What is DNSSEC?
DNS Security Extensions (DNSSEC) is a set of extensions that addresses a core weakness of the
Domain Name System (DNS): a resolver has no way of telling whether an answer really came from the
operator of the zone. DNSSEC adds digital signatures to DNS data so that a resolver can verify its
origin and integrity. Signing must be in place at every level of the lookup, from the root zone down
to the zone that holds the answer, for the resolution to be validated end to end.
DNSSEC establishes a chain of trust that begins at the root zone and runs down through every
delegation. This chain must remain intact at every layer of the DNS: if any layer is missing or
broken, the answers beneath it can no longer be validated and are again exposed to on-path tampering.
DNSSEC strengthens DNS authentication with digital signatures based on public key cryptography.
It does not sign the DNS queries and responses themselves; instead, the zone owner signs the DNS data
held in the zone (its resource record sets), and those signatures are served alongside the data. See
Cloudflare documentation on DNSSEC.
Every signed DNS zone has a public/private key pair. The zone owner uses the zone's private key to
sign the DNS data within the zone, producing a digital signature (an RRSIG record) for each record
set. As the term "private key" implies, this key is kept secret by the zone owner. Conversely, the
zone's public key is published within the zone itself as a DNSKEY record, where anyone can fetch it.
A validating recursive resolver that looks up data in the zone also retrieves the zone's public key
and checks the signature on the data it received. The resolver does not take the published key on
faith: it checks the key against a DS record in the parent zone, which the parent has signed in turn,
and so on up to the root zone, whose key the resolver holds as a configured trust anchor. If the
signature is valid, the DNS data is considered authentic and is returned to the client. If the
signature fails to validate, the resolver treats the data as tampered with, discards it, and returns
an error (SERVFAIL) to the client.
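The validation walk described above, modelled as an added example; this is not code from the LicenseDNS documentation or product. It stands in a deliberately tiny textbook RSA for a real DNSSEC algorithm, represents DNSKEY, DS and RRSIG records as plain Python data, and builds a constructed zone chain . -> net. -> licensedns.net. -> q.licensedns.net. holding a hypothetical TXT record at lic1.q.licensedns.net. The zone names come from this page; the record content, the key sizes and the toy signature scheme are assumptions made for the example. The main block then shows the two failures a resolver is built to catch: an answer altered after signing, and a fake zone served under an attacker's own key, which the DS record in the parent zone exposes.

```python
import hashlib

# Toy Mersenne primes so the example is deterministic and runs offline. They give textbook
# RSA with no padding and tiny moduli: enough to show how the chain of trust is checked,
# useless as real keys. Real zones use RSA-2048, ECDSA P-256 or Ed25519.
_PRIMES = [2**127 - 1, 2**107 - 1, 2**89 - 1, 2**61 - 1, 2**31 - 1,
           2**19 - 1, 2**17 - 1, 2**13 - 1, 2**7 - 1, 2**5 - 1]
E = 65537

def make_keypair(idx):
    """Key pair idx: (n, e) is published as the DNSKEY, (n, d) stays with the zone owner."""
    p, q = _PRIMES[2 * idx], _PRIMES[2 * idx + 1]
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def canonical(owner, rrtype, rdata):
    """Canonical form of an RRset: an RRSIG covers the whole set, not a single record."""
    return f"{owner.lower()}|{rrtype}|{'|'.join(sorted(rdata))}".encode()

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign_rrset(priv, owner, rrtype, rdata):
    n, d = priv
    return pow(digest_int(canonical(owner, rrtype, rdata)) % n, d, n)

def verify_rrset(pub, owner, rrtype, rdata, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(canonical(owner, rrtype, rdata)) % n

def dnskey_rdata(pub):
    return f"{pub[0]}:{pub[1]}"

def ds_digest(owner, pub):
    """DS record: a hash of the child's DNSKEY, published and signed by the parent zone."""
    return hashlib.sha256((owner.lower() + dnskey_rdata(pub)).encode()).hexdigest()

class Zone:
    def __init__(self, name, key_idx):
        self.name, self.rrsets = name, {}            # (owner, type) -> (rdata, RRSIG)
        self.pub, self.priv = make_keypair(key_idx)
        self.add(name, "DNSKEY", [dnskey_rdata(self.pub)])   # the DNSKEY RRset is self-signed

    def add(self, owner, rrtype, rdata):
        self.rrsets[(owner, rrtype)] = (rdata, sign_rrset(self.priv, owner, rrtype, rdata))

def build_zones():
    """Constructed sample chain: . -> net. -> licensedns.net. -> q.licensedns.net."""
    zones = [Zone(".", 0), Zone("net.", 1), Zone("licensedns.net.", 2), Zone("q.licensedns.net.", 3)]
    for parent, child in zip(zones, zones[1:]):    # each parent publishes a DS for its child
        parent.add(child.name, "DS", [ds_digest(child.name, child.pub)])
    zones[3].add("lic1.q.licensedns.net.", "TXT", ["status=valid"])  # hypothetical record
    return {z.name: z for z in zones}

def validate(zones, trust_anchor, qname, rrtype):
    """Walk root -> leaf the way a validating resolver does. Returns (status, detail)."""
    chain = sorted((z for z in zones if z == "." or qname.endswith("." + z)), key=len)
    expected_ds = zone_key = None
    for i, name in enumerate(chain):
        rrsets = zones[name].rrsets
        rdata, sig = rrsets[(name, "DNSKEY")]
        pub = tuple(int(x) for x in rdata[0].split(":"))   # the key as served, i.e. untrusted
        if name == ".":                                    # root key: the configured trust anchor
            if pub != trust_anchor:
                return "bogus", "root DNSKEY does not match the trust anchor"
        elif ds_digest(name, pub) != expected_ds:          # child key must match the parent's DS
            return "bogus", f"DNSKEY of {name} does not match the DS in its parent"
        if not verify_rrset(pub, name, "DNSKEY", rdata, sig):
            return "bogus", f"RRSIG over the DNSKEY RRset of {name} is invalid"
        zone_key = pub
        if i + 1 < len(chain):
            child = chain[i + 1]
            ds = rrsets.get((child, "DS"))
            if ds is None:   # unsigned delegation: everything below is merely "insecure"
                return "insecure", f"no DS for {child} in {name}; the chain of trust ends here"
            if not verify_rrset(pub, child, "DS", ds[0], ds[1]):
                return "bogus", f"RRSIG over the DS for {child} is invalid"
            expected_ds = ds[0][0]
    answer = zones[chain[-1]].rrsets.get((qname, rrtype))
    if answer is None:   # denial of existence (NSEC/NSEC3) is not modelled here
        return "indeterminate", "no RRset for the name"
    if not verify_rrset(zone_key, qname, rrtype, answer[0], answer[1]):
        return "bogus", "answer RRSIG is invalid: the data was altered after signing"
    return "secure", answer[0]

if __name__ == "__main__":
    zones, name = build_zones(), "lic1.q.licensedns.net."
    anchor = zones["."].pub
    print(validate(zones, anchor, name, "TXT"))
    # On-path tampering: the answer is changed, the old RRSIG is left in place.
    rdata, sig = zones["q.licensedns.net."].rrsets[(name, "TXT")]
    zones["q.licensedns.net."].rrsets[(name, "TXT")] = (["status=cracked"], sig)
    print(validate(zones, anchor, name, "TXT"))
    # An attacker serves a whole fake zone under their own key: the DS in licensedns.net. exposes it.
    fake = Zone("q.licensedns.net.", 4)
    fake.add(name, "TXT", ["status=cracked"])
    zones["q.licensedns.net."] = fake
    print(validate(zones, anchor, name, "TXT"))
```

Two design points carry over to real validators. The DNSKEY is taken from the zone's own answer and is only trusted once it hashes to the DS the parent signed, so substituting a key is caught one level up rather than at the leaf; and a delegation without a DS ends the chain with an "insecure" result rather than a "bogus" one, which is why a single unsigned zone on the path silently removes protection for everything beneath it.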
LicenseDNS uses the domain q.licensedns.net for licensing actions, and the zone is DNSSEC-signed
with an unbroken chain of trust from the root zone down. Consequently, answers for names under
q.licensedns.net can be cryptographically validated. Validation is performed by the resolver, so this
protection applies only when the client queries through a DNSSEC-validating resolver or validates the
answers itself; a dig +dnssec query through such a resolver returns the RRSIG records together with
the ad (authenticated data) flag. You can check the status of the chain on
DNSViz
and
DNSDebugger.