Vulnerabilities in the DNS allow an attacker to take control of the session and send the user to the attacker's own fraudulent website to collect account names and passwords. That is just one example. We have already discussed exploits such as session hijacking and DNS spoofing. DNS Security Extensions (DNSSEC) secure the infrastructure. Here is how to enable DNSSEC with Dyn and a domain registrar for higher security. DNSSEC signs all the DNS resource records (A, MX, CNAME) of a zone using Public Key Infrastructure (PKI). DNSSEC-enabled DNS resolvers can verify the authenticity of a DNS reply containing an IP address using the public DNSKEY record. This does not mean that a determined hacker cannot break it.
How to Enable DNSSEC With Dyn For Higher Security: Who Should Use It
It is expected to be used by all the professional content publishing websites (blogs, forums), e-commerce websites, social networks, free software distribution mirrors, financial organizations etc. along with other security measures for the domain and server including HSTS.
How to Enable DNSSEC With Dyn For Higher Security
What exactly we need to do
---
Generate everything DNSSEC needs entirely from Dyn's graphical web interface, then add it at the domain registrar. Thus everything from the root server, through the DNS server, to the website's server becomes authoritative.
Steps to Enable DNSSEC With Dyn and ClickandName/Tucows
Domain registrars such as ClickandName/Tucows and GoDaddy allow you to add to the root server the DS record that the user generated on the DNS server (read: Dyn). We set up Dyn's DNS service as usual. Once we add the domain to Dyn's system as a new zone, the screen showing the zones we are managing has a “DNSSEC” entry under “Zone Options”. A few clicks generate everything required. There is nothing more to do on Dyn than press the “Add DNSSEC” button.
Our domain is now DNSSEC signed, and you will see a yellow key icon in the “Status” line for your domain.
From time to time, this process on Dyn can take 4-7 days to complete fully (progress can be seen by clicking the “View task timeline” hyperlink). In that case, the keys and record will remain in the “Generating…” status. There is nothing to do except wait.
After the above step is completed, the “DNSSEC” tab will contain a section named “Delegation Signer Records” (DS Records). We need to copy and paste this record to ClickandName/Tucows, VeriSign or GoDaddy, whichever we are using as the domain registrar.
As the last step, the settings can be checked with various web tools, including VeriSign's http://dnssec-debugger.verisignlabs.com.
DNSSEC Logo
After validation by Verisign's tool, visit www.dnssec-logo.org and apply. This is obviously optional.