Overview
The Domain Name System (DNS) translates human-friendly domain names into IP addresses, allowing users to access websites. However, DNS was not originally designed with inherent security features, meaning it lacks mechanisms to ensure the authenticity of DNS responses. Without these security measures, users may be redirected to malicious websites rather than the intended destination.
DNSSEC (Domain Name System Security Extensions) was introduced to address this security gap. It verifies the authenticity of DNS data using Public Key Infrastructure (PKI). Note that DNSSEC focuses on authentication and integrity. It does not encrypt DNS queries or responses.
VergeCloud, as an authoritative DNS service, provides DNSSEC support to help safeguard your domain against DNS spoofing attacks, enhancing the security of your website and protecting your users.
How Does DNSSEC Work?
Traditional DNS lacks protection mechanisms to verify the legitimacy of the data it processes. DNSSEC helps address this by using digital signatures to authenticate DNS responses, ensuring users receive genuine data and are not misled by unauthorized servers.
How DNSSEC works after activation
- The user enters www.example.com in their browser. The browser first checks its cache for a corresponding IP address. If unavailable, it sends a request to the configured DNS server, also called the Recursive Resolver.
- The Recursive Resolver, typically provided by the user's ISP, searches its cache for the desired IP address. If it cannot find it, it queries a root DNS server.
- The root server responds with the address of the relevant Top-Level Domain (TLD) server, along with the Delegation Signer (DS) record for that TLD, which the resolver uses to validate the TLD's keys.
- The recursive resolver then queries the TLD server for the IP address of the domain.
- The TLD server returns the IP addresses of VergeCloud's authoritative DNS servers and the DS record for your domain, which links the TLD into your zone's chain of trust.
- Next, the recursive resolver sends a request to VergeCloud's DNS server for the domain-specific records.
- VergeCloud’s DNS server responds with the requested records, including RRSIG and DNSKEY records, allowing the recursive resolver to verify authenticity.
- Once validated, the recursive resolver sends the IP address for www.example.com back to the browser, which then connects to the website securely.
Activating DNSSEC for VergeCloud Users
Before enabling DNSSEC, ensure that your domain registrar and TLD provider support this feature. To activate DNSSEC in VergeCloud:
- Navigate to the DNS Records section within the CDN settings of your VergeCloud dashboard, and enable the DNSSEC option.
- After activation, a window will open displaying the DS record in text format, containing the following components:
  - Key Tag: A unique identifier for the DNSSEC key.
  - Algorithm: The algorithm used to sign DNS data.
  - Digest Type: The hash function used to generate the digest for the DS record.
  - Digest: The hash value of the DNSKEY record, ensuring data integrity.
Enter the DS record details into your domain registrar’s panel to complete the DNSSEC activation process.
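The four DS components above are derived deterministically from the zone's DNSKEY record (Key Tag per RFC 4034 Appendix B; Digest over the owner name followed by the DNSKEY RDATA). The following Python example, added here and not VergeCloud's own code, recomputes the DS from a DNSKEY so you can confirm that what you enter at the registrar matches the key your zone actually publishes; the DNSKEY line is a constructed sample, not a real key.

```python
import base64
import hashlib
import struct

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key Tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA bytes."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(dnskey_rr: str, digest_type: int = 2) -> dict:
    """Derive Key Tag, Algorithm, Digest Type and Digest from a DNSKEY RR in presentation format."""
    fields = dnskey_rr.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be wrapped across whitespace
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_matches(ds_text: str, dnskey_rr: str) -> bool:
    """True if a DS given as 'KeyTag Algorithm DigestType Digest' was derived from this DNSKEY."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    computed = ds_from_dnskey(dnskey_rr, int(dtype))
    expected = (int(tag), int(alg), digest.replace(" ", "").upper())
    return (computed["key_tag"], computed["algorithm"], computed["digest"]) == expected

# Constructed sample KSK (flags 257 = SEP bit, protocol 3, algorithm 13 = ECDSAP256SHA256).
# The 64 public-key bytes are a dummy pattern, not a real key.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = f"example.com. 3600 IN DNSKEY 257 3 13 {SAMPLE_PUBKEY_B64}"

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_DNSKEY)
    print(f"example.com. IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

Feed it the DNSKEY line returned by `dig DNSKEY yourdomain +dnssec` (the record with flags 257) and the DS text from the dashboard; a mismatch at the registrar breaks the chain of trust and validating resolvers will return SERVFAIL for the zone.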
Key Considerations for DNSSEC
- Verify that your domain registrar and TLD provider support DNSSEC before attempting activation.
- Accurately enter the DS record information in your registrar’s panel to establish a proper chain of trust.
- It may take up to 48 hours for DNSSEC settings to propagate globally, so plan accordingly.
Testing DNSSEC Activation
Once DNSSEC is enabled, verify its configuration by running the dig command with the +dnssec flag against a validating resolver (the sample below uses 8.8.8.8). A correctly validated answer carries the ad (authenticated data) flag in the header and RRSIG records alongside the requested data:
dig +dnssec example.com
Sample Test Output
; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 3600 IN A 203.0.113.20
example.com. 3600 IN RRSIG A 13 2 3600 20241001000000 20240901000000 12345 example.com. abcdef123456
;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 26 15:50:12 UTC 2024
;; MSG SIZE rcvd: 150