Solved

DNSSEC and Secondary DNS

Posted on 2013-10-30
1
653 Views
Last Modified: 2013-11-04
Working with a domain registered with GoDaddy and also DNS at GoDaddy. The customer is having a website built by another provider which will also handle hosting.
 
I need to make all traffic from that domain registered with go daddy go to the hosting of the other provider.
 
DNS will also stay at go daddy as the cutomer has Office 365 exchange setup in the go daddy DNS.
 
They have the premium DNS package with vanity nameservers and they have DNSSEC enabled so can someone help me understand why DNSSEC helps with security?
 
Also they have the option for a secondary DNS server but it says you can't use secondary DNS when DNSSEC is enabled? Whay would that be? Is it a system thing or a go daddy thing? Are there other providers where you can have both?
 
Do they really need DNSSEC? This will be a website for a small local buisness.
0
Comment
Question by:ATL74
1 Comment
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
There are many DNS vulnerabilities (esp in Bind and adding with more open recursive DNS resolver exposed in web), an attacker can easily hijack DNS session. The purpose of the attack is to take control of the session to, for example, send the user to the hijacker's own deceptive web site for account and password collection. Which is why DNSSEC came on to secure the DNS integrity of the session..e.g. root zone sign the domain name and overall the attestion serves to proof validity of the address of the site the user is lead too. Such digital signature (they called it "Delegation of Signing") not easily breached and upon tamper the chain of trust is broken (e.g. the domain name cannot resolve to your website).  

Full deployment of DNSSEC will ensure the end user is connecting to the actual web site or other service corresponding to a particular domain name. Although this will not solve all the security problems of the Internet, it does protect a critical piece of it - the directory lookup - complementing other technologies such as SSL (https:) that protect the "conversation", and provide a platform for yet to be developed security improvements.

In short, DNSSEC provides a validation path for records. The challenge is the chain of domain extension must be DNSSEC aware and support it throughout the chain, hence adoption is not widely implemented. However, the CA folks has supported it likewise for the root domain ..

GoDaddy has DNSSEC capability for Premium DNS Account
http://support.godaddy.com/help/article/6420/enabling-dnssec-in-your-premium-dns-account
http://www.internetsociety.org/deploy360/resources/how-to-sign-your-domain-with-dnssec-using-godaddy-com/

It is always good to be sure and be less exposed. Business call...why ...

DNSSEC protects DNS clients (such as web browsers and mail clients) from forged DNS data. If an attacker attempts to alter any part of the DNS resolution process, then a DNSSEC aware client can detect the altered response. This allows the DNSSEC aware client to detect with certainty when this has happened. Not all browsers are DNSSEC aware. Chrome has supported this since version 14. On other browsers, an extension must be added to support DNSSEC. Some browser don’t yet support DNSSEC.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

The task of choosing a web design company to build a website for your business should never be taken in a light manner. Provided the fact that your website will act as a representative to your business and will be responsible for imposing an online …
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
The purpose of this video is to demonstrate how to set up the WordPress backend so that each page automatically generates a Mailchimp signup form in the sidebar. This will be demonstrated using a Windows 8 PC. Tools Used are Photoshop, Awesome…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now