Home / Blogs

DNS… Wait a SEC

DNSSEC (Domain Name System Security Extensions) is a set of specifications designed to prevent hackers from intercepting DNS queries and redirecting end users to spoofed sites through a technique known as Cache Poisoning. Complete DNSSEC implementation requires that domains are authenticated at the root by the Registry, and that DNS zones and records are authenticated as well.

Now before I go any further, let me begin by stating that I fully support the development and deployment of DNSSEC and that the vulnerabilities presented by Cache Poisoning are very real, especially for those websites collecting login credentials or other types of sensitive information.

However, DNSSEC is not the “end all, be all” Internet security solution that many believe it to be.

DNSSEC is addressing just one of the many Internet vulnerabilities that still exist today.

The impacts of Cache Poisoning are generally not as wide-spread and are considerably more difficult to detect relative to breaches that occur at the Registry-level or the Registrar-level which affect the global resolution of websites.

Take the Puerto Rican Registry as an example. In August of 2006, .PR announced that they would be the second ccTLD to deploy DNSSEC. While their deployment of DNSSEC certainly may have been helpful in thwarting potential Cache Poisoning attacks, assuming that zones and records were also signed, it did absolutely nothing to protect the .PR Registry when hackers exploited a SQL vulnerability to update and redirect name servers to politically motivated sites.

Other recent domain and DNS exploits include social engineering attacks to reset passwords, SQL attacks against registrars, and breached e-mail accounts to retrieve login credentials. Unfortunately, DNSSEC would not have prevented any of these attacks either.

So while DNSSEC certainly addresses vulnerabilities related to Cache Poisoning, I urge those with the responsibility for securing their presence online to not only implement DNSSEC for their highly-trafficked and valuable domains, but to also ensure that their domains are hardened against social engineering attacks via two-factor authentication, locked at the registry-level where available and continually monitored to remediate registry breaches when they do occur.

By Elisa Cooper, Head of Marketing, GoDaddy Corporate Domains

Filed Under


I'm sorry but just who claimed DNSSEC is a be all end all of security? Suresh Ramasubramanian  –  Apr 15, 2010 5:51 PM

People who work on operational security rather than product marketing, that is.

If anybody in such a role said so, I would be interested to hear that.


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix