
Why DNSSEC is essential for protecting domain names

Being able to properly manage a domain name’s DNS (Domain Name System) is essential for ensuring a business’s websites and web applications are available and trustworthy. Certain cyberattacks related to DNS can have major consequences in terms of brand image and economic performance since they can easily translate into the loss of users, the theft of users’ identifying information, downtime for your website, and frustration for your users. By activating the DNSSEC security protocol on your domain names, you’re able to ensure that DNS data is authenticated and secured to avoid any falsification of your DNS records and thereby strengthen your domain name’s security.

Despite all that, using this ICANN-recommended feature is not something a large majority of businesses prioritize. Let’s learn why and demystify the technical aspects of the DNSSEC protocol.

How DNSSEC enables you to secure domain names

DNSSEC is a protocol that enables you to cryptographically sign the DNS data served by nameservers, using public key cryptography. It establishes a “chain of trust” that extends up to the DNS root, securing the data sent by each DNS server in that chain.

This data is authenticated end-to-end, which guarantees the authenticity of responses. A bad actor is therefore unable to break the chain of trust.

Illustration of DNSSEC

Activating DNSSEC protects against tampering with DNS data, also known as DNS hijacking, and ensures, for example, that your site’s traffic isn’t redirected to a fraudulent website looking to steal data. Activating DNSSEC is also a best practice recommended by ANSSI (Agence nationale de la sécurité des systèmes d’information, the French agency for the security of information systems) for domain name security.

How does DNSSEC work?

DNSSEC works by signing DNS data with public key cryptography, following this procedure:

  1. The domain owner generates a pair of keys
  2. They send the public key to their domain registrar
  3. The registrar sends the keys to the domain’s Registry
  4. The Registry signs and publishes them

The process is therefore similar to the one used for SSL/TLS certificates: the website administrator generates a key pair, and its public part is sent to a certificate authority (CA), which signs it.

DNSSEC in fact complements HTTPS: DNSSEC ensures that an internet user is directed to your web server, and the SSL/TLS certificate protects the data exchanged with your website.
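What links steps 3 and 4 to the chain of trust is the DS record: the registry publishes, in the parent zone, a hash of the child zone’s key-signing key (KSK), and a validating resolver checks that the DNSKEY it receives from your nameservers matches that DS. The script below is an added example, not Gandi’s code: it computes the DS for a DNSKEY in presentation format and checks a published DS against it, so a domain owner can confirm that what the registry publishes matches the key their DNS operator signs with. The owner name and key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical DNS wire format (lower-cased labels, RFC 4034 s.6.2)."""
    wire = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split("."))
    return wire + b"\x00"

def parse_dnskey(text: str) -> bytes:
    """'flags protocol algorithm base64key' -> DNSKEY RDATA in wire format."""
    flags, proto, alg, key = text.split(None, 3)
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode(key)

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B, non-algorithm-1 case)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def make_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS record the parent zone should publish for this DNSKEY: 'tag alg dtype hexdigest'."""
    rdata = parse_dnskey(dnskey_text)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def check_ds(owner: str, dnskey_text: str, ds_text: str) -> tuple:
    """Compare a published DS with a DNSKEY: (tag matches, algorithm matches, digest matches)."""
    tag, alg, dtype, digest = ds_text.split()
    expected = make_ds(owner, dnskey_text, int(dtype)).split()
    return (int(tag) == int(expected[0]), int(alg) == int(expected[1]),
            digest.upper() == expected[3])

# Constructed sample: a KSK (flags 257), algorithm 13, with placeholder key bytes.
# This is NOT a real key; a real ECDSA P-256 public key is also 64 bytes, so the check is identical.
SAMPLE_OWNER = "example.com"
SAMPLE_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
SAMPLE_DS = make_ds(SAMPLE_OWNER, SAMPLE_KSK)
# Same record with one key byte altered: what a substituted key looks like against the parent's DS.
TAMPERED_KSK = "257 3 13 " + base64.b64encode(b"\xff" + bytes(range(1, 64))).decode()

if __name__ == "__main__":
    print("DS to publish:", SAMPLE_DS)
    print("genuine key:  ", check_ds(SAMPLE_OWNER, SAMPLE_KSK, SAMPLE_DS))
    print("tampered key: ", check_ds(SAMPLE_OWNER, TAMPERED_KSK, SAMPLE_DS))
```

The same comparison applies to a real zone: feed `check_ds` the DNSKEY your DNS operator serves and the DS shown by your registrar, and a mismatch in any field means resolvers will not be able to validate the zone.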

Why is DNSSEC still not used by the majority of businesses?

Despite the higher level of security it provides, DNSSEC activation remains rare, even among large businesses. For example, fewer than 5 of the CAC 40 companies use this security protocol.

The reasons are simple to understand.

First of all, manual implementation of DNSSEC is a relatively complex process. Above all, the protocol requires regular maintenance operations (managing KSK/ZSK key rollovers), and their complexity is the main argument against DNSSEC, especially since the smallest technical error can have serious repercussions for a site’s availability.

To meet these challenges, Gandi Corporate Services has automated most of the implementation procedure in order to enable businesses to benefit from the higher level of security offered by DNSSEC, without increasing the complexity.

How Gandi Corporate Services simplifies DNSSEC activation on a domain name

With Gandi Corporate Services, the entire DNSSEC chain can be activated in a single click, without you having to generate your own cryptographic keys.

By activating DNSSEC on a Gandi Corporate Services domain name, you can also:

  1. Sign your zones with LiveDNS
  2. Automatically publish keys to the Registry if you use our DNS servers
  3. Automate key rollover if you use a third-party DNS service following the “Third Party DNS operator to Registrars/Registries Protocol.”

Watch our video tutorial for step-by-step instructions:

DNS record corruption and compromise is a reality businesses should try to protect themselves from. When you activate DNSSEC on your domain names, you ensure that DNS data is authenticated and secured and that your site’s traffic isn’t redirected to a fraudulent site looking to steal your customers’ data.

If you have any questions or need help activating DNSSEC, please feel free to contact the Gandi Corporate Services team at corporatecontact@gandi.net.