Web security: DNSSEC

First post in the web security series.

The first thing your users' browsers do when going to your website is ask a DNS server where your site is. Since DNS was built for scalability, the request does not go to your DNS server but to a local resolver, whose cache may have been corrupted (DNS cache poisoning…).

In order to detect that kind of issue, the DNS protocol has been extended with DNSSEC. The idea is that the entries in your DNS server are signed and the public key is published in your DNS, so the DNS client can verify that the entry it received carries the right signature (which proves that the entry contains unmodified data).

DNS being a hierarchy, higher domains have to support DNSSEC too. So if your domain is example.com, .com also needs to support DNSSEC. Not all top-level domains support DNSSEC.
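To make the two previous paragraphs concrete (signed entries whose key is published in DNS, and a chain that only holds if every parent zone participates), here is a small validating-resolver model. It is an added example written for this post, not code from the post or from any DNS software: the zones, primes, names and addresses are constructed, the signature is textbook RSA with fixed small primes so the signing step stays visible, and the hierarchy is simplified to root, com. and example.com.

```python
"""Toy model of DNSSEC's chain of trust: signed RRsets, DNSKEY, DS and a
validating resolver. Constructed example, stdlib only. The RSA is textbook RSA
over fixed small primes and exists only to make signing visible; real DNSSEC
uses standard algorithms, key sizes and wire formats and also proves
non-existence with NSEC/NSEC3, none of which is modelled here."""
import hashlib

E = 65537  # public exponent shared by every toy key


def canonical(owner, rtype, values):
    """Canonical text form of an RRset, so signer and verifier hash the same bytes."""
    return f"{owner} {rtype} " + " ".join(sorted(values))


def rrset_digest(owner, rtype, values, modulus):
    h = hashlib.sha256(canonical(owner, rtype, values).encode()).digest()
    return int.from_bytes(h, "big") % modulus


def sign(priv, owner, rtype, values):
    """RRSIG: the RRset digest raised to the private exponent (textbook RSA)."""
    n, d = priv
    return pow(rrset_digest(owner, rtype, values, n), d, n)


def verify(pub, owner, rtype, values, rrsig):
    n, e = pub
    return rrsig is not None and pow(rrsig, e, n) == rrset_digest(owner, rtype, values, n)


def ds_digest(dnskey_text):
    """DS record content: a hash of the child's DNSKEY, published in the parent zone."""
    return hashlib.sha256(dnskey_text.encode()).hexdigest()


class Zone:
    """An authoritative zone that signs every RRset it publishes."""

    def __init__(self, name, p, q):
        n = p * q
        self.name = name
        self.priv = (n, pow(E, -1, (p - 1) * (q - 1)))
        self.rrsets, self.rrsigs = {}, {}
        self.add(name, "DNSKEY", [f"{n} {E}"])  # the zone publishes its own public key

    def add(self, owner, rtype, values):
        self.rrsets[(owner, rtype)] = list(values)
        self.rrsigs[(owner, rtype)] = sign(self.priv, owner, rtype, values)

    def delegate(self, child):
        """The parent vouches for the child's key with a signed DS record."""
        self.add(child.name, "DS", [ds_digest(child.rrsets[(child.name, "DNSKEY")][0])])


def validate(chain, trust_anchor, owner, rtype, values, rrsig):
    """Validating resolver: walk from the configured trust anchor down to the leaf zone.
    chain is [root, tld, ..., leaf]; trust_anchor is the DS digest of the root key,
    configured out of band (like the root anchor shipped with real resolvers)."""
    expected_ds = trust_anchor
    for depth, zone in enumerate(chain):
        dnskey = zone.rrsets[(zone.name, "DNSKEY")]
        # 1. the key this zone presents must be the one its parent (or the anchor) vouched for
        if ds_digest(dnskey[0]) != expected_ds:
            return False
        pub = tuple(map(int, dnskey[0].split()))
        # 2. the DNSKEY RRset must itself be signed by that key
        if not verify(pub, zone.name, "DNSKEY", dnskey, zone.rrsigs[(zone.name, "DNSKEY")]):
            return False
        if depth + 1 < len(chain):
            child = chain[depth + 1]
            ds = zone.rrsets.get((child.name, "DS"))
            # toy simplification: a missing DS is treated as failure; a real resolver would
            # demand an NSEC/NSEC3 proof and then treat the subtree as insecure, not bogus
            if ds is None or not verify(pub, child.name, "DS", ds, zone.rrsigs[(child.name, "DS")]):
                return False
            expected_ds = ds[0]
        else:
            # 3. the answer itself must carry a valid RRSIG from the leaf zone's key
            return verify(pub, owner, rtype, values, rrsig)
    return False


# Constructed hierarchy root -> com. -> example.com.; primes are fixed toy values.
ROOT = Zone(".", 2147483647, 998244353)
COM = Zone("com.", 1000000007, 1000000009)
EXAMPLE = Zone("example.com.", 999999937, 15485863)
ROOT.delegate(COM)
COM.delegate(EXAMPLE)
EXAMPLE.add("www.example.com.", "A", ["203.0.113.10"])  # constructed documentation address
CHAIN = [ROOT, COM, EXAMPLE]
TRUST_ANCHOR = ds_digest(ROOT.rrsets[(".", "DNSKEY")][0])


def resolve_www(answer_values):
    """Decision for an answer to 'www.example.com. A' carrying the genuine RRSIG;
    a poisoned cache would hand back different values with that same signature."""
    rrsig = EXAMPLE.rrsigs[("www.example.com.", "A")]
    return validate(CHAIN, TRUST_ANCHOR, "www.example.com.", "A", answer_values, rrsig)


def parent_without_ds():
    """A TLD that signs its own zone but publishes no DS for the child: example.com.
    still signs everything, yet the chain from the trust anchor never reaches it."""
    root = Zone(".", 2147483647, 998244353)
    com_no_ds = Zone("com.", 1000000007, 1000000009)
    root.delegate(com_no_ds)
    anchor = ds_digest(root.rrsets[(".", "DNSKEY")][0])
    rrsig = EXAMPLE.rrsigs[("www.example.com.", "A")]
    return validate([root, com_no_ds, EXAMPLE], anchor, "www.example.com.", "A", ["203.0.113.10"], rrsig)


if __name__ == "__main__":
    print("genuine answer validates:", resolve_www(["203.0.113.10"]))
    print("tampered answer validates:", resolve_www(["198.51.100.66"]))
    print("chain with no DS at the TLD validates:", parent_without_ds())
```

The genuine answer validates, the tampered answer fails at the final RRSIG check, and the chain with no DS at the TLD fails before the leaf zone is even consulted, which is exactly why every zone above yours has to take part. Note that the resolver only needs one piece of configuration, the root trust anchor; everything else (keys, DS records, signatures) travels inside DNS itself.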

The bad news is that DNSSEC is not yet widely deployed or supported. Web browsers don't support it natively yet, but there are add-ons to do the job. For instance, for Firefox there is the DNSSEC/TLSA Validator add-on, which displays an icon in the address bar if the website you are visiting has DNSSEC enabled and it validates properly. People at Mozilla are working on supporting DNSSEC natively in Firefox.

You can check online that your DNSSEC is properly configured: http://dnssec-debugger.verisignlabs.com

It would be nice if, in the future, web browsers checked DNSSEC and flagged insecure connections as they currently do for invalid TLS certificates.

Note:

DNS is insecure; DNSSEC makes it somewhat more secure, but it's no silver bullet. DNS should be replaced… but that's definitely not going to happen anytime soon.
