About ten years ago, DNSSEC was invented to deal with a problem
plaguing the Internet: there is no trust built into the DNS system.
Background
Many people have heard the term DNS but never thought about what
it is. DNS, the Domain Name System, is the process by which a
domain name like midnightbsd.org is translated into an IP address
such as 70.91.226.201. Without this system, you would need to type
in IP addresses to access websites, send email, or chat online.
The system was invented at a simpler time when people trusted
each other on the Internet. This was before worms, massive
spam, or websites.
Today, many people try to impersonate others on the Internet or,
worse yet, their websites. In a DNS poisoning attack, a user whose
DNS server looks up google.com is redirected to a fake site. That
site could log the user's information and pass the requests on to
the real google.com through a proxy, so the user may never notice
the difference.
Systems like DNSSEC validate DNS answers through a chain of trust
relationships.
Using DNSSEC
Individuals don't need to do much to use DNSSEC aside from
obtaining updated software. Windows 7 had DNSSEC on its list of
new features (not confirmed that it made it into the final builds).
The client (your computer) must be able to understand DNSSEC for
it to be of any use; otherwise the extra data is simply ignored.
System administrators must enable DNSSEC on their DNS servers
(resolvers) as well as on the zones they serve to get the full
benefit. You can think of a zone as a domain name; zones are
further divided into sub-zones, such as .com versus midnightbsd.org.
Enabling DNSSEC on BIND 9.4+ resolvers
In options:

    dnssec-enable yes;
    dnssec-validation yes;
    // Lookaside validation: for zones whose parents are not signed,
    // trust the DLV registry at dlv.isc.org instead. ISC retired that
    // registry in 2017; later BIND releases use "dnssec-validation auto"
    // with the built-in root trust anchor, so treat this as historical.
    dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";

and, at the top level of named.conf (outside the options block), the
key that anchors the lookaside trust:

    trusted-keys {
        // name, flags (257 = zone key + SEP, i.e. a KSK), protocol 3,
        // algorithm 5 (RSA/SHA-1), base64-encoded public key
        dlv.isc.org. 257 3 5
        "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
        brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
        1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
        ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
        Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
        QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
        TDN0YUuWrBNh";
    };
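A trust anchor you paste into trusted-keys is only as good as your check that it is the key its publisher describes. As an added example (not code from the original post or from BIND), the following Python computes the RFC 4034 key tag and DS digest of a trusted-keys entry from its flags, protocol, algorithm and base64 key, using the dlv.isc.org entry above as input; the function names are my own.

```python
import base64
import hashlib
import struct

# Trust anchor from the trusted-keys block above, in BIND's field order:
# name, flags, protocol, algorithm, base64 key.
DLV_ANCHOR = ("dlv.isc.org.", 257, 3, 5,
    "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2"
    "brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+"
    "1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5"
    "ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk"
    "Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM"
    "QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt"
    "TDN0YUuWrBNh")

def name_to_wire(name):
    """Owner name in canonical (lower-case) DNS wire format, RFC 4034 s6.2."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag, RFC 4034 Appendix B (all algorithms except 1): sum the RDATA
    as big-endian 16-bit words, fold the carry back in, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, hash_name="sha256"):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 s5.1.4."""
    return hashlib.new(hash_name, name_to_wire(owner) + rdata).hexdigest().upper()

def describe_anchor(owner, flags, protocol, algorithm, key_b64):
    """Values to compare with the key id / DS record the publisher announces."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(key_b64))
    return {
        "owner": owner,
        "is_ksk": (flags & 0x0101) == 0x0101,  # zone-key bit 7 and SEP bit 15
        "keytag": key_tag(rdata),
        "ds_sha256": ds_digest(owner, rdata),
    }

if __name__ == "__main__":
    print(describe_anchor(*DLV_ANCHOR))
```

Run it against any DNSKEY you are about to configure and compare the key tag and digest with what the zone operator published out of band; a mismatch means you are anchoring trust in the wrong key.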
Further Reading