Solved

DNSSEC and Secondary DNS

Posted on 2013-10-30
Last Modified: 2013-11-04
Working with a domain registered with GoDaddy and also DNS at GoDaddy. The customer is having a website built by another provider which will also handle hosting.
 
I need to make all traffic from that domain registered with GoDaddy go to the hosting of the other provider.
 
DNS will also stay at GoDaddy as the customer has Office 365 Exchange set up in the GoDaddy DNS.
 
They have the premium DNS package with vanity nameservers and they have DNSSEC enabled so can someone help me understand why DNSSEC helps with security?
 
Also they have the option for a secondary DNS server but it says you can't use secondary DNS when DNSSEC is enabled? Why would that be? Is it a system thing or a GoDaddy thing? Are there other providers where you can have both?
 
Do they really need DNSSEC? This will be a website for a small local business.
Question by:ATL74

Accepted Solution

by:
btan earned 500 total points
ID: 39613441
There are many DNS vulnerabilities (especially in BIND, and with more open recursive DNS resolvers exposed on the web), so an attacker can easily hijack a DNS session. The purpose of the attack is to take control of the session to, for example, send the user to the hijacker's own deceptive web site for account and password collection. This is why DNSSEC came about, to secure the DNS integrity of the session, e.g. the root zone signs the domain name, and overall the attestation serves to prove the validity of the address of the site the user is led to. Such a digital signature (they call it "Delegation of Signing") is not easily breached, and upon tampering the chain of trust is broken (e.g. the domain name cannot resolve to your website).

Full deployment of DNSSEC will ensure the end user is connecting to the actual web site or other service corresponding to a particular domain name. Although this will not solve all the security problems of the Internet, it does protect a critical piece of it - the directory lookup - complementing other technologies such as SSL (https:) that protect the "conversation", and provide a platform for yet to be developed security improvements.

In short, DNSSEC provides a validation path for records. The challenge is that the chain of domain extensions must be DNSSEC aware and support it throughout the chain, hence adoption is not widely implemented. However, the CA folks have supported it, likewise for the root domain ..

GoDaddy has DNSSEC capability for Premium DNS Account
http://support.godaddy.com/help/article/6420/enabling-dnssec-in-your-premium-dns-account
http://www.internetsociety.org/deploy360/resources/how-to-sign-your-domain-with-dnssec-using-godaddy-com/

It is always good to be sure and be less exposed. Business call...why ...

DNSSEC protects DNS clients (such as web browsers and mail clients) from forged DNS data. If an attacker attempts to alter any part of the DNS resolution process, then a DNSSEC aware client can detect the altered response. This allows the DNSSEC aware client to detect with certainty when this has happened. Not all browsers are DNSSEC aware. Chrome has supported this since version 14. On other browsers, an extension must be added to support DNSSEC. Some browsers don’t yet support DNSSEC.
0
