CZ.NIC


About DNSSEC

DNSSEC is an extension to the DNS (Domain Name System) that adds security to the domain name service. DNSSEC assures users that the data they obtain from the DNS came from the legitimate source, is complete and was not altered in transit. In short, DNSSEC lets DNS data be trusted. Find more about DNSSEC on the How DNSSEC works page.

Why do you need DNSSEC?

Although most internet services offer security features and users are accustomed to using them, there is one security threat that few people are aware of, and for which DNSSEC is the solution.

All internet services (e-mail, web pages, instant messaging, VoIP calling, ...) use the domain name system (DNS). Its main purpose is to let internet service addresses use domain names, which are readable and memorable for people, instead of the numeric addresses that computers understand and work with. In practice, whenever a user types a domain name for any service (a web page, an e-mail address or anything else), the computer must translate it into a numeric address before it can connect to the service the user wants. Find more about the principles of DNS on the “About domains and DNS” page.

If someone is able to spoof that numeric address, the user connects to a different place, has no way of noticing it, and never reaches the expected service at all. It may work as shown in the following scheme.

DNS attack scenario

The user types a web page address into the browser and, under normal conditions, everything works as marked by the green path: the DNS server of the user's internet service provider (ISP) obtains the numeric address from the global DNS system, and that address is used to connect to the service the user wanted. If the numeric address is spoofed, everything works as marked by the red path: the user is connected to a completely different service and cannot even recognize it.

Why might this be a serious problem? Imagine the service is an e-shop where you must fill in your credit card details, or a stock monitoring service you use for your investment decisions, or you simply send an e-mail with important or sensitive information. In any of these cases you do not want to receive information from an untrustworthy (spoofed) source, and you do not want anyone unauthorized to obtain the data you send. All of that may happen as a result of DNS abuse if you are not secured by DNSSEC. Note that DNSSEC authenticates DNS data; it does not encrypt your connection to the service, so it complements rather than replaces transport encryption such as SSL/TLS.

How to protect yourself with DNSSEC?

DNSSEC can protect you in several ways. What matters most is the perspective from which you are going to deploy DNSSEC: whether you are an ordinary internet user, a website or other service provider, or an internet service provider (ISP).

The DNSSEC deployment wizard (in Czech only at the moment) will help you select the right path, explain all required steps and provide a manual for carrying them out.

DNSSEC for domains .cz and 0.2.4.e164.arpa (ENUM)

Both domains administered by CZ.NIC, .cz and ENUM (0.2.4.e164.arpa), allow DNSSEC to be used for securing DNS records. The operational rules that govern how the CZ.NIC association administers the DNSSEC keys are in the DNSSEC Operation Manual (PDF, 44 kB). If you want to secure your domain, you have to generate your DNSSEC keys, digitally sign your DNS records and publish the so-called DS records in the domain registry through your domain's sponsoring registrar. Instructions are in the DNSSEC deployment wizard (in Czech only at the moment and written only for .cz domains, but the process for ENUM domains is the same).

.cz

Because the DNS root zone is not yet signed with DNSSEC, you have to configure your recursive DNS server in a special way to be able to validate DNSSEC responses. You can do this by one of these methods:

  1. Using the ITAR registry - find the ITAR setup manual in the ITAR HOWTO (in Czech only at the moment).
  2. Using the DLV registry - the DLV registry setup is in the DNSSEC deployment wizard (in Czech only at the moment).
  3. Manual entry in the configuration file - find a step-by-step guide to manual key entry in the DNSSEC deployment wizard (in Czech only at the moment).

The DNSSEC key for the .cz domain is below; to download it over an encrypted connection, turn on SSL security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

trusted-keys {

"cz." 257 3 5
  "AwEAAdo9fGLzCyxz1yTlsHCT7JpHrg0q/yOlvDNg39n/gAUzg6H/5X9p
   jW6mpecJuZirIcPcRw5E7E8uR8g2ztH4uztoc/7ss01s3rTnEgXfilbd
   psEdXEuxIfhq+w6zL6PvCcE3qRSzsrc2//x/SXjWp8yeT4YY3W3kvB4Z
   g5ld0a8bAHBYo4ZY9x7a3qnqOhqunXSG8EfRPD9koUMgWCjdnFNR89L1
   5Bkzh+q1J7phTHIY5akKf3YnIB/5BnKmGBC7DimK4uSBLiBA3DLxHnvL
   ffMT5XtKKHuQ/uZ4IxHWqR2cpHz/6e2WaQvOVILwd0gk9lTCildBGjC7
   eNxOMnitkuM=" ;

};

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklLqIYACgkQ9OZqfMIN8nMsAACfakQ/hGFxBV40Q3s4a319GllJ
vjYAoIkObXhITrjxEgLWm06o7prNzKkG
=6ixI
-----END PGP SIGNATURE-----

Don't forget to subscribe to the appropriate mailing list, where important information about key administration and about DNSSEC in general will be announced! A statically configured trust anchor is only as good as your tracking of key rollovers: once the key is rolled and your configuration still holds the old one, validation of the whole zone fails until you update it.
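The two DNSSEC objects this page talks about, the DNSKEY you configure as a trust anchor and the DS record you publish through your registrar, are related by a fixed computation (RFC 4034). The following is an added worked example, not CZ.NIC's code: it parses the .cz KSK from the trusted-keys block above, decodes its RSA parameters, computes the key tag and derives the DS records exactly as a .cz domain holder would for their own key before handing them to the registrar. Only the Python standard library is used; the .cz key material is copied from the page, everything else (function names, the constructed test RDATA) is this example's own.

```python
# Added worked example (not CZ.NIC code): parse a DNSKEY trust anchor,
# compute its RFC 4034 key tag and derive DS records. Standard library only.
import base64
import hashlib

# The .cz KSK exactly as published in the trusted-keys block above:
# owner "cz.", flags 257, protocol 3, algorithm 5 (RSASHA1).
CZ_OWNER = "cz."
CZ_FLAGS, CZ_PROTOCOL, CZ_ALGORITHM = 257, 3, 5
CZ_PUBKEY_B64 = (
    "AwEAAdo9fGLzCyxz1yTlsHCT7JpHrg0q/yOlvDNg39n/gAUzg6H/5X9p"
    "jW6mpecJuZirIcPcRw5E7E8uR8g2ztH4uztoc/7ss01s3rTnEgXfilbd"
    "psEdXEuxIfhq+w6zL6PvCcE3qRSzsrc2//x/SXjWp8yeT4YY3W3kvB4Z"
    "g5ld0a8bAHBYo4ZY9x7a3qnqOhqunXSG8EfRPD9koUMgWCjdnFNR89L1"
    "5Bkzh+q1J7phTHIY5akKf3YnIB/5BnKmGBC7DimK4uSBLiBA3DLxHnvL"
    "ffMT5XtKKHuQ/uZ4IxHWqR2cpHz/6e2WaQvOVILwd0gk9lTCildBGjC7"
    "eNxOMnitkuM="
)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the empty root label (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("invalid label length in %r" % name)
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except
    1/RSAMD5): a 16-bit sum over the RDATA with the carry folded back in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, flags, protocol, algorithm, pubkey):
    """DS records (digest type 1 = SHA-1, 2 = SHA-256) computed over
    owner name in wire form || DNSKEY RDATA, as presentation-format lines."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    data = name_to_wire(owner) + rdata
    lines = []
    for digest_type, hasher in ((1, hashlib.sha1), (2, hashlib.sha256)):
        digest = hasher(data).hexdigest().upper()
        lines.append("%s IN DS %d %d %d %s"
                     % (owner, tag, algorithm, digest_type, digest))
    return lines


def rsa_public_key(pubkey):
    """Split an RFC 3110 RSA public key field into (exponent, modulus bytes).
    The exponent length is 1 byte, or 3 bytes when the first byte is zero."""
    if pubkey[0] != 0:
        exp_len, offset = pubkey[0], 1
    else:
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    exponent = int.from_bytes(pubkey[offset:offset + exp_len], "big")
    modulus = pubkey[offset + exp_len:]
    return exponent, modulus


def describe_cz_key():
    """Decode the .cz trust anchor: flag bits, RSA parameters and key tag."""
    pubkey = base64.b64decode(CZ_PUBKEY_B64)
    exponent, modulus = rsa_public_key(pubkey)
    return {
        "zone_key": bool(CZ_FLAGS & 0x0100),  # bit 7: zone key
        "sep": bool(CZ_FLAGS & 0x0001),       # bit 15: Secure Entry Point (KSK)
        "exponent": exponent,
        "modulus_bits": int.from_bytes(modulus, "big").bit_length(),
        "key_tag": key_tag(dnskey_rdata(CZ_FLAGS, CZ_PROTOCOL,
                                        CZ_ALGORITHM, pubkey)),
    }


def cz_ds_records():
    """DS records derived from the .cz KSK, the form a parent would publish."""
    return ds_records(CZ_OWNER, CZ_FLAGS, CZ_PROTOCOL, CZ_ALGORITHM,
                      base64.b64decode(CZ_PUBKEY_B64))


if __name__ == "__main__":
    print(describe_cz_key())
    for line in cz_ds_records():
        print(line)
```

The same `ds_records` routine applied to your own KSK produces the lines to submit to your registrar; compare its key tag against what `dig DNSKEY` of your zone shows to confirm you are publishing a DS for the key actually in use. The key tag is only a 16-bit hint for selecting among keys, not an identifier, so a validator still checks the DS digest and the signature itself.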

0.2.4.e164.arpa (ENUM)

CZ.NIC, as the registry for the 0.2.4.e164.arpa domain, publishes the DS records of this domain to the parent authority, the e164.arpa domain, which is administered by RIPE. To set up DNSSEC validation for ENUM domains you will need the e164.arpa keys. You can find them on the RIPE website, on the DISI project page, together with further information about their administration. The setup process is similar to the process for the .cz domain key.

DNSSEC security test

No DNSSEC

Your computer is not secured by DNSSEC when accessing internet resources. You can become a victim of a DNS attack: you may connect to spoofed web pages or services when using domain names! To lower this risk you should secure yourself with DNSSEC. See the DNSSEC wizard for how to do it.

DNSSEC secured

Everything is all right: your computer is secured by DNSSEC when accessing internet resources. You are protected against domain name spoofing. Enjoy your internet surfing ...

Encryption switch

Click the following link if you would like to turn on connection encryption for this page (e.g. if you want to download the DNSSEC key for the .cz domain in a secure way).

Turn on SSL encryption

Technical information

See the CZ.NIC technical support pages (in Czech only) for technical information about DNSSEC:

Other DNSSEC resources