Solved

DNSSEC and Secondary DNS

Posted on 2013-10-30
1
723 Views
Last Modified: 2013-11-04
Working with a domain registered with GoDaddy and also DNS at GoDaddy. The customer is having a website built by another provider which will also handle hosting.
 
I need to make all traffic from that domain registered with go daddy go to the hosting of the other provider.
 
DNS will also stay at go daddy as the cutomer has Office 365 exchange setup in the go daddy DNS.
 
They have the premium DNS package with vanity nameservers and they have DNSSEC enabled so can someone help me understand why DNSSEC helps with security?
 
Also they have the option for a secondary DNS server but it says you can't use secondary DNS when DNSSEC is enabled? Whay would that be? Is it a system thing or a go daddy thing? Are there other providers where you can have both?
 
Do they really need DNSSEC? This will be a website for a small local buisness.
0
Comment
Question by:ATL74
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39613441
There are many DNS vulnerabilities (esp in Bind and adding with more open recursive DNS resolver exposed in web), an attacker can easily hijack DNS session. The purpose of the attack is to take control of the session to, for example, send the user to the hijacker's own deceptive web site for account and password collection. Which is why DNSSEC came on to secure the DNS integrity of the session..e.g. root zone sign the domain name and overall the attestion serves to proof validity of the address of the site the user is lead too. Such digital signature (they called it "Delegation of Signing") not easily breached and upon tamper the chain of trust is broken (e.g. the domain name cannot resolve to your website).  

Full deployment of DNSSEC will ensure the end user is connecting to the actual web site or other service corresponding to a particular domain name. Although this will not solve all the security problems of the Internet, it does protect a critical piece of it - the directory lookup - complementing other technologies such as SSL (https:) that protect the "conversation", and provide a platform for yet to be developed security improvements.

In short, DNSSEC provides a validation path for records. The challenge is the chain of domain extension must be DNSSEC aware and support it throughout the chain, hence adoption is not widely implemented. However, the CA folks has supported it likewise for the root domain ..

GoDaddy has DNSSEC capability for Premium DNS Account
http://support.godaddy.com/help/article/6420/enabling-dnssec-in-your-premium-dns-account
http://www.internetsociety.org/deploy360/resources/how-to-sign-your-domain-with-dnssec-using-godaddy-com/

It is always good to be sure and be less exposed. Business call...why ...

DNSSEC protects DNS clients (such as web browsers and mail clients) from forged DNS data. If an attacker attempts to alter any part of the DNS resolution process, then a DNSSEC aware client can detect the altered response. This allows the DNSSEC aware client to detect with certainty when this has happened. Not all browsers are DNSSEC aware. Chrome has supported this since version 14. On other browsers, an extension must be added to support DNSSEC. Some browser don’t yet support DNSSEC.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Online collaboration is quickly becoming embedded in the workplace, and its benefits are tangible. See what the current landscape looks like and what the future holds for collaboration tools and the future of work.
In order to have all security and back ups taken care of, WordPress users can sign up for services with WP Engine.
The purpose of this video is to demonstrate how to set up the WordPress backend so that each page automatically generates a Mailchimp signup form in the sidebar. This will be demonstrated using a Windows 8 PC. Tools Used are Photoshop, Awesome…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question