Registrars
DNSSEC
What is DNSSEC?
Vulnerabilities in the Domain Name System (DNS) suggest that an attacker may be able to hijack the process of looking up a website using a domain name (the “directory lookup”). The purpose of this type of attack is to take control of the session with an aim of sending the user to the hijacker’s own deceptive website for purposes of collecting account and password information (phishing).
The Domain Name Security (DNSSEC) extension is a technology based on an open standard specification that provides both the end user and the provider of Internet domain name related services with the assurance that a domain name address is indeed correct and can be trusted.
What are the benefits of DNSSEC?
Full deployment of DNSSEC throughout the domain name system will ensure that the end user is connecting to the actual website or other service corresponding to a particular domain name. Although this will not solve all the security problems of the Internet, it does protect a critical piece of it – the directory lookup – complementing other technologies such as SSL (https:) that protects the “conversation”.
How does it work?
DNSSEC uses a “chain of trust” initiated from the top of the Internet domain name system (the “ROOT”) down to the actual domain name being used. This mechanism is used to verify that the requested domain name records are indeed correct and can be trusted.
DNSSEC extends the existing domain records to include a Digital Signature (DS). The DS is applied to a domain by its owner, which identifies a domain’s authenticity so that users may trust it. In order to be effective, DNSSEC must be deployed at each step in the domain lookup from root zone to final domain name.
What is ZA’s current position on DNSSEC?
ZADNA along with ZARC have adopted a prudent approach of implementing DNSSEC in a coordinated and uniform manner across the .ZA namespace, from the top level to second and third levels. A successful DNSSEC implementation not only requires the implementation of the necessary technical infrastructure, but also requires a suitable policy framework and an extensive awareness campaign directed at users and services providers within .ZA.
ZARC has published a Plan as well as a Policy and Practice Statement Framework to support DNSSEC in the .ZA namespace. The files are available for download below: