Making the internet secure sounds good, but how is it actually done? When we type the name of a website into a browser, that name is translated into an IP address. The system behind this process is called the Domain Name System (DNS).
DNS acts like a hierarchical, distributed database that contains information about domain names. There are various types of information stored in a DNS database. Here is a list of all DNS record types.
Looking up an IP address is done in stages. In the case of www.domain.com, there are three. First, the root zone is asked where to find information on “.com”. Then, the name server it points to is asked where to find information on “domain.com”. Finally, the domain.com name server is asked for the IP address of “www.domain.com”. The whole look-up completes very quickly.
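The three-stage walk described above, as an added example that is not code from the original post: an iterative resolver run over a constructed, in-memory model of the delegation tree (root, .com, domain.com). Server names, addresses and zone contents are constructed sample data.

```python
"""Iterative DNS resolution over a constructed, in-memory delegation tree.

Added example, not code from the original post. Server names, IP
addresses and zone contents are constructed sample data (RFC 5737 ranges).
"""

# What each authoritative server answers. An NS record delegates a name to
# a child zone's server; the accompanying A record for that server is the
# "glue" that tells the resolver where to send the next question.
ROOT_SERVER = "198.51.100.1"
SERVERS = {
    "198.51.100.1": {                                  # root zone
        "com.": [("NS", "a.gtld.example.")],
        "a.gtld.example.": [("A", "192.0.2.1")],
    },
    "192.0.2.1": {                                     # .com zone
        "domain.com.": [("NS", "ns1.domain.com.")],
        "ns1.domain.com.": [("A", "192.0.2.53")],
    },
    "192.0.2.53": {                                    # domain.com zone
        "www.domain.com.": [("A", "203.0.113.10")],
    },
}


def _in_zone(qname, owner):
    return qname == owner or qname.endswith("." + owner)


def resolve(qname, rtype="A", max_referrals=8):
    """Follow referrals from the root. Returns (answers, servers_asked)."""
    server, asked = ROOT_SERVER, []
    for _ in range(max_referrals):
        asked.append(server)
        records = SERVERS[server]
        # Authoritative answer: this server holds the requested record itself.
        answers = [v for t, v in records.get(qname, []) if t == rtype]
        if answers:
            return answers, asked
        # Otherwise follow the most specific delegation covering the name.
        delegations = [(o, v) for o, rrs in records.items() for t, v in rrs
                       if t == "NS" and _in_zone(qname, o)]
        if not delegations:
            raise LookupError(f"{server} holds no data or delegation for {qname}")
        _, ns_name = max(delegations, key=lambda d: len(d[0]))
        glue = [v for t, v in records.get(ns_name, []) if t == "A"]
        if not glue:
            raise LookupError(f"no glue address for {ns_name}")
        server = glue[0]
    raise LookupError("referral chain too long")


if __name__ == "__main__":
    ip, trail = resolve("www.domain.com.")
    print(ip, "via", " -> ".join(trail))
```

The trail returned for www.domain.com. lists exactly the three servers asked, one per stage; a name with no delegation (for example www.other.com.) stops at the .com server with a LookupError.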
The beauty of this system is that an end user doesn’t have to know the location or IP address of the computer he or she is trying to connect to. All that is necessary is the domain name, the easily remembered part of the Uniform Resource Locator (URL). The rest is done automatically.
Unfortunately, DNS was first deployed without any security measures. Malicious actors quickly abused this by redirecting end users to sites pretending to be the ones the end users wished to visit.
To remedy this problem, called DNS cache poisoning, a set of security measures called Domain Name System Security Extensions (DNSSEC) was implemented.
DNSSEC uses digital signatures to validate DNS responses. Successful validation proves that the data has not been tampered with and that it was signed by the holder of the zone’s private key.
The signatures for the root zone are updated bi-monthly at the so-called key signing key ceremony. The 20th ceremony starts today at 20:15 UTC. Don’t worry if you miss it: the ceremonies are archived and available to read and watch for free.