Protect Your Domain With DNSSEC on AWS Route53 and GoDaddy Registrar

DNSSEC, short for Domain Name System Security Extensions, is a set of protocol extensions that secure the Domain Name System (DNS) against threats such as spoofing and cache poisoning. DNSSEC is designed to protect the authenticity and integrity of DNS data, so that a resolver can verify that an answer really came from the zone's authoritative source and was not altered in transit. It does not encrypt queries or answers, so it does not protect against eavesdropping; that is the job of encrypted transports such as DNS over TLS or DNS over HTTPS.

How Does DNSSEC Work?

DNSSEC works by adding cryptographic signatures to DNS data. The zone operator signs each record set with the private half of its zone signing key (ZSK) and publishes the signatures as RRSIG records next to the original data. The matching public keys are published as DNSKEY records, and the DNSKEY set itself is signed by the key signing key (KSK). When a user sends a DNS query, a DNSSEC-validating resolver uses the signatures and keys to verify that the data is authentic and has not been altered in transit. If validation fails, the resolver refuses to return the data and the user gets a SERVFAIL error instead.

Understanding DNSSEC can be a bit difficult and confusing, but I will try to explain it in a simple way in a few steps with a dummy domain.

How DNSSEC works

  1. The user's laptop asks the recursive DNS server for the domain's IP addresses. (It follows the standard DNS resolution process to reach the authoritative DNS server. I won't go into how DNS works here. Instead, I'll start at the point where the recursive server gets the final answer from the authoritative DNS server.)
  2. The recursive DNS server connects to the authoritative DNS server and gets the IP addresses, the signature over that record set (RRSIG), and the corresponding public key (DNSKEY) used to sign that information.
  3. Various validations are performed. However, anyone can sign DNS resource record data with a public/private key pair of their own, so a valid signature alone proves nothing.
  4. Therefore, there is an added step to validate this public key with a chain of trust that mirrors the same domain tree used to resolve the name.
  5. The recursive DNS server asks the .com TLD: "I got this public key from the domain's DNS server. Do you vouch for it?"
  6. The .com TLD comes back and says, "Yes, my DS records indicate that this key was provided to me (through the registrar) by the domain owner, and here is the hash of that key. I am signing that information with my own key."
  7. This information is then used to query the root servers in the same way and ask for the .com information.
  8. The root servers provide the DS record for .com and sign it, and also provide the root's own public key.
  9. The recursive server, being configured with the root public key as a trusted key, can now check that key against its configuration and, link by link, every key it was passed on the way down, and the resolution is secure.

Note: The recursive server needs to be configured with the public key of the root (the trust anchor), and there is a mechanism (automated trust anchor updates, RFC 5011) to automatically follow key changes made at the Internet root.

Why Is DNSSEC Vital?

The DNS is the Internet's address book, mapping human-readable domain names to IP addresses. Without DNSSEC, an attacker who can forge or poison DNS answers can redirect users to malicious websites, steal sensitive information, or spread malware. By implementing DNSSEC, domain owners and users can be confident that the information they receive from the DNS is accurate and has not been tampered with.

How To Implement DNSSEC

Implementing DNSSEC requires the coordination of several different entities, including domain owners, registrars, and DNS operators. The first step is to generate a key signing key (KSK) and a zone signing key (ZSK). The KSK is used to sign the DNSKEY record set (which includes the ZSK), and the ZSK is used to sign the zone's DNS data. The keys must be securely stored and rotated on a schedule to keep the DNSSEC deployment secure.

Once the keys are in place, the domain owner must publish the DNSSEC records in the DNS and configure their DNS servers to sign the zone. This involves creating and publishing DNS Resource Records (RRs) such as DNSKEY and RRSIG in the zone itself, and the DS record in the parent zone (submitted through the registrar), which together carry the information needed for the DNSSEC validation process.

I'm using AWS Route53 as the DNS server for my domain, and GoDaddy as the registrar.

  1. I'm assuming that you're already using AWS Route53 for your domain. My domain is shown here.
  2. To enable DNSSEC on Route53, you will be asked to create a Key Signing Key (KSK) backed by a customer managed key in AWS KMS. Route53 requires an asymmetric KMS key with the ECC_NIST_P256 key spec and "Sign and verify" usage, created in the US East (N. Virginia) region; the console offers to create one for you.
  3. After enabling DNSSEC signing, click on "View information to create DS record".

Enable DNSSEC on Route53

  4. You'll have two options: Route53 registrar and Another domain registrar. Since we're using GoDaddy, we need the information provided under Another domain registrar. This information will be entered into GoDaddy in the next steps.

Establish a chain of trust

  5. Log into your GoDaddy account. Please note that GoDaddy also offers DNSSEC as part of its Premium DNS plan, but you don't need to buy that plan, since the signing is done by AWS Route53 and GoDaddy only needs to publish the DS record at the registry.
  6. Go to Domain Portfolio -> Domain Settings for your domain and select DNSSEC.

Domain settings

  7. Create a new DS record with the following information.

Create a new DS record

  • Key Tag: Key Tag in AWS
  • Algorithm: Signing Algorithm Type in AWS (13, ECDSAP256SHA256, for Route53 keys)
  • Digest Type: Digest Algorithm Type in AWS (2, SHA-256)
  • Digest: Digest in AWS (copy it exactly; a single wrong character makes every validating resolver fail your domain)
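To make concrete what the TLD holds in step 6 of the walkthrough above, and exactly what the four DS fields entered at GoDaddy are, here is an added example (not code from the original article, nor from AWS or GoDaddy) that computes a DS record from a DNSKEY the way the parent zone does, following RFC 4034: the key tag from Appendix B and the digest over the canonical owner name plus the DNSKEY RDATA from section 5.1.4. The owner name example.com, the DNSKEY line and the 64 key bytes are constructed placeholders, not a real Route53 key; a real Route53 KSK uses the same flags (257) and algorithm (13).

```python
"""Compute a DS record from a DNSKEY, as the parent zone (TLD) does.

Added example, not part of the original article. Implements RFC 4034:
key tag (Appendix B) and DS digest (section 5.1.4). The DNSKEY at the
bottom is a constructed dummy key for illustration, not a real key.
"""
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def wire_name(owner: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(wire_name(owner) + rdata)
    return h.hexdigest().upper()


def parse_dnskey_line(line: str):
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' (dig presentation format)."""
    parts = line.split()
    idx = parts.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in parts[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(parts[idx + 4:]))  # dig may split the key over spaces
    return parts[0], flags, protocol, algorithm, pubkey


def ds_from_dnskey_line(line: str, digest_type: int = 2):
    """Return the DS fields (key tag, algorithm, digest type, digest) for a DNSKEY line."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey_line(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def matches_ds(dnskey_line: str, ds_line: str) -> bool:
    """Check that a DS record published at the parent matches the child's KSK.

    This is the comparison a validating resolver performs at step 6 of the walkthrough.
    """
    parts = ds_line.split()
    idx = parts.index("DS")
    tag, alg, dtype = (int(x) for x in parts[idx + 1:idx + 4])
    digest = "".join(parts[idx + 4:]).upper()
    return ds_from_dnskey_line(dnskey_line, dtype) == (tag, alg, dtype, digest)


# Constructed dummy KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 13 (ECDSAP256SHA256,
# the algorithm Route53 uses). The 64 key bytes are a placeholder, not a real public key.
DUMMY_KEY = base64.b64encode(bytes(range(64))).decode()
DUMMY_DNSKEY = f"example.com. 3600 IN DNSKEY 257 3 13 {DUMMY_KEY}"

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey_line(DUMMY_DNSKEY)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

Feed it the DNSKEY line with flags 257 that dig returns for your own zone and compare the result with the DS record your registrar publishes (the DS query in the test section below): a mismatch in any of the four fields is exactly the condition that makes validating resolvers answer SERVFAIL for your domain.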

Take a look at Your Area

  • Run the following command (with your own domain in place of example.com) on the command line.
% dig example.com DNSKEY +dnssec

You should get the following output in the answer section.

Output from the dig DNSKEY command

You'll receive two DNSKEYs (one ZSK, flags 256, and one KSK, flags 257) and an RRSIG over them, confirming that Route53 is signing your zone. This alone does not prove the chain of trust is complete; that depends on the DS record at the TLD, which the next check verifies.

  • Check the chain of trust with your TLD. First, look up the name servers of your TLD (its NS records); for .com these are the gtld-servers.
  • Then make sure that you get the DS record for your domain from the TLD, asking one of those servers directly (again with your own domain in place of example.com).
% dig example.com DS @m.gtld-servers.net.

You should get the following output. The key tag, algorithm, digest type and digest must match exactly what Route53 showed under "Another domain registrar".

Output - Get the DS record for your domain from TLD

  • The last step is to check your resource record sets with their signatures. I've created a dummy A record for my domain. Here is the command to check the RRSIG.
% dig example.com A +dnssec

You should get the following output for your resource record: the A record followed by an RRSIG covering it. If you query through a validating resolver, the flags line should also show ad (authenticated data).

Output - resource record

Alternatively, you can use free online tools such as DNSViz or Verisign's DNSSEC Analyzer, which walk the whole chain from the root and show exactly which link is broken.

Please note: DNS propagation can take anywhere from a few minutes to 24 hours, depending on factors such as the resolver's location, the type of record being updated, and the TTL (time to live) set on the record. During this time, the updated DNS information may not be visible to all users and systems. The order of operations matters: add the DS record at GoDaddy only after Route53 reports the KSK as active, and if you ever need to turn DNSSEC off, remove the DS record at the registrar first and wait for its TTL to expire before disabling signing in Route53; doing it the other way round leaves validating resolvers with a DS that points at a key no longer in the zone, and they will answer SERVFAIL for your domain until it expires.
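The manual dig checks above can be scripted. Here is an added example (not from the original article) that runs them against a validating resolver and distinguishes the three outcomes a practitioner needs to tell apart: secure (the resolver set the ad flag), bogus (SERVFAIL normally but an answer with +cd, checking disabled, which is what a DS at the registrar that does not match the Route53 KSK looks like), and insecure (unsigned, or DS not yet published at the parent). It assumes dig is installed and that the resolver 1.1.1.1 (any validating resolver will do) is reachable; the SAMPLE_* strings are constructed dig outputs for exercising the parsers offline, not captures from a real domain.

```python
"""Check a domain's DNSSEC deployment with dig, automating the manual checks above.

Added example, not part of the original article. Assumes `dig` is on PATH and
that RESOLVER is a reachable, DNSSEC-validating recursive resolver. The SAMPLE_*
strings are constructed dig outputs used to test the parsing offline.
"""
import re
import subprocess
import sys

RESOLVER = "1.1.1.1"  # assumption: any DNSSEC-validating recursive resolver works


def run_dig(*args: str) -> str:
    """Run dig with the given arguments and return its text output (needs network)."""
    proc = subprocess.run(["dig", *args], capture_output=True, text=True, check=False)
    return proc.stdout


def header_status(output: str) -> str:
    """Return the rcode from dig's header line: NOERROR, SERVFAIL, NXDOMAIN, ..."""
    m = re.search(r"status: (\w+)", output)
    return m.group(1) if m else "UNKNOWN"


def header_flags(output: str) -> set:
    """Return the header flags (qr, rd, ra, ad, cd, ...) from dig's flags line."""
    m = re.search(r";; flags: ([^;]*);", output)
    return set(m.group(1).split()) if m else set()


def answer_has(output: str, rrtype: str) -> bool:
    """True if an answer/authority line 'name. TTL IN <rrtype> ...' is present.

    The question line has no TTL, so requiring a numeric TTL keeps it from matching.
    """
    return re.search(rf"^\S+\s+\d+\s+IN\s+{rrtype}\s", output, re.M) is not None


def has_rrsig(output: str, covered: str) -> bool:
    """True if the output carries an RRSIG covering the given record type."""
    return answer_has(output, rf"RRSIG\s+{covered}")


def classify(answer: str, answer_cd: str) -> str:
    """Turn a normal query and a +cd (checking disabled) query into a verdict.

    secure   : ad flag set, the chain of trust from the root validated
    bogus    : SERVFAIL normally but NOERROR with +cd: signed but validation fails
               (typical cause: DS at the registrar does not match the Route53 KSK)
    insecure : answers without ad: zone unsigned, or no DS published at the parent
    """
    if "ad" in header_flags(answer):
        return "secure"
    if header_status(answer) == "SERVFAIL" and header_status(answer_cd) == "NOERROR":
        return "bogus"
    return "insecure"


def check_domain(domain: str, rrtype: str = "A") -> dict:
    """Run the article's checks (DNSKEY, DS at parent, signed RRset) via the resolver."""
    answer = run_dig("@" + RESOLVER, domain, rrtype, "+dnssec")
    answer_cd = run_dig("@" + RESOLVER, domain, rrtype, "+dnssec", "+cd")
    dnskey = run_dig("@" + RESOLVER, domain, "DNSKEY", "+dnssec", "+cd")
    ds = run_dig("@" + RESOLVER, domain, "DS", "+dnssec", "+cd")
    return {
        "verdict": classify(answer, answer_cd),
        "dnskey_published": answer_has(dnskey, "DNSKEY"),
        "dnskey_signed": has_rrsig(dnskey, "DNSKEY"),
        "ds_at_parent": answer_has(ds, "DS"),
        "rrset_signed": has_rrsig(answer_cd, rrtype),
    }


# Constructed dig outputs, trimmed to the lines the parsers look at (192.0.2.0/24 is TEST-NET-1).
SAMPLE_SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.\t\t\tIN\tA

;; ANSWER SECTION:
example.com.\t300\tIN\tA\t192.0.2.10
example.com.\t300\tIN\tRRSIG\tA 13 2 300 20240201000000 20240101000000 12345 example.com. c29tZXNpZw==
"""
SAMPLE_BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.\t\t\tIN\tA
"""
SAMPLE_BOGUS_CD = SAMPLE_SECURE.replace("qr rd ra ad", "qr rd ra cd")  # same data, +cd
SAMPLE_INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.\t\t\tIN\tA

;; ANSWER SECTION:
example.com.\t300\tIN\tA\t192.0.2.10
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for key, value in check_domain(target).items():
        print(f"{key}: {value}")
```

The +cd query is the useful trick here: it asks the resolver to hand back whatever it has without validating, so a domain that is "bogus" still answers with +cd while failing without it, whereas a domain that is merely unsigned answers both ways with no ad flag. Run it once before adding the DS at GoDaddy (expect insecure) and again afterwards (expect secure); bogus in between means the DS fields were copied wrongly.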


DNSSEC is an essential tool for ensuring the security and reliability of the Internet's address book. By adding cryptographic signatures to DNS data, DNSSEC protects against threats such as spoofing and cache poisoning (it does not hide queries from an eavesdropper; encrypted DNS transports do that). By implementing DNSSEC, domain owners and users can be confident that the information they receive from the DNS is accurate and has not been tampered with.