Domain signature (DNSSEC)
What's the Domain Name System?
The Domain Name System (DNS) is like the address book of the internet. It translates the name of your website to the actual IP address.
As the original DNS was not built with security in mind, malicious actors found ways to intercept people looking up a website or sending an email, and to divert their traffic. As a result, people were visiting counterfeit websites (and possibly making payments there) or corresponding with email addresses hosted by imposters.
The DNS security extensions (DNSSEC) add cryptographic signatures to existing domain name records. These digital signatures are stored in DNS name servers alongside common public records like A, AAAA, MX, and CNAME.
By using DNSSEC, the signatures associated with your domain name can be checked. This allows your browser to verify that the information it looks up for your website name is genuine, and that it comes from the original, verified source.
For a detailed (technical) description of how DNSSEC works, please read this documentation from Cloudflare.
Incidents that could have been prevented with use of DNSSEC
It's nearly impossible to prove a causal relationship between cybersecurity incidents and the absence of a protocol such as DNSSEC. However, the links below lead to reports of actual incidents that could have been prevented, or their consequences mitigated, had DNSSEC been in use.
- A Deep Dive on the Recent Widespread DNS Hijacking Attacks
- Australian Institute of Criminology, Criminal misuse of the Domain Name System
- Microsoft, DNSSEC in Windows
- Alison Howe, Internet hijacking: it’s nothing personal
DNSSEC for the Australian government
In April 2019, the domain for Australian government agencies (.gov.au) was "signed" with DNSSEC. This means that someone looking up information from official Australian government websites can be assured the website is original and the information is authentic.
What can you do?
To enable DNSSEC properly you need some assistance from your domain name registrar and web hosting provider.
First, DNSSEC needs to be set up at the top level domain. This is the case for .au, .com.au, .org.au and 14 more second-level domains. See here for more information.
Then you need to check whether your domain name registrar supports the setup of secure records for your domain; finally, your hosting provider needs to enable DNSSEC.
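The hand-off between registrar and hosting provider in the steps above comes down to one check a domain owner can do: the DS record the registrar publishes in the parent zone must be the hash of the key-signing DNSKEY your hosting provider serves for the zone. The Python below is an added example, not code from the original page; it implements the key tag and DS digest calculations from RFC 4034 over a constructed key (the zone name example.com.au and the key bytes are made up). In practice you would paste in the DNSKEY and DS records obtained from your provider and registrar, or from a lookup tool such as dig. It does not verify record signatures (RRSIGs); that is the job of a validating resolver.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase) DNS wire format (RFC 4034 section 6.2)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"  # root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def is_key_signing_key(flags: int) -> bool:
    """Zone Key flag (256) plus Secure Entry Point flag (1): the key a DS record should point at."""
    return flags & 0x0101 == 0x0101


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSAMD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


# DS digest types from the IANA registry; type 3 (GOST) is omitted here.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest field: hash(owner name in wire format || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner: str, ds_record: dict, flags: int, protocol: int,
               algorithm: int, public_key_b64: str) -> bool:
    """Does the DS record published by the registrar (parent zone) refer to this DNSKEY?"""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(public_key_b64))
    return (ds_record["key_tag"] == key_tag(rdata)
            and ds_record["algorithm"] == algorithm
            and ds_record["digest"].upper() == ds_digest(owner, rdata, ds_record["digest_type"]))


# Constructed example: a KSK the hosting provider would publish as a DNSKEY record.
# These values are made up for illustration and are not a real key.
EXAMPLE_OWNER = "example.com.au"
EXAMPLE_FLAGS = 257        # 256 (zone key) + 1 (secure entry point) = key-signing key
EXAMPLE_PROTOCOL = 3
EXAMPLE_ALGORITHM = 13     # ECDSAP256SHA256
EXAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()


def example_ds_record() -> dict:
    """The DS record the registrar would have to publish in the .com.au zone for the example key."""
    rdata = dnskey_rdata(EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM,
                         base64.b64decode(EXAMPLE_PUBKEY_B64))
    return {"key_tag": key_tag(rdata), "algorithm": EXAMPLE_ALGORITHM,
            "digest_type": 2, "digest": ds_digest(EXAMPLE_OWNER, rdata, 2)}


if __name__ == "__main__":
    ds = example_ds_record()
    print(f"{EXAMPLE_OWNER}. IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("DS matches DNSKEY:", ds_matches(EXAMPLE_OWNER, ds, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL,
                                           EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY_B64))
```

A mismatch here (wrong key tag, wrong algorithm, or a digest that does not line up) means validating resolvers will treat the zone as bogus and your domain will stop resolving for them, which is why the DS record must be updated at the registrar whenever the hosting provider rolls the key-signing key.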
We consider the use of DNSSEC very important, but unfortunately only a limited number of providers currently support it.
Examples of domain registrars and hosting providers include: