How to Set Up DNSSEC on VergeCloud for Improved Website Security

Setting Up DNSSEC on VergeCloud: Enhance Your Website’s Security

DNSSEC Configuration

The Domain Name System (DNS) translates human-friendly domain names into IP addresses, allowing users to access websites. However, DNS was not originally designed with inherent security features, meaning it lacks mechanisms to ensure the authenticity of DNS responses. Without these security measures, users may be redirected to malicious websites rather than the intended destination.

DNSSEC (Domain Name System Security Extensions) was introduced to address this security gap. It verifies the authenticity of DNS data using Public Key Infrastructure (PKI). Note that DNSSEC focuses on authentication and integrity—it does not encrypt DNS queries or responses.

VergeCloud, as an authoritative DNS service, provides DNSSEC support to help safeguard your domain against DNS spoofing attacks, enhancing the security of your website and protecting your users.

How Does DNSSEC Work?

Traditional DNS lacks protection mechanisms to verify the legitimacy of the data it processes. DNSSEC helps address this by using digital signatures to authenticate DNS responses, ensuring users receive genuine data and are not misled by unauthorized servers.

Below is an overview of how DNSSEC works after activation:

DNSSEC Process Diagram
  1. The user enters www.example.com in their browser. The browser first checks its cache for a corresponding IP address. If unavailable, it sends a request to the configured DNS server, also called the Recursive Resolver.
  2. The Recursive Resolver, typically provided by the user's ISP, searches its cache for the desired IP address. If it cannot find it, it queries a root DNS server.
  3. The root server responds by providing the IP address of the relevant Top-Level Domain (TLD) server, along with a Delegation Signer (DS) record for validation.
  4. The recursive resolver then queries the TLD server for the IP address of the domain.
  5. The TLD server returns the IP addresses of VergeCloud's authoritative DNS servers and a DS record to aid in DNSSEC validation.
  6. Next, the recursive resolver sends a request to VergeCloud's DNS server for the domain-specific records.
  7. VergeCloud’s DNS server responds with the requested records, including RRSIG and DNSKEY records, allowing the recursive resolver to verify authenticity.
  8. Once validated, the recursive resolver sends the IP address for www.example.com back to the browser, which then connects to the website at an address it knows is authentic (the connection itself is still protected by TLS, not by DNSSEC).

Activating DNSSEC for VergeCloud Users

Before enabling DNSSEC, ensure that your domain registrar and TLD provider support this feature. To activate DNSSEC in VergeCloud:

  1. Navigate to the DNS Records section within the CDN settings of your VergeCloud dashboard, and enable the DNSSEC option.
  2. After activation, a window will open displaying the DS record in text format, containing the following components:
    • Key Tag: A short numeric identifier derived from the DNSKEY record, telling the resolver which key the DS record refers to.
    • Algorithm: The signing algorithm of the key (for example, 13 is ECDSA P-256 with SHA-256).
    • Digest Type: The hash function used to produce the digest (2 is SHA-256).
    • Digest: The hash of the DNSKEY record (owner name plus key data). The parent zone publishes it so resolvers can confirm they received the genuine key.
DNSSEC Activation Interface
DS Record Details

Enter the DS record details into your domain registrar’s panel to complete the DNSSEC activation process.
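Because the DS record is the link between your registrar's zone and the key VergeCloud publishes, a mismatch here silently breaks the chain of trust. The following added example (written for this page, not VergeCloud's own code or API) recomputes the DS fields from a DNSKEY record the way RFC 4034 defines them, so you can compare the result with what the dashboard shows. The DNSKEY used here is constructed: the flags, protocol and algorithm are realistic, but the 64 bytes of key material are a made-up pattern, so its digest will not match any live zone.

```python
import base64
import hashlib

# Constructed sample: a KSK-flagged (257) DNSKEY for example.com, protocol 3,
# algorithm 13 (ECDSA P-256/SHA-256). The key bytes are a made-up repeating
# pattern, not a real key; only the record format matters for this check.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes([0xAB, 0xCD]) * 32).decode()

# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels if l) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_presentation: str, digest_type: int = 2) -> dict:
    """Compute the DS fields for a DNSKEY given in presentation form ("257 3 13 <base64>").
    digest = H(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    flags, protocol, algorithm, *key_parts = dnskey_presentation.split()
    pubkey = base64.b64decode("".join(key_parts))
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm), pubkey)
    digest = DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": int(algorithm),
            "digest_type": digest_type, "digest": digest}


def ds_matches(ds_presentation: str, owner: str, dnskey_presentation: str) -> bool:
    """Check a DS record ("<key tag> <algorithm> <digest type> <hex digest>") against a
    DNSKEY. Key tag, algorithm and digest must all agree; hex comparison is case-insensitive."""
    tag, alg, dtype, *hex_parts = ds_presentation.split()
    expected = ds_from_dnskey(owner, dnskey_presentation, int(dtype))
    return (int(tag) == expected["key_tag"] and int(alg) == expected["algorithm"]
            and "".join(hex_parts).upper() == expected["digest"])


if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

In practice you would take the DNSKEY line from "dig DNSKEY example.com +short" (the record whose flags field is 257), feed it to ds_from_dnskey, and check that the key tag, algorithm, digest type and digest equal the values you entered at the registrar; ds_matches does that comparison in one call. A digest that differs by even one character means resolvers that validate will reject the zone.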

Enabling DNSSEC via API

You can also activate DNSSEC using VergeCloud’s API. Below is an example request to enable DNSSEC:

  curl --location --request PUT 'https://api.vergecloud.com/domains/example.com/dns-records/dnssec/actions' \
    --header 'Authorization: Bearer API_KEY' \
    --header 'Content-Type: application/json' \
    --data '{"enable":true}'

To disable DNSSEC, change the enable value to false in the API request.

Key Considerations for DNSSEC

  • Verify that your domain registrar and TLD provider support DNSSEC before attempting activation.
  • Accurately enter the DS record information in your registrar’s panel to establish a proper chain of trust.
  • It may take up to 48 hours for DNSSEC settings to propagate globally, so plan accordingly.

Testing DNSSEC Activation

Once DNSSEC is enabled, verify its configuration by running the dig command with the +dnssec flag to view DNSSEC-specific records. Look for RRSIG records in the answer and for the ad (authenticated data) flag in the header, which a validating resolver sets only after it has checked the signatures:

  dig +dnssec example.com

Sample Test Output

  ; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec example.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

  ;; QUESTION SECTION:
  ;example.com.            IN      A

  ;; ANSWER SECTION:
  example.com.    3600    IN      A       203.0.113.20
  example.com.    3600    IN      RRSIG   A 13 2 3600 20241001000000 20240901000000 12345 example.com. abcdef123456

  ;; Query time: 33 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Thu Sep 26 15:50:12 UTC 2024
  ;; MSG SIZE rcvd: 150
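Reading the output by eye works for a single check, but the same three things need confirming every time: the status is NOERROR, the ad flag is present, and each RRSIG is inside its validity window (the two 14-digit fields are expiration and inception, in UTC). The added example below is not part of the VergeCloud documentation; it parses dig's text output and reports what is wrong. The embedded sample is the page's sample output above, whose RRSIG data field "abcdef123456" is a placeholder rather than a real signature, so the example checks structure and timing, not the signature itself (that is the resolver's job, which is what the ad flag reports).

```python
import re
from datetime import datetime, timezone

# Sample dig output, copied from the page's own sample above; the RRSIG data
# "abcdef123456" is the page's placeholder, not a real signature.
SAMPLE_DIG = """\
; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.            IN      A

;; ANSWER SECTION:
example.com.    3600    IN      A       203.0.113.20
example.com.    3600    IN      RRSIG   A 13 2 3600 20241001000000 20240901000000 12345 example.com. abcdef123456

;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 26 15:50:12 UTC 2024
;; MSG SIZE rcvd: 150
"""

# RRSIG presentation format (RFC 4034 section 3.2):
# owner ttl IN RRSIG type-covered algorithm labels original-ttl expiration inception key-tag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+"
    r"(?P<key_tag>\d+)\s+(?P<signer>\S+)\s+(?P<sig>\S+)", re.M)


def parse_sigtime(s: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_dig(text: str) -> dict:
    """Pull the response status, header flags and every RRSIG out of dig's text output."""
    status = re.search(r"status:\s*(\w+)", text)
    flags_m = re.search(r"^;; flags:\s*([^;]*);", text, re.M)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    rrsigs = []
    for m in RRSIG_RE.finditer(text):
        rrsigs.append({"covered": m["covered"], "algorithm": int(m["alg"]),
                       "key_tag": int(m["key_tag"]), "signer": m["signer"],
                       "inception": parse_sigtime(m["inception"]),
                       "expiration": parse_sigtime(m["expiration"])})
    return {"status": status.group(1) if status else None, "flags": flags, "rrsigs": rrsigs}


def assess(parsed: dict, now: datetime) -> list:
    """Return a list of problems; an empty list means the answer was validated and is current."""
    problems = []
    if parsed["status"] != "NOERROR":
        problems.append(f"status {parsed['status']}: SERVFAIL from a validating resolver "
                        "usually means a broken chain of trust (for example, a wrong DS at the registrar)")
    if "ad" not in parsed["flags"]:
        problems.append("no 'ad' flag: the resolver did not, or could not, validate the answer")
    if not parsed["rrsigs"]:
        problems.append("no RRSIG records in the answer: the zone may not be signed yet")
    for sig in parsed["rrsigs"]:
        if not (sig["inception"] <= now <= sig["expiration"]):
            problems.append(f"RRSIG over {sig['covered']} (key tag {sig['key_tag']}) is outside its validity "
                            f"window {sig['inception']:%Y-%m-%d}..{sig['expiration']:%Y-%m-%d}")
    return problems


if __name__ == "__main__":
    report = assess(parse_dig(SAMPLE_DIG), datetime.now(timezone.utc))
    print("\n".join(report) if report else "DNSSEC answer looks good")
```

Run it against live output by piping "dig +dnssec example.com" into parse_dig; note that the ad flag only appears if the resolver you query (8.8.8.8 in the sample does) performs validation, so its absence from a non-validating resolver is not by itself a sign of a problem with your zone.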