The Neustar domain name registry is invested in the constant evolution of a secure, robust Internet experience. As new opportunities present themselves, Neustar responds in a methodical, but timely, manner with industry participation, as well as new product and service offerings.
DNSSEC (Domain Name System Security Extensions) is a set of extensions to the Domain Name System (DNS). It provides an authenticated DNS query response that is validated through what is called a “chain of trust.” By adding a digital signature to DNS data, DNSSEC addresses a specific DNS vulnerability that exposes Internet users to cache poisoning attacks.
What is the vulnerability in the DNS?
A caching name server, usually operated by an ISP (Internet Service Provider), sits between an end user’s computer and the authoritative server and stores responses so that later queries for the same name can be answered without repeating the lookup. The DNS was designed to let this caching server accept the first response it receives. Without the verification that DNSSEC authentication provides, a malicious user can flood the caching name server with a spoofed response, most often intended to dupe the end user into providing personal and/or financial information to what appears to be his or her intended destination.
The result is that the caching name server passes this spoofed response not just to the end user who initiated the query, but to every other user whose request for the same address passes through that ISP’s caching system. Normally, a cached response expires after a reasonably short period of time – 24-48 hours. However, the malicious user is able to set an expiration time on the cached response that keeps it in use for much longer, increasing the likelihood that many more users will interact with the spoofed response.
How does DNSSEC work?
DNSSEC works through a system of keys. At each stage in supplying a DNS query response through the chain that takes it back to the initiator’s machine, the signature made with a zone’s private key must match the corresponding public key that the zone publishes in the DNS, and that public key must in turn be vouched for by the zone above it. In this way, the response to the query is authenticated and the response validated.
For more information on how keys work, please see: http://www-x.antd.nist.gov/dnssec/800-81.html#_Toc131575846
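To make the chain of trust concrete, here is an added illustration (not Neustar’s code or any real DNSSEC implementation) of how a validating resolver walks from a configured trust anchor down through signed delegations and rejects a spoofed or tampered answer. The zone names, addresses and keys are constructed, and the signature scheme is a toy textbook RSA with tiny primes, assumed here purely to keep the example self-contained.

```python
import hashlib
# Toy textbook RSA with hand-picked small primes: constructed only to show the
# mechanics of a signed delegation chain, nothing like real DNSSEC key sizes.
def keygen(p, q, e=17):
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)
def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])
def ds(pub):
    """DS record: hash of the child zone's public key, published and signed by the parent."""
    return hashlib.sha256(repr(pub).encode()).digest()

def make_zone(priv, pub, child_pub=None, records=()):
    """A signed zone: its own key, a signed DS for its child (if any), and signed records."""
    zone = {"key": pub, "sig": {}}
    if child_pub is not None:
        zone["ds"] = ds(child_pub)
        zone["sig"]["ds"] = sign(priv, zone["ds"])
    for name, rdata in records:
        zone[name] = f"{name} {rdata}".encode()
        zone["sig"][name] = sign(priv, zone[name])
    return zone

def validate(trust_anchor, chain, name):
    """Walk from the trust anchor: each zone's key must match its parent's signed DS, then check the leaf record."""
    expected = trust_anchor
    for parent, child in zip(chain, chain[1:]):
        if (parent["key"] != expected or parent["ds"] != ds(child["key"])
                or not verify(parent["key"], parent["ds"], parent["sig"]["ds"])):
            return False  # delegation broken: this child's key was never vouched for
        expected = child["key"]
    leaf = chain[-1]
    return (leaf["key"] == expected and name in leaf
            and verify(leaf["key"], leaf[name], leaf["sig"][name]))

def demo():
    root_pub, root_priv = keygen(1009, 1013)  # trust anchor the resolver is configured with
    tld_pub, tld_priv = keygen(1031, 1033)
    zone_pub, zone_priv = keygen(1039, 1049)
    evil_pub, evil_priv = keygen(1051, 1061)  # attacker key, never delegated to by any parent
    zone = make_zone(zone_priv, zone_pub, records=[("www.example", "A 192.0.2.10")])
    tld = make_zone(tld_priv, tld_pub, child_pub=zone_pub)
    root = make_zone(root_priv, root_pub, child_pub=tld_pub)
    spoof = make_zone(evil_priv, evil_pub, records=[("www.example", "A 198.51.100.7")])
    tampered = {**zone, "www.example": b"www.example A 198.51.100.7"}  # rdata altered in flight
    return tuple(validate(root_pub, [root, tld, z], "www.example") for z in (zone, spoof, tampered))
```

`demo()` returns `(True, False, False)`: the genuine answer validates, while the spoofed answer fails at the delegation step and the tampered answer fails at the record signature, so a validating cache would discard both rather than serve them to every client behind it.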
How do registrants DNSSEC-enable their domain names?