DNSSEC

Last change on 2021-03-15 • Created on 2020-03-25 • ID: DN-5A3F0

Introduction

The Domain Name System Security Extensions (DNSSEC) are a set of extensions to the DNS (Domain Name System) whose goal is to increase security on the Internet by adding origin authentication and integrity protection to DNS data. This addresses problems such as cache poisoning, DNS spoofing, and DNS hijacking; DNSSEC does not encrypt DNS traffic.

Terms

  • Key Signing Key (KSK) – Signs the zone's DNSKEY record set, which contains the zone signing key (ZSK). The KSK is the key that the parent zone refers to.
  • Zone Signing Key (ZSK) – Generates the signatures (Resource Record Signatures, RRSIG) for the records in the zone.

The public part of both keys is stored as a DNSKEY record in the zone itself.

  • DNSKEY – The record type that publishes the public part of the KSK and the ZSK. Several ZSKs and KSKs can be present at the same time; this is required during a key rollover, when the old and the new key overlap.
  • RRSIG – The signature for a record set (all records of the same name and type are signed together).
  • DS – Delegation Signer record – contains a digest of a KSK's DNSKEY record. It is published in the parent zone and links the parent's chain of trust to the child zone's KSK.
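The following Python is an added example, not Hetzner's code and not a DNSSEC signer: it builds the link between a DNSKEY and its DS record exactly as RFC 4034 defines it (key tag over the DNSKEY RDATA, digest over the canonical owner name plus the RDATA) and checks whether a published DS refers to a given key. The DNSKEY line and the key bytes are constructed placeholders; `example.com.` is the RFC example domain.

```python
import base64
import hashlib
import struct

# DNSKEY flag bits (RFC 4034): ZONE key and Secure Entry Point. A KSK carries
# both (257), a ZSK only the ZONE bit (256).
FLAG_ZONE = 0x0100
FLAG_SEP = 0x0001

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (RFC 4034, RFC 4509, RFC 6605).
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    owner = owner.rstrip(".").lower()
    wire = b""
    if owner:
        for label in owner.split("."):
            encoded = label.encode("ascii")
            wire += bytes([len(encoded)]) + encoded
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY (RFC 4034 Appendix B): the short identifier quoted in DS and RRSIG records."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str):
    """Parse presentation format 'owner TTL IN DNSKEY flags protocol algorithm base64key'."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, protocol, algorithm, pubkey


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS for a DNSKEY: (key tag, algorithm, digest type, hex digest of owner name + RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(owner, flags, protocol, algorithm, pubkey, ds) -> bool:
    """Check that a published DS tuple refers to this DNSKEY (unknown digest types never match)."""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGEST:
        return False
    return make_ds(owner, flags, protocol, algorithm, pubkey, dtype) == (tag, alg, dtype, digest.upper())


def is_ksk(flags: int) -> bool:
    """A DS should point at a key with ZONE and SEP set (257); a ZSK is ZONE only (256)."""
    return (flags & (FLAG_ZONE | FLAG_SEP)) == (FLAG_ZONE | FLAG_SEP)


# Constructed record: algorithm 13 is ECDSAP256SHA256, but the key bytes are
# placeholders (AQIDBA== decodes to 01 02 03 04), not a real public key.
EXAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="

if __name__ == "__main__":
    owner, flags, proto, alg, key = parse_dnskey_line(EXAMPLE_DNSKEY)
    ds = make_ds(owner, flags, proto, alg, key)
    print(f"{owner} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    print("KSK:", is_ksk(flags), "DS matches:", ds_matches(owner, flags, proto, alg, key, ds))
```

Two things the code makes visible that the definitions above only state: the DS digest covers the owner name, so a DS generated for the wrong name (or handed to the wrong registrar object) can never validate, and the key tag alone is not an identifier (it is a checksum of the RDATA, so two different keys can share one). Before publishing a DS at the parent, check that it points at a key with flags 257 and that the digest matches; for real key material, BIND's `dnssec-dsfromkey` produces the same DS line.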

DNSSEC and Hetzner Online

We consider DNSSEC to be a useful feature to improve the level of security in technology that uses DNS.

However, the implementation of DNSSEC requires extensive adaptations and adjustments to several of our systems. DNSSEC needs to be integrated into our administration interface, into the interfaces to all of the relevant domain registries, and also into our name servers.

For this reason, we cannot support DNSSEC at this point in time. As soon as there is news regarding DNSSEC at Hetzner Online, we will make an announcement via our customer newsletter.

Written on 1 October 2014. Translated into English 12 April 2017.

DANE (DNS-based Authentication of Named Entities, which uses the TLSA record type) and a few other record types build upon DNSSEC and provide additional features for clients and certificate authorities for domain and certificate validation.

Those record types are therefore not part of DNSSEC itself, but they only gain value when used in a DNSSEC-signed zone. Without DNSSEC, the receiver of a DNS record has no way of verifying that it is authentic. DANE and other DNSSEC-dependent record types therefore do not improve security in a meaningful way if the DNS record that carries them cannot first be verified.

For this reason it does not make sense for us to support DANE until we have fully implemented DNSSEC itself in our infrastructure.

Update 12 April 2017

At this point in time, we have made some progress in laying the foundations for implementing DNSSEC. However, before we are able to offer our customers DNSSEC, we must still make some additional large adjustments. For this reason, we will not be supporting DNSSEC in the near future.

Update 7 November 2017

CAA Resource Records are available for Robot (primary and slave) and konsoleK administered zones.

Update 17 October 2018

When we wrote this article, we were in the early planning stages of investigating if we could implement DNSSEC in an effective manner. Upon further investigation, we have determined that it would be difficult for us to implement DNSSEC. And the demand has not increased. For that reason, we are not currently planning to implement DNSSEC. However, should demand increase, we are open to reconsidering this decision in the future.
