The Domain Name System (DNS) translates easy-to-remember domain names into numerical IP addresses.
Since the DNS has existed for more than three decades (since 1983), it has gradually become subject to domain hijacking practices.
The DNSSEC technology was developed to take care of this and minimize the cases of domain hijacking.
We proudly welcome this new global technology on our web hosting platform as well.
What is a DNS lookup?
DNSSEC (Domain Name System Security Extensions) is responsible for detecting security problems, if any, during a DNS lookup.
Before giving you any further details about DNSSEC, we will first explain how exactly the DNS lookup process works:
1. Every time you enter the address of a given website (for instance, WWW.DOM.COM) in your web browser, a request for additional details on .COM is sent to the root zone.
2. Then, another request for details on DOM.COM is sent to the .COM zone.
3. Finally, the DOM.COM zone is queried for WWW.DOM.COM’s IP address. Your browser will then receive a response, which will contain that address.
Take a look at our detailed visual scheme of the aforementioned DNS lookup steps:
A different entity controls each of the zones you can see in the picture. ICANN controls the root zone, .COM (or any other TLD) is managed by a domain registry and DOM.COM is administered by a domain registrar.
How can the DNSSEC fix the DNS vulnerability?
DNSSEC validates the DNS responses during DNS lookup. It does this by adding digital signatures through each stage of the query process.
As a result, an additional layer of security is added, so that the user of a website can rest assured that he/she is always accessing the genuine website or the legitimate service every time the web address is typed into a browser’s address bar.
Here’s an illustration of how the DNSSEC security protocol works:
As you can see from the diagram above, the DNSSEC helps the HTTPS security protocol. The HTTPS itself is the protocol which is responsible for the data encryption and it’s used during each browser-server ‘dialogue’.
The DNSSEC adds multiple digital signatures during each and every step of the DNS lookup. There are special keys which produce these signatures. The keys have to be validated by a higher-level entity. For example, .COM has to sign the key for DOM.COM and the key for .COM has to be signed by the root.
The term ‘chain of trust’ is used for the signing of every key. It means that a parent zone has to sign the key of the corresponding child zone below it.
Name servers are responsible for storing the aforementioned digital signatures as well as their corresponding keys. They also store A, AAAA, MX, CNAME and other widely used record types.
The digital signature of the DNS record must be checked, so that it immediately becomes clear whether it’s authentic or altered during a man-in-the-middle attack.
Are there any DNSSEC-compatible gTLDs on Exclusive Hosting’s platform?
Exclusive Hosting is both an ICANN-accredited domain registrar and a reliable web hosting provider. That’s why we can offer you DNSSEC support for the DOM.COM and the WWW.DOM.COM zones in the DNS lookup chain.
Full DNSSEC support is currently available for the majority of TLDs on our platform.
Therefore, we are authorized to publish the DS records for each domain that you’d like to register with one of these generic extensions.
What’s more, you can enable DNSSEC for your domains with a single click in the Web Hosting Control Panel.
If you’ve been with us for some time, you’ll notice that there’s a new DNSSEC column in the Hosted Domains section.
In order to activate DNSSEC for a given domain, left-click on the corresponding DNSSEC icon.
A dialogue box where you’ll be required to select your signature algorithm will show up on your screen:
We recommend that registrants use RSA/SHA-256 or RSA/SHA-1.
NOTE: If a given domain name is not registered through us, we will give the respective DS records to the given client. This way they can add them to their domain management account with the other registrar.
Click once again on the DNSSEC icon to get the DS records for your DNSSEC-enabled domain.
All the required DS details will be featured in the dialogue box:
All you have to do is copy the information you see there and paste it in the domain management panel that’s provided by the current registrar of the domain.
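Before pasting DS details into another registrar's panel, they can be checked against the zone's DNSKEY, since a DS record is a digest of that key published in the parent zone. The following is an added example, not Exclusive Hosting's code: it recomputes the key tag and digest as RFC 4034 defines them, and the function names and key material are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [p for p in name.lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """True only if a pasted 'tag alg digest-type digest' line matches the DNSKEY."""
    parts = ds_text.split()
    try:
        tag, alg, dtype = (int(p) for p in parts[:3])
        expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    except (ValueError, KeyError):
        return False  # malformed line or unsupported digest type
    return (tag, alg, dtype, "".join(parts[3:]).upper()) == expected

# Constructed sample key material (not a real key): KSK flags 257, protocol 3,
# algorithm 8 (RSA/SHA-256), for the page's example zone DOM.COM.
SAMPLE_KEY = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(64))).decode()

if __name__ == "__main__":
    line = "%d %d %d %s" % make_ds("dom.com.", 257, 3, 8, SAMPLE_KEY)
    print("dom.com. IN DS", line)
    print("matches key:", ds_matches(line, "DOM.COM", 257, 3, 8, SAMPLE_KEY))
```

A mismatch means the DS at the parent would not validate the zone's key, and validating resolvers would then reject the domain's answers.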
DNSSEC can be paramount for the reputation of your website and/or the services you offer.
If you don’t use it, your visitors might get routed to somebody else’s server and tricked into submitting their details to phishing sites. When they eventually find out, they will never return to your actual site.
No matter how good your content is or how reliable and easy-on-the-budget the services or products you offer are, you’ll get fewer and fewer visitors.
Soon we will add new DNSSEC-compatible TLDs to our platform. Check out our blog regularly to learn more.