Solved

DNSSEC and Secondary DNS

Posted on 2013-10-30
Last Modified: 2013-11-04
Working with a domain registered with GoDaddy and also DNS at GoDaddy. The customer is having a website built by another provider which will also handle hosting.
 
I need to make all traffic for that domain registered with GoDaddy go to the hosting of the other provider.
 
DNS will also stay at GoDaddy as the customer has Office 365 Exchange set up in the GoDaddy DNS.
 
They have the premium DNS package with vanity nameservers and they have DNSSEC enabled so can someone help me understand why DNSSEC helps with security?
 
Also they have the option for a secondary DNS server, but it says you can't use secondary DNS when DNSSEC is enabled. Why would that be? Is it a system thing or a GoDaddy thing? Are there other providers where you can have both?
 
Do they really need DNSSEC? This will be a website for a small local business.
Question by:ATL74

Accepted Solution

by:
btan earned 500 total points
ID: 39613441
There are many DNS vulnerabilities (especially in BIND, and with more open recursive DNS resolvers exposed on the web), so an attacker can easily hijack a DNS session. The purpose of the attack is to take control of the session to, for example, send the user to the hijacker's own deceptive web site for account and password collection. Which is why DNSSEC came about, to secure the DNS integrity of the session, e.g. the root zone signs the domain name, and overall the attestation serves to prove the validity of the address of the site the user is led to. Such a digital signature (they called it "Delegation of Signing") is not easily breached, and upon tampering the chain of trust is broken (e.g. the domain name cannot resolve to your website).

Full deployment of DNSSEC will ensure the end user is connecting to the actual web site or other service corresponding to a particular domain name. Although this will not solve all the security problems of the Internet, it does protect a critical piece of it - the directory lookup - complementing other technologies such as SSL (https:) that protect the "conversation", and provide a platform for yet to be developed security improvements.

In short, DNSSEC provides a validation path for records. The challenge is that the chain of domain extensions must be DNSSEC aware and support it throughout the chain, hence adoption is not widely implemented. However, the CA folks have supported it likewise for the root domain ..

GoDaddy has DNSSEC capability for Premium DNS Account
http://support.godaddy.com/help/article/6420/enabling-dnssec-in-your-premium-dns-account
http://www.internetsociety.org/deploy360/resources/how-to-sign-your-domain-with-dnssec-using-godaddy-com/

It is always good to be sure and be less exposed. Business call...why ...

DNSSEC protects DNS clients (such as web browsers and mail clients) from forged DNS data. If an attacker attempts to alter any part of the DNS resolution process, then a DNSSEC aware client can detect the altered response. This allows the DNSSEC aware client to detect with certainty when this has happened. Not all browsers are DNSSEC aware. Chrome has supported this since version 14. On other browsers, an extension must be added to support DNSSEC. Some browsers don’t yet support DNSSEC.