Understanding DNSSEC first requires basic knowledge of how the DNS system works.
The DNS is used to translate domain names (like example.com) into numeric Internet addresses (like 18.104.22.168).
Although this address system is very efficient for computers to read and process the data, it is extremely difficult for people to remember. Let’s say that every time when you need to check a website, you should remember the IP address of the machine where it is located. People often call the DNS system the “phone book of the Internet”.
To solve this problem, a numeric IP address was attached to every domain name. The website addresses we know are actually domain names.
Domain name information is stored and accessed on special servers, known as domain name servers, that convert domain names into IP addresses and vice versa.
The top level of the DNS resides in the root zone where all IP addresses and domain names are kept in databases and sorted by top-level domain name, such as .com, .net, .org, etc.
When the DNS was first implemented, it was not secured, and soon after being put into use, several vulnerabilities were discovered. As a result, a security system was developed in the form of extensions that could be added to the existing DNS protocols.
Domain name system security extensions (DNSSEC) are a set of protocols that add a layer of security to the domain name system (DNS) lookup and exchange processes, which have become integral in accessing websites through the Internet.
How it works?
In general, DNSSEC is aimed at strengthening trust in the Internet by helping to protect users from redirection to fraudulent websites and unintended addresses. In such a way, malicious activities like cache poisoning, pharming, and man-in-the-middle attacks can be prevented.
The original purpose of DNSSEC was to protect Internet clients from counterfeit DNS data by verifying digital signatures embedded in the data.
When a visitor enters the domain name in a browser, the resolver verifies the digital signature.
If the digital signatures in the data match those that are stored in the master DNS servers, then the data is allowed to access the client computer making the request.
The DNSSEC digital signature ensures that you're communicating with the site or Internet location you intended to visit.
DNSSEC uses a system of public keys and digital signatures to verify data. It simply adds new records to DNS alongside existing records. These new record types, such as RRSIG and DNSKEY, can be retrieved in the same way as common records such as A, CNAME and MX.
These new records are used to digitally “sign” a domain, using a method known as public key cryptography.
A signed nameserver has a public and private key for each zone. When someone makes a request, it sends information signed with its private key; the recipient then unlocks it with the public key. If a third party tries to send untrustworthy information, it won’t unlock properly with the public key, so the recipient will know the information is bogus.
Note that DNSSEC does not provide data confidentiality because it does not include encryption algorithms. It only carries the keys required to authenticate DNS data as genuine or genuinely not available.
Also, DNSSEC does not protect against DDoS Attacks.