Authenticating the internet from end-to-end.


The Internet Engineering Task Force (IETF) has been working for more than 15 years to develop a workable standard for the domain name system security extensions (DNSSEC). DNSSEC protects the internet community from forged DNS data by using public key cryptography to digitally sign authoritative zone data when it comes into the system and then validate it at its destination.

Digital signing helps assure users that the data originated from the stated source and that it was not modified in transit. DNSSEC can also establish that a domain name does not exist. These capabilities are essential to maintaining trust in the internet.

In DNSSEC, each zone has a public/private key pair. The zone's public key is published using DNS, while the zone's private key is kept safe and ideally stored offline. A zone's private key signs individual DNS data in that zone, creating digital signatures that are also published with DNS.

DNSSEC uses a rigid trust model and this chain of trust flows from parent zone to child zone. Higher-level (parent) zones sign, or vouch for, the public keys of lower-level (child) zones. The authoritative name servers for these various zones may be managed by registrars, internet service providers (ISPs), web hosting companies, or registrants themselves.

When an end user wants to access a website, a stub resolver on the user's computer requests the website's IP address from a recursive name server. After the server requests this record, it also requests the DNSSEC key associated with the zone. This key allows the server to verify that the IP address record it receives is identical to the record on the authoritative name server.

If the recursive name server determines that the address record has been sent by the authoritative name server and has not been altered in transit, it resolves the domain name and the user can access the site. This process is called validation. If the address record has been modified or is not from the stated source, the recursive name server does not allow the user to reach the fraudulent address. DNSSEC can also prove that a domain name does not exist. As a result of this process, DNS queries and responses are protected from man-in-the-middle (MITM) attacks and the kind of forgeries that could possibly redirect internet users to phishing and pharming sites.