How to Set Up DNSSEC on VergeCloud for Improved Website Security

DNSSEC Configuration

Overview

The Domain Name System (DNS) translates human-friendly domain names into IP addresses, allowing users to access websites. However, DNS was not originally designed with inherent security features, meaning it lacks mechanisms to ensure the authenticity of DNS responses. Without these security measures, users may be redirected to malicious websites rather than the intended destination.

DNSSEC (Domain Name System Security Extensions) was introduced to address this security gap. It verifies the authenticity of DNS data using Public Key Infrastructure (PKI). Note that DNSSEC focuses on authentication and integrity. It does not encrypt DNS queries or responses.

VergeCloud, as an authoritative DNS service, provides DNSSEC support to help safeguard your domain against DNS spoofing attacks, enhancing the security of your website and protecting your users.

How Does DNSSEC Work?

Traditional DNS lacks protection mechanisms to verify the legitimacy of the data it processes. DNSSEC helps address this by using digital signatures to authenticate DNS responses, ensuring users receive genuine data and are not misled by unauthorized servers.

How does DNSSEC work after activation?

  1. The user enters www.example.com in their browser. The browser first checks its cache for a corresponding IP address. If unavailable, it sends a request to the configured DNS server, also called the Recursive Resolver.
  2. The Recursive Resolver, typically provided by the user's ISP, searches its cache for the desired IP address. If it cannot find it, it queries a root DNS server.
  3. The root server responds by providing the IP address of the relevant Top-Level Domain (TLD) server, along with a Delegation Signer (DS) record for validation.
  4. The recursive resolver then queries the TLD server for the IP address of the domain.
  5. The TLD server returns the IP addresses of VergeCloud's authoritative DNS servers and a DS record to aid in DNSSEC validation.
  6. Next, the recursive resolver sends a request to VergeCloud's DNS server for the domain-specific records.
  7. VergeCloud’s DNS server responds with the requested records, including RRSIG and DNSKEY records, allowing the recursive resolver to verify authenticity.
  8. Once validated, the recursive resolver sends the IP address for www.example.com back to the browser, which then connects to the website securely.

Activating DNSSEC for VergeCloud Users

Before enabling DNSSEC, ensure that your domain registrar and TLD provider support this feature. To activate DNSSEC in VergeCloud:
  1. Navigate to the DNS Records section within the CDN settings of your VergeCloud dashboard, and enable the DNSSEC option.
  2. After activation, a window opens displaying the DS record in text format, containing the following components:
     • Key Tag: A unique identifier for the DNSSEC key.
     • Algorithm: The algorithm used to sign DNS data.
     • Digest Type: The hash function used to generate the digest for the DS record.
     • Digest: The hash value of the DNSKEY record, ensuring data integrity.


Enter the DS record details into your domain registrar’s panel to complete the DNSSEC activation process.
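The DS record you paste into the registrar is what ties steps 3, 5 and 7 of the resolution chain together: the parent zone publishes a digest of your zone's DNSKEY, so a validating resolver can check that the DNSKEY VergeCloud serves is the one you committed to. The following Python script is an added example, not VergeCloud code, and follows the field layouts of RFC 4034: it computes the Key Tag and Digest from a DNSKEY, parses the four-component DS text into its parts, and checks that a DS really commits to a given DNSKEY. The 64-byte public key is constructed filler, not a real key, and the function and module names are the example's own.

```python
import hashlib

# DS digest types and the hashlib names they map to (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGORITHMS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed sample key material (NOT a real key): 64 bytes, the size of an
# uncompressed ECDSA P-256 public key as used by algorithm 13.
SAMPLE_KEY = bytes(range(64))


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, terminated by a zero byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key Tag per RFC 4034 Appendix B: 16-bit checksum over the whole DNSKEY RDATA.
    It identifies a key in DS and RRSIG records but is not guaranteed unique."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """Build the four DS components for a DNSKEY. The digest covers the owner name
    in wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    h = hashlib.new(DIGEST_ALGORITHMS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": h.hexdigest().upper(),
    }


def parse_ds(text):
    """Parse DS presentation text: '<key tag> <algorithm> <digest type> <hex digest>'.
    Registrar panels often show the digest split across several whitespace-separated
    chunks, so everything after the third field is joined back together."""
    tag, alg, dtype, *digest = text.split()
    return {
        "key_tag": int(tag),
        "algorithm": int(alg),
        "digest_type": int(dtype),
        "digest": "".join(digest).upper(),
    }


def ds_matches_dnskey(ds, owner, rdata):
    """True only if the DS published at the parent commits to exactly this DNSKEY
    (same key tag, same algorithm, same digest over the same owner name)."""
    return make_ds(owner, rdata, ds["digest_type"]) == ds


if __name__ == "__main__":
    # Flags 257 = ZONE (256) + SEP (1): the usual values for a key-signing key.
    rdata = dnskey_rdata(257, 3, 13, SAMPLE_KEY)
    ds = make_ds("example.com.", rdata)
    ds_text = "{key_tag} {algorithm} {digest_type} {digest}".format(**ds)
    print("DS record text to enter at the registrar:", ds_text)
    print("Matches the DNSKEY it was made from:", ds_matches_dnskey(parse_ds(ds_text), "example.com", rdata))
    print("Matches a different key:", ds_matches_dnskey(parse_ds(ds_text), "example.com", dnskey_rdata(257, 3, 13, bytes(64))))
```

If a DS pasted at the registrar does not match the DNSKEY served by the authoritative servers, validating resolvers treat the zone as bogus and return SERVFAIL, so checking the four components against the DNSKEY before and after a key change is the cheapest way to avoid an outage.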

Key Considerations for DNSSEC

  • Verify that your domain registrar and TLD provider support DNSSEC before attempting activation.
  • Accurately enter the DS record information in your registrar’s panel to establish a proper chain of trust.
  • It may take up to 48 hours for DNSSEC settings to propagate globally, so plan accordingly.

API Reference

The DNSSEC API helps you check the current DNSSEC status for your domain and update it when needed. It lets you verify whether DNSSEC is enabled and allows you to activate or deactivate it directly through the API.

Testing DNSSEC Activation

Once DNSSEC is enabled, verify its configuration by running the dig command with the +dnssec flag to view DNSSEC-specific records:

  dig +dnssec example.com

Sample Test Output

  ; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec example.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

  ;; QUESTION SECTION:
  ;example.com.                   IN      A

  ;; ANSWER SECTION:
  example.com.            3600    IN      A       203.0.113.20
  example.com.            3600    IN      RRSIG   A 13 2 3600 20241001000000 20240901000000 12345 example.com. abcdef123456

  ;; Query time: 33 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Thu Sep 26 15:50:12 UTC 2024
  ;; MSG SIZE  rcvd: 150
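Two things in that output matter. The RRSIG line shows that signatures are being published, with the signing key's tag (12345), the algorithm (13) and the signature's validity window (inception 20240901000000, expiration 20241001000000). The ad flag in the header is the stronger signal: it is set only when the resolver you queried (8.8.8.8 here) validated the whole chain of trust, and it disappears if the DS at the registrar does not match the DNSKEY. The following Python checker is an added example, not VergeCloud code; it reads a dig transcript and reports both signals, plus whether each RRSIG is still inside its validity window at a given time. The embedded transcript is constructed from the sample above, and the function names are the example's own.

```python
import re
from datetime import datetime, timezone

# Constructed dig transcript, adapted from the sample output above (not captured
# from VergeCloud). Only the flags line and the RRSIG lines are read.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            3600    IN      A       203.0.113.20
example.com.            3600    IN      RRSIG   A 13 2 3600 20241001000000 20240901000000 12345 example.com. abcdef123456

;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 26 15:50:12 UTC 2024
;; MSG SIZE  rcvd: 150
"""

# ";; flags: qr rd ra ad; QUERY: 1, ..." -> the space-separated flag names.
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.M)

# RRSIG RDATA order: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature (RFC 4034 section 3.2).
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covers>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.M,
)


def parse_sig_time(yyyymmddhhmmss):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_dig_output(text, now):
    """Summarise the DNSSEC state visible in a 'dig +dnssec' transcript at time `now`
    (a timezone-aware datetime)."""
    flags_match = FLAGS_RE.search(text)
    flags = set(flags_match.group(1).split()) if flags_match else set()

    signatures = []
    for m in RRSIG_RE.finditer(text):
        incept, expire = parse_sig_time(m["incept"]), parse_sig_time(m["expire"])
        signatures.append({
            "owner": m["owner"],
            "covers": m["covers"],
            "algorithm": int(m["alg"]),
            "key_tag": int(m["keytag"]),
            "signer": m["signer"],
            "in_window": incept <= now <= expire,
            "expires": expire,
        })

    return {
        # Resolver set the Authenticated Data flag: the chain of trust validated.
        "authenticated": "ad" in flags,
        # Signatures are present in the answer (published, but not proof of validation).
        "rrsig_count": len(signatures),
        "all_signatures_valid_now": bool(signatures) and all(s["in_window"] for s in signatures),
        "signatures": signatures,
    }


if __name__ == "__main__":
    report = check_dig_output(SAMPLE_DIG_OUTPUT, parse_sig_time("20240926155012"))
    print("validated by resolver (ad):", report["authenticated"])
    print("RRSIGs in answer:", report["rrsig_count"])
    print("signatures within validity window:", report["all_signatures_valid_now"])
    for sig in report["signatures"]:
        print(f"  {sig['owner']} RRSIG over {sig['covers']} by key {sig['key_tag']} expires {sig['expires']}")
```

Run the checker over a transcript from a validating resolver such as 8.8.8.8; an answer that carries RRSIGs but no ad flag is the classic symptom of a DS mismatch or of a DS that has not yet propagated, and a signature whose window has closed means the zone's re-signing has stalled.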
