and reverse DNS zones under in-addr.arpa and ip6.arpa). Members can activate DNSSEC protection for their reverse zones by updating the ds-rdata attribute in their domain objects in the APNIC Whois Database. The value of ds-rdata from the whois domain object is used for the DS resource record in the APNIC reverse DNS zone file. A successful update results in the parent zone data being updated in APNIC’s name servers.
- DNS Root Zone KSK Rollover: APNIC played a role in the DNS Root Zone KSK Rollover, ICANN’s change of the top-level cryptographic keys used in DNSSEC on 11 October 2018. This event marked a significant milestone in DNSSEC operations and is relevant for understanding the evolution of global DNSSEC practices.
- Measurement and research: APNIC Labs conducts ongoing measurement of DNSSEC adoption globally. This research helps track progress, identify gaps, and inform the technical community about trends in DNSSEC deployment. APNIC shares these insights through blog posts, presentations, and data tools to support broader understanding and uptake of DNSSEC.
- APNIC DNSSEC Policy and Practice Statement (DPS): This DPS describes how APNIC operates and maintains the DNSSEC operation of the reverse zones.