DNSSEC

Stands for "Domain Name System Security Extensions." It is an extension of the standard domain name system (DNS), which translates domain names to IP addresses. DNSSEC improves security by validating the authenticity of the DNS data.

The original domain name system was developed in the 1980s with minimal security. For example, when a host requests an IP address from a name server using a standard DNS query, it assumes the name server is valid. However, a name server can pretend to be another server by spoofing (or faking) its IP address. A fake name server could potentially redirect domain names to the wrong websites.

DNSSEC provides extra security by requiring authentication with a digital signature. Each query and response is "signed" using a public/private key pair. The private key is generated by the host and the public key is generated by a DNS zone, or group of trusted servers. These servers create a chain of trust, in which they validate each other's public keys. Each DNSSEC-enabled name server stores its public key in a hashed "DNSKEY" DNS record.

Enabling DNSSEC

While DNSSEC is not required for web servers or mail servers, many web hosts recommend it. To configure DNSSEC, you must use a nameserver that supports it, like PowerDNS or Knot DNS. Then you must enable DNSSEC on your server and configure it within the control panel interface.

If you are using a public nameserver, activating DNSSEC up may be as simple as clicking "Enable DNSSEC." If you are using a custom name server, you may need to manually create one or more delegation signer (DS) records. After you have enabled DNSSEC, it may take several hours to activate since the server must validate the DS records with other servers within the DNS zone.

Updated June 27, 2020 by Per C.

quizTest Your Knowledge

Which of the following is a standard model for transferring data over the web?

A
RDF
0%
B
EUP
0%
C
SRE
0%
D
WPA
0%
Correct! Incorrect!     View the RDF definition.
More Quizzes →

The Tech Terms Computer Dictionary

The definition of DNSSEC on this page is an original definition written by the TechTerms.com team. If you would like to reference this page or cite this definition, please use the green citation links above.

The goal of TechTerms.com is to explain computer terminology in a way that is easy to understand. We strive for simplicity and accuracy with every definition we publish. If you have feedback about this definition or would like to suggest a new technical term, please contact us.

Sign up for the free TechTerms Newsletter

How often would you like to receive an email?

You can unsubscribe or change your frequency setting at any time using the links available in each email.

Questions? Please contact us.