DNSSEC: What are your feelings on this?

bb1webs

Thanks for coming in.

DNSSEC: what I know of it in my brief research has been it's there to prevent some sort of hacking/bad stuff happening to your website.

It has to do with nameservers if I am not mistaken.

What I am most concerned about is: are people going to be afraid to come to my site if I don't have this stuff?

I stumbled upon this at GoDaddy. I assume it's something used at all registrars but maybe GoDaddy just made it up.

Anybody know?
 

michael26a

This is what I can gather on the concept of DNSSEC, from en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

-"The original design of DNS did not include security"
-"DNSSEC adds security to your DNS settings (and prevents DNS cache poisoning)"

From Wikipedia: "To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source (for example by using DNSSEC) the server will end up caching the incorrect entries locally and serve them to other users that make the same request."

From Wikipedia: "This technique can be used to direct users of a website to another site of the attacker's choosing."

This actually happened to one of my websites once. I found that my websites kept redirecting to a strange attack site (because my DNS was hacked into).

If your websites are hosted with an extremely reliable server, then you don't have to worry about this. This is the job of your hosting company to implement these security measures :) I use hostgator.com and don't have any problems.
 

Vladi

"This actually happened to one of my websites once. I found that my websites kept redirecting to a strange attack site (because my DNS was hacked into)."

I think you have probably confused what happened to you with a DNS poisoning attack, which is very unlikely. What is more likely is that your domain account was hacked into and they changed your DNS server addresses there. DNSSEC would not prevent that as any changes to your settings made in your legitimate account would still be authorised by upstream DNS servers.

A cache poisoning attack comes from the other direction - an attacker inserts forged values for the DNS for your domain in the higher level DNS servers which then cache those values instead of the ones you have set in your account. You would look at your account and the settings would still be correct but they would simply be ignored.

DNS cache poisoning is a fairly sophisticated attack and one an average webmaster has very little reason to be worried about. Ignore the GoDaddy sales pitch, they are masters at cross selling stuff that people don't need.
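
The distinction drawn in the reply above, written as a triage check. This is an added example and not part of any post in the thread; the function names, hostnames and IP addresses are constructed for illustration, and the observations would in practice come from the registrar panel, the parent zone and a few public resolvers.

```python
# Added example with constructed data; not code from the thread.
def norm(name):
    """Compare hostnames case-insensitively and without the trailing root dot."""
    return name.strip().rstrip(".").lower()

def triage(expected_ns, delegation_ns, authoritative_a, resolver_answers):
    """Classify a 'my site resolves to the wrong place' report.

    expected_ns      -- nameservers the owner intends to use
    delegation_ns    -- NS set the parent zone currently publishes
    authoritative_a  -- A records served by the owner's own nameservers
    resolver_answers -- {resolver label: A records that resolver returned}
    """
    expected = {norm(n) for n in expected_ns}
    delegated = {norm(n) for n in delegation_ns}
    if delegated != expected:
        # Changed at the registrar account: the parent zone publishes it as
        # legitimate, which is the case the thread says DNSSEC does not stop.
        return {"verdict": "delegation_changed",
                "detail": sorted(delegated - expected), "dnssec_relevant": False}
    auth = set(authoritative_a)
    odd = {r: sorted(set(a) - auth) for r, a in resolver_answers.items()
           if set(a) - auth}
    if odd:
        # Account settings are intact but some caches disagree. Candidate for
        # cache poisoning; stale caches after a real change look the same.
        return {"verdict": "resolver_divergence", "detail": odd,
                "dnssec_relevant": True}
    return {"verdict": "consistent", "detail": {}, "dnssec_relevant": None}

# Constructed observations (documentation-range IPs, hypothetical hostnames).
OWNER_NS = ["ns1.host.example", "ns2.host.example"]
HIJACKED = triage(OWNER_NS, ["ns1.other.example.", "ns2.other.example."],
                  ["192.0.2.10"], {"resolver-a": ["203.0.113.66"]})
POISONED = triage(OWNER_NS, ["NS1.host.example.", "ns2.host.example."],
                  ["192.0.2.10"],
                  {"resolver-a": ["192.0.2.10"], "resolver-b": ["203.0.113.66"]})
CLEAN = triage(OWNER_NS, OWNER_NS, ["192.0.2.10"], {"resolver-a": ["192.0.2.10"]})

if __name__ == "__main__":
    for label, result in [("hijacked", HIJACKED), ("poisoned", POISONED),
                          ("clean", CLEAN)]:
        print(label, result)
```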
 