Singapore Network Information Centre (SGNIC) Pte Ltd

DNSSEC

What is DNSSEC and why is it important?
DNSSEC stands for “Domain Name System Security Extensions”. It is a set of extensions to the Domain Name System (DNS) that lets a resolver verify that the DNS data it receives for a domain name (e.g. the IP address of a website) is authentic and has not been altered. DNS records are signed with cryptographic digital signatures, so a validating resolver can confirm that an answer really came from the domain's authoritative name servers and was not modified on the way. In other words, DNSSEC prevents an attacker from redirecting end-users, at the DNS level, to a fake website or service.

For more information on this, refer here: https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en

What does DNSSEC protect against exactly?

DNSSEC is intended to protect against DNS spoofing (‘man-in-the-middle’) attacks and ‘cache poisoning’ by having DNS responses validated cryptographically before end-user traffic is directed to a website.

What is DNS ‘man-in-the-middle’ attack and ‘cache poisoning’?
When a user accesses a website by its domain name, e.g. http://www.example.sg, the system’s DNS resolver (e.g. the ISP’s resolver) first queries for the IP address of the website. Plain DNS gives the resolver no way to authenticate the answer it receives, so an attacker who can intercept or guess the resolver’s query can send a forged response containing a fake IP address, and the resolver will accept it if the forgery arrives before the legitimate answer. This is known as a ‘man-in-the-middle’ attack.

Most DNS resolvers also cache the returned IP address to speed up responses to future queries for the same domain name, whether from the same user or from other users. Therefore, if an attacker has tricked the DNS resolver into accepting a fake IP address, that fake address is now cached by the resolver. This is known as ‘cache poisoning’. Subsequent queries for the same domain name by other users (e.g. other customers of the same ISP) are answered from the cache, so those users are also redirected to the fake IP address instead of the legitimate website’s IP until the cached entry expires.

How does DNSSEC work?
DNSSEC uses cryptographic signatures to create a “chain of trust”. Each zone signs its DNS records with a private key and publishes the matching public key in a DNSKEY record; the parent zone (for a .SG domain name, the .SG zone) publishes a Delegation Signer (DS) record that identifies the child zone’s key, and the .SG zone’s own key is in turn referenced from the DNS root. A validating resolver follows this chain from the root down to the domain name and checks every signature along the way, which is how it confirms that the information it received originates from the correct DNS servers. If a response cannot be validated, the resolver discards it instead of passing it on. Thus if a user visits a DNSSEC-protected website and the DNS response is modified by an attacker (through a ‘man-in-the-middle’ attack), the DNSSEC-aware DNS resolver or application detects the tampering and discards the fake information.
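As an added illustration of the chain of trust (example code written for this page, not SGNIC’s or any DNS software’s), the Go program below builds two constructed zones, sg. and example.sg., each with a key-signing key (KSK) and a zone-signing key (ZSK) using DNSSEC algorithm 15 (Ed25519), links them with a DS record, and then validates an A record for www.example.sg. the way a resolver does: trust anchor, DS, DNSKEY, RRSIG, at each level. The zone names, keys and IP addresses are made up, and the data that gets signed is simplified (a real RRSIG covers the RRSIG header plus the canonical RRset, and owner names are in DNS wire format), but the checks and the order in which a validator applies them are the real ones.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DNSSEC algorithm 15 is Ed25519 (RFC 8080); its DNSKEY public key field is the raw 32-byte key.
const algEd25519 = 15

// dnskeyRDATA is flags | protocol (always 3) | algorithm | public key (RFC 4034 section 2.1).
// Flags 257 mark a key-signing key (KSK), 256 a zone-signing key (ZSK).
func dnskeyRDATA(flags uint16, alg uint8, pub []byte) []byte {
	return append([]byte{byte(flags >> 8), byte(flags), 3, alg}, pub...)
}

// ds is the Delegation Signer digest the parent publishes for a child's KSK: SHA-256 over the
// owner name and the DNSKEY RDATA (simplified: the name is used as text, not DNS wire format).
func ds(name string, kskPub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(append([]byte(name), dnskeyRDATA(257, algEd25519, kskPub)...))
	return sum[:]
}

// signedZone is the public data a validating resolver fetches for one zone on the chain of trust.
type signedZone struct {
	name           string
	kskPub, zskPub ed25519.PublicKey
	dnskeySig      []byte // RRSIG over the DNSKEY RRset, made with the KSK
	childDS        []byte // DS of the child zone's KSK (nil at the leaf)
	childDSSig     []byte // RRSIG over that DS, made with this zone's ZSK
}

// Simplified signing inputs; a real RRSIG covers its own header plus the canonical RRset (RFC 4034 3.1.8.1).
func dnskeyMsg(z signedZone) []byte {
	return bytes.Join([][]byte{[]byte(z.name), dnskeyRDATA(257, algEd25519, z.kskPub), dnskeyRDATA(256, algEd25519, z.zskPub)}, nil)
}
func aMsg(owner, ip string) []byte { return []byte(owner + " A " + ip) }

// newSignedZone is the zone operator's side: generate KSK and ZSK, sign the DNSKEY RRset with the
// KSK and the child's DS with the ZSK. The ZSK private key is returned so data records can be signed.
func newSignedZone(name string, childDS []byte) (signedZone, ed25519.PrivateKey) {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	z := signedZone{name: name, kskPub: kskPub, zskPub: zskPub, childDS: childDS}
	z.dnskeySig = ed25519.Sign(kskPriv, dnskeyMsg(z))
	if childDS != nil {
		z.childDSSig = ed25519.Sign(zskPriv, childDS)
	}
	return z, zskPriv
}

// validate is the resolver's side: start from a trust anchor (the DS of the top zone's KSK) and walk
// DS -> DNSKEY -> RRSIG at each level until the A record at the leaf verifies or something fails.
func validate(anchorDS []byte, chain []signedZone, owner, ip string, aSig []byte) error {
	expectDS := anchorDS
	for i, z := range chain {
		if !bytes.Equal(ds(z.name, z.kskPub), expectDS) {
			return fmt.Errorf("%s: KSK does not match the DS published by its parent", z.name)
		}
		if !ed25519.Verify(z.kskPub, dnskeyMsg(z), z.dnskeySig) {
			return fmt.Errorf("%s: DNSKEY RRSIG invalid", z.name)
		}
		if i < len(chain)-1 { // descend: the child's DS must be signed by this zone's ZSK
			if !ed25519.Verify(z.zskPub, z.childDS, z.childDSSig) {
				return fmt.Errorf("%s: DS RRSIG invalid", z.name)
			}
			expectDS = z.childDS
		} else if !ed25519.Verify(z.zskPub, aMsg(owner, ip), aSig) {
			return fmt.Errorf("%s: A RRSIG invalid, answer %s discarded", owner, ip)
		}
	}
	return nil
}

// buildChain sets up the constructed zones sg. and example.sg. and returns the resolver's trust
// anchor (DS of sg.'s KSK), the chain top-down, and example.sg.'s ZSK for signing its records.
func buildChain() ([]byte, []signedZone, ed25519.PrivateKey) {
	leaf, leafZSK := newSignedZone("example.sg.", nil)
	top, _ := newSignedZone("sg.", ds(leaf.name, leaf.kskPub))
	return ds(top.name, top.kskPub), []signedZone{top, leaf}, leafZSK
}

func main() {
	anchor, chain, leafZSK := buildChain()
	sig := ed25519.Sign(leafZSK, aMsg("www.example.sg.", "203.0.113.10"))
	fmt.Println("genuine answer:", validate(anchor, chain, "www.example.sg.", "203.0.113.10", sig))
	// A spoofed response carries a different address but cannot carry a valid RRSIG for it.
	fmt.Println("spoofed answer:", validate(anchor, chain, "www.example.sg.", "198.51.100.99", sig))
	// An attacker who signs with keys of their own fails one level up: the DS in sg. does not match.
	rogue, rogueZSK := newSignedZone("example.sg.", nil)
	rogueSig := ed25519.Sign(rogueZSK, aMsg("www.example.sg.", "198.51.100.99"))
	fmt.Println("rogue keys:", validate(anchor, []signedZone{chain[0], rogue}, "www.example.sg.", "198.51.100.99", rogueSig))
}
```

The three runs in main show the two ways a forged answer fails: a changed address without a matching signature is rejected at the leaf, and a zone re-signed with an attacker’s keys is rejected because the DS in the parent does not identify those keys. Only the trust anchor is configured on the resolver; everything else is fetched from DNS and checked.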
Should I enable DNSSEC for my .SG domain name?
DNSSEC is beneficial to all registrants and end-users. Certain groups of registrants, however, may benefit more than others. For example, e-commerce sites or sites that accept highly sensitive or personal information may wish to give DNSSEC-aware end-users the added assurance that they will reach the actual website.

Be aware that a DNSSEC deployment can be rather complex. For example, technical complications can arise when an owner wishes to change DNS hosting providers, because the signing keys have to be handed over or replaced without a gap in validation.

Owners should also evaluate and confirm that their DNS hosting provider is technically capable of handling cryptographic key generation, zone signing and key rollover processes.

Should any of these steps be implemented improperly, validating resolvers will reject the domain's records and users will be unable to reach the website.

These considerations may also have cost implications for owners, such as higher fees for a DNSSEC-enabled domain name.

What is protected by DNSSEC and what is not?
DNSSEC is not a complete solution for all security threats. DNSSEC mitigates only one specific issue: forged DNS responses. It does not encrypt DNS queries, does not protect the website or its server, and does not say anything about who operates the site. DNSSEC is meant to complement other protections such as TLS/SSL certificates and two-factor authentication.
How do I know if my .SG domain name is DNSSEC-enabled?
A simple way to check is to look up the WHOIS information for the .SG domain name. Users can go to the SGNIC website (www.sgnic.sg) and search for the WHOIS information on the domain name. At the bottom of the WHOIS result page, there is a section on “DNSSEC”:
  • If “Signed” is displayed, it means the domain name has been DNSSEC enabled.
  • If “Unsigned” is displayed, it means the domain name has not enabled DNSSEC yet.
What is required for DNSSEC to “work” for a .SG domain name?
In order for DNSSEC to protect a .SG domain name, the domain name owner must enable it by instructing the DNS hosting provider to sign the zone and the domain name registrar to publish the corresponding DS record.

Once a .SG domain name is DNSSEC-enabled, end-users whose DNS resolvers perform DNSSEC validation (validation is usually enabled on the ISP’s resolvers rather than on the user’s device) will have the data validated for them, so the protection is seamless from the end-user’s point of view.

How can I enable DNSSEC for my .SG domain name?

To enable DNSSEC of your .SG domain name, you need to perform the following steps:

a) Confirm that your DNS hosting provider and sponsoring registrar of your .SG domain name both support DNSSEC;
Contact your DNS hosting provider and sponsoring registrar to find out if they support DNSSEC. DNSSEC cannot be enabled if either your DNS hosting provider or sponsoring registrar does not support DNSSEC.

b) Sign the DNS zone file of your .SG domain name; and
Request your DNS hosting provider to perform the DNSSEC signing for your .SG domain name. Your DNS hosting provider will then provide you with the Delegation Signer (DS) record for your domain name, which is a cryptographic hash of the zone’s key-signing key and is what the .SG zone will publish to link your zone into the chain of trust.

c) Submit Delegation Signer (DS) records to SGNIC via your sponsoring registrar.
Submit the Delegation Signer (DS) record to your sponsoring registrar. Your sponsoring registrar will submit the record to SGNIC. SGNIC will then publish your DS record in the .SG zone to complete the DNSSEC enabling process. Before submitting the DS, confirm that all of your authoritative name servers are already serving the signed zone and its DNSKEY records: a published DS that points at a key the zone does not serve causes validating resolvers to reject the whole domain.
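Steps b) and c) hand a DS record from the hosting provider to the registrar. The DS is not an arbitrary value: it is derived from the zone’s key-signing key (the DNSKEY record with flags 257), so a registrant can recompute it and confirm that the DS submitted to SGNIC really matches the key the provider publishes. The Go program below is an added example written for this page (not SGNIC’s or any provider’s tooling). It takes a DNSKEY line as printed by dig, computes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (digest type 2, over the owner name in wire format plus the DNSKEY RDATA), and compares the result with a DS line supplied by a provider. The domain name and the 4-byte “public key” in main are constructed so the key tag can be checked by hand; a real algorithm 13 (ECDSA P-256) key is 64 bytes.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// wireName turns an owner name such as "example.sg." into DNS wire format: \x07example\x02sg\x00.
// DS digests are computed over this form with the name lower-cased (RFC 4034 section 5.1.4).
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if label != "" { // the root name "." has no labels
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0)
}

// dnskeyRDATA is flags | protocol (always 3) | algorithm | public key (RFC 4034 section 2.1).
// Flags 257 (SEP bit set) mark a key-signing key, 256 a zone-signing key.
func dnskeyRDATA(flags uint16, alg uint8, pub []byte) []byte {
	return append([]byte{byte(flags >> 8), byte(flags), 3, alg}, pub...)
}

// keyTag is the RFC 4034 Appendix B checksum of the DNSKEY RDATA; it is the number that DS and
// RRSIG records use to say which key they refer to.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i%2)) // even-index bytes are the high octet of a 16-bit word
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// dsDigest is the DS digest of type 2 (SHA-256): SHA-256(owner name in wire form || DNSKEY RDATA).
func dsDigest(owner string, rdata []byte) []byte {
	sum := sha256.Sum256(append(wireName(owner), rdata...))
	return sum[:]
}

// fields splits a record in presentation form and drops the TTL that dig prints after the owner
// name, so "example.sg. 3600 IN DNSKEY ..." and "example.sg. IN DNSKEY ..." parse alike.
func fields(line string) []string {
	f := strings.Fields(line)
	if len(f) > 1 && f[1] != "IN" {
		f = append(f[:1], f[2:]...)
	}
	return f
}

// dsRecord turns a KSK DNSKEY line ("example.sg. IN DNSKEY 257 3 <alg> <base64>") into the DS line
// the registrant submits to the registrar. dig may split the base64 into space-separated chunks.
func dsRecord(dnskeyLine string) (string, error) {
	f := fields(dnskeyLine)
	if len(f) < 7 || f[2] != "DNSKEY" {
		return "", fmt.Errorf("want '<owner> [TTL] IN DNSKEY <flags> 3 <alg> <base64>', got %q", dnskeyLine)
	}
	var flags uint16
	var proto, alg uint8
	if _, err := fmt.Sscan(f[3]+" "+f[4]+" "+f[5], &flags, &proto, &alg); err != nil || proto != 3 {
		return "", fmt.Errorf("bad flags/protocol/algorithm fields in %q", dnskeyLine)
	}
	if flags&1 == 0 { // SEP bit clear: this is a ZSK; the DS must point at the KSK
		return "", fmt.Errorf("flags %d: not a key-signing key, refusing to build a DS", flags)
	}
	pub, err := base64.StdEncoding.DecodeString(strings.Join(f[6:], ""))
	if err != nil {
		return "", err
	}
	rdata := dnskeyRDATA(flags, alg, pub)
	return fmt.Sprintf("%s IN DS %d %d 2 %s", f[0], keyTag(rdata), alg, hex.EncodeToString(dsDigest(f[0], rdata))), nil
}

// dsMatches reports whether a DS line received from the hosting provider corresponds to the KSK in
// dnskeyLine; the comparison ignores case (digests are often printed in upper case) and any TTL.
func dsMatches(dnskeyLine, dsLine string) (bool, error) {
	want, err := dsRecord(dnskeyLine)
	if err != nil {
		return false, err
	}
	return strings.EqualFold(strings.Join(fields(dsLine), " "), want), nil
}

func main() {
	// Constructed sample: a 4-byte "public key" (base64 AQIDBA==) gives key tag 2068 by hand:
	// RDATA 01 01 03 0d 01 02 03 04 summed as 16-bit words is 0x0814.
	dnskey := "example.sg. 3600 IN DNSKEY 257 3 13 AQIDBA=="
	ds, err := dsRecord(dnskey)
	fmt.Println(ds, err)
	ok, _ := dsMatches(dnskey, "example.sg. IN DS 2068 13 2 DEADBEEF")
	fmt.Println("provider DS matches DNSKEY:", ok) // false: the digest does not match the key
}
```

In practice the DNSKEY line comes from querying the provider’s name servers (for example `dig example.sg DNSKEY`) and the DS line from the provider’s control panel; if dsMatches returns false, do not submit the DS, because SGNIC would publish a pointer to a key that the zone is not signed with.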

If my domain name is not DNSSEC-signed, can it be resolved by DNSSEC-aware resolvers?
Yes, it can still be resolved. End users would not be affected.
If my domain name is DNSSEC-signed, can it be resolved by non DNSSEC-aware resolvers?
Yes, it can still be resolved. End users would not be affected.
Can SGNIC help sign my domain name?
No. Please contact your DNS hosting provider to sign your domain name.
Can I transfer my domain name to another registrar after DNSSEC is enabled?
Yes. However, owners must confirm that the new registrar also supports DNSSEC. If the new registrar does not support DNSSEC, you will need to disable DNSSEC on your domain name by requesting the existing registrar to remove the DS record. Have the DS removed before the zone is unsigned, and keep the zone signed until the old DS has expired from resolver caches; otherwise validating resolvers will reject your domain name in the meantime.
Can I change my DNS hosting provider after DNSSEC is enabled?
Yes. However, the change can be complex as it involves both the old and the new DNS hosting provider. The exact process depends on how the two providers implement DNSSEC on their systems (e.g. whether the old provider will release the existing signing keys, and whether the new provider accepts the old keys or requires new ones, in which case a new DS record must be published through your registrar before the old provider stops serving the zone). For details please check with both providers.
How does an end-user get DNSSEC protection?
To be DNSSEC-protected, an end-user must use a DNS resolver that performs DNSSEC validation (i.e. one that is DNSSEC-aware). End-users usually depend on their ISPs for DNS resolution, in which case the ISPs’ DNS resolvers should perform the DNSSEC validation. It is also possible for technically inclined end-users to enable DNSSEC validation locally on their devices (e.g. a laptop).
How can an end-user tell if he is using a DNSSEC-aware resolver?

Click on this link http://www.dnssec-bogus.sg to access a website whose DNSSEC signatures have been deliberately broken. If the user can see the contents of the page (sample screenshot below), the user’s DNS resolver is not performing DNSSEC validation.


If the user’s DNS resolver is DNSSEC-aware, the user will not be able to reach the website: the resolver detects that the zone’s signatures do not validate and returns an error (SERVFAIL) instead of an IP address. The browser therefore shows its own error page; the exact message differs between browsers (sample screenshots below).

(Sample screenshots: the browser error page as shown in Chrome, Internet Explorer v11, Edge and Safari.)

What DNSSEC-aware resolvers can an end-user use?
The following public DNS resolvers perform DNSSEC validation:
  • Google Public DNS (8.8.8.8 and 8.8.4.4)
  • Verisign Public DNS (64.6.64.6 and 64.6.65.6)
  • Quad9 (9.9.9.9)
  • Cloudflare (1.1.1.1)

An end-user can also check with their ISP on whether it runs DNSSEC-validating DNS resolvers.