DNSSEC FAQs

Below you will find frequently asked questions about our DNSSEC service.

What is the domain name system (DNS)?

The domain name system is the system that supports global communication networks by matching requests from Internet users to Internet Protocol (IP) addresses and services.

When you attempt to navigate to a website or send an email, your computer uses the DNS to map the domain name associated with the website you want to access to an Internet protocol (IP) address. In other words, your computer ‘queries’ the DNS for the website’s location, and a DNS server answers the query by resolving the domain name to the IP address.

What are the threats to the DNS?

There are vulnerabilities in the DNS that are being actively exploited by attackers. These attacks are often undetectable to users. The attacks that DNSSEC addresses fall into the following categories:

  • DNS spoofing (also known as malicious cache poisoning):
    Recursive name servers temporarily store, or cache, information learned during the name resolution process. Cache poisoning occurs when fraudulent DNS data is inserted into the cache of a recursive name server. Without DNSSEC, the server has no way to ensure the validity and accuracy of this information. When malicious information is cached on the recursive name server, the server is considered ‘poisoned’. Cache poisoning allows an attacker to redirect Internet traffic to fraudulent sites.
  • Malicious resolvers:
    Malicious resolvers pose a threat because the information they host can be neither trusted nor validated. The consequence is that an attacker can redirect you to a malicious website or server.
  • Man-in-the-middle (MITM) attacks:
    A man-in-the-middle (MITM) attack secretly intercepts and modifies communications between two systems. The attacker can potentially modify the communication to redirect traffic to an illegitimate address or website. End users do not detect MITM attacks and assume that they are communicating directly with their intended destination.

What is Domain Name Security Extensions (DNSSEC)?

Domain Name Security Extensions (DNSSEC) is a critical upgrade to the security of the Internet: it protects users against attacks such as those listed above. DNSSEC adds authentication and integrity to the DNS, defeating these attacks by achieving the following:

  • Origin authentication and data integrity:
    DNSSEC-capable resolvers digitally verify that the DNS data they receive is identical to the information on the authoritative DNSSEC-capable name server. This is done by authenticating the origin and integrity of DNS data as it transits the Internet.
  • Authenticated denial of existence:
    DNSSEC-capable resolvers are able to determine whether or not a resource, such as a name server, actually exists, adding a layer of security.

All answers to queries in DNSSEC are digitally signed. By checking the digital signature, you can verify whether the information is identical to the information on the authoritative DNS server, ensuring that what you queried is what resolves.

Owners of websites and email servers that have implemented DNSSEC will have a higher degree of certainty that visitors to their website and emails destined for their mail servers will not be redirected elsewhere.

What does DNSSEC not address?

DNSSEC does not provide confidentiality of data that is transmitted.

What has CIRA done so far on DNSSEC?

In 2014 CIRA implemented DNSSEC capability in the Registry, and worldwide there has been a significant push for the implementation of DNSSEC. Registrars, DNS hosting providers and ISPs are starting to sign and validate domains. CIRA will continue to work with the Canadian Internet community towards the goal of full implementation of the chain of trust required to improve the safety and reliability of the Internet's infrastructure.

The importance of DNSSEC can be visualized with an illustrated example of how the domain name system (DNS) can be compromised. Take the example of cache poisoning, where a DNS record has been overwritten to point to the IP of a rogue website.

The diagram below illustrates what happens during this attack:

Figure 1: DNS spoofing attack

  1. The attacker targets and compromises the DNS server used by clients. The clients will consist of desktops, laptops and/or mobile devices. In this instance the attacker modifies the entry for www.example.ca – changing the recorded IP address from 1.1.1.1 to the attacker’s fake site IP address (2.2.2.2).
  2. The client queries the DNS server – “What is the IP address of www.example.ca?”
  3. The DNS responds to the client query with “The IP address of www.example.ca is 2.2.2.2” – not the real IP address.
  4. The client then connects to the host at 2.2.2.2 – expecting it to be www.example.ca, but is covertly redirected to the attacker’s fake site.


The diagram below indicates how DNSSEC protects the user:

  1. Again, the attacker targets and compromises the DNS server used by clients. The clients will consist of desktops, laptops and/or mobile devices. In this instance the attacker modifies the entry for www.example.ca – changing the recorded IP address from 1.1.1.1 to the attacker’s fake site IP address (2.2.2.2). The cryptographic information for the address has also been overwritten.
  2. The client queries the DNS server – “What is the IP address of www.example.ca?”
  3. The DNS responds to the client query with “The IP address of www.example.ca is 2.2.2.2” – not the real IP address nor the “right” cryptographic key.
  4. The client is prevented from connecting to the host at 2.2.2.2 – as the expected cryptographic validation is not correct. The user has been protected.

DNSSEC helps protect the client by providing a cryptographic key for the associated DNS record. If the attacker attempts to compromise the record, the result is a bad DNS entry whose cryptographic key does not check out. When a lookup is attempted, the resolver notifies the user that the DNS entry is invalid. The client is prevented from accessing the rogue web site, which in most cases would lead to a compromise of user data or credentials.
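The two diagrams above replayed in code, as an added example that is not CIRA's code or a real resolver: a toy DNSSEC answer signed with Ed25519 (DNSSEC algorithm 15), the zone's public key standing in for the trust anchor that the parent zone's DS record would normally vouch for, and a resolver that either skips validation (Figure 1) or validates the answer (second diagram). The record names, the IPs 1.1.1.1 and 2.2.2.2, and the simplified RRset encoding are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Record struct{ Name, IP string } // simplified DNS A record: owner name and IPv4 address

// SignedAnswer models a DNSSEC response: the record, its RRSIG, and the DNSKEY the
// responding server claims signed it (the "cryptographic information" in the second diagram).
type SignedAnswer struct {
	Rec    Record
	Sig    []byte
	DNSKEY ed25519.PublicKey
}

func canonical(r Record) []byte { return []byte(r.Name + " IN A " + r.IP) } // bytes the RRSIG covers

// SignRecord is what the legitimate authoritative server does with the zone's private key.
func SignRecord(priv ed25519.PrivateKey, r Record) SignedAnswer {
	return SignedAnswer{r, ed25519.Sign(priv, canonical(r)), priv.Public().(ed25519.PublicKey)}
}

// Resolve is the client's resolver. With trustAnchor == nil it skips validation (Figure 1);
// otherwise trustAnchor is the key the parent zone's DS record would vouch for (second diagram).
func Resolve(trustAnchor ed25519.PublicKey, a SignedAnswer) (string, error) {
	if trustAnchor == nil {
		return a.Rec.IP, nil
	}
	if !a.DNSKEY.Equal(trustAnchor) {
		return "", fmt.Errorf("%s: DNSKEY is not the key the chain of trust vouches for", a.Rec.Name)
	}
	if !ed25519.Verify(a.DNSKEY, canonical(a.Rec), a.Sig) {
		return "", fmt.Errorf("%s: RRSIG does not verify, the record was altered", a.Rec.Name)
	}
	return a.Rec.IP, nil
}

func main() {
	zonePub, zonePriv, _ := ed25519.GenerateKey(rand.Reader) // example.ca's zone key pair
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)   // the attacker's own key pair
	genuine := SignRecord(zonePriv, Record{"www.example.ca.", "1.1.1.1"})
	// Poisoned cache entry: IP rewritten to 2.2.2.2 and re-signed with the attacker's key.
	poisoned := SignRecord(attackerPriv, Record{"www.example.ca.", "2.2.2.2"})
	fmt.Println(Resolve(nil, poisoned))     // 2.2.2.2 <nil>: no validation, client is redirected
	fmt.Println(Resolve(zonePub, poisoned)) // "" plus a validation error: client refuses to connect
	fmt.Println(Resolve(zonePub, genuine))  // 1.1.1.1 <nil>
}
```

The attacker can replace both the record and the key it ships with, but cannot produce a key that matches the trust anchor, nor a signature under the genuine key, so both the swapped-key and the altered-record cases fail validation.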

Can I register a .CA domain name that is DNSSEC enabled?

Yes, a number of Registrars currently enable their customers to sign their websites' DNS; consult our .CA MarketPlace for a full list.