Why DNSSEC Matters
October 20, 2017
Domain Name System Security Extensions (DNSSEC) is an acronym many people like yourself have probably never heard of.
DNSSEC is not new. As a matter of fact, it’s been around since 2007, but only in the last several years has it gained traction.
Recently we discovered two issues where, because of DNSSEC and Google Public DNS, our website was inaccessible. By inaccessible we mean a user visiting a website (without DNSSEC implemented) gets a DNS error. It’s as if the site never existed. Scary stuff!
Before we explain how this issue was discovered, let’s take a closer look at DNSSEC and its real purpose.
How DNSSEC Works
DNSSEC operates by adding security to the DNS protocol, thus enabling DNS responses to be validated.
Its purpose is to prevent an attacker from hijacking a DNS request and sending the user to the hijacker’s own malicious website.
Image courtesy of CloudFlare
When DNSSEC is enabled, a digital signature is deployed and checked at each step in the DNS lookup process, from the root zone down to the domain name. This process validates the address of the site before a user can visit it.
When DNSSEC Becomes a Problem
Google Public DNS uses DNSSEC validation by default. As of May 2013, all DNS queries run by Google Public DNS are validated. Without DNSSEC, the query returns a DNS error.
You’re probably wondering who the heck uses Google Public DNS? Some more advanced Internet users and developers believe Google Public DNS is faster than, for example, the DNS provided by your ISP.
According to Google, Google Public DNS is the largest public DNS in the world.
In our case, a friend who owns a computer repair business (and uses Google Public DNS) discovered the problem. When he entered our domain name in a browser, he received a DNS error.
How to Implement DNSSEC
It’s easy to set up a DNSSEC record at your registrar, but that’s only half the solution.
Namecheap advanced DNS settings
Next you have to get your web host to allow you to set a DNSSEC record. In our case, we use SiteGround to host this site.
According to several conversations we’ve had with SiteGround, they have no immediate plans to implement DNSSEC. This is a bit worrisome to say the least.
“At this point, we do not support DNSSEC. Thus we are not able to install the DNSSEC for a particular domain. We will ensure a global update is posted once this technology is supported on our configuration, but I’m afraid at this time we cannot provide this service.”
We’re fans of SiteGround, especially its excellent technical support; however, its failure to offer DNSSEC is not good.
If you find yourself in a similar situation, you have two choices – find another web host or run your site through CloudFlare. CloudFlare offers what they refer to as Universal DNSSEC.
Google Wifi Presents Another Issue
The Google Wifi mesh network presents another DNSSEC problem. Google Wifi uses Google Public DNS by default, thus blocking any site that does not have DNSSEC records in place.
After a bit of checking, we determined the issue was with Google Wifi which acts as a router. When we bypassed Google Wifi by connecting directly to the modem, our site and email worked.
Interestingly enough, from within the Google Wifi app there is a setting that allows a user to choose an ISP’s DNS instead of the default Google Public DNS.
To access this setting from within the Google app, go to Settings > Network & General > Advanced Networking.
DNSSEC is a good validation solution. However, until it is universally supported, it will continue to present problems if you host with a provider that does not offer support for the specification.
Google has a way of cajoling the Internet as a whole to adopt practices that otherwise might take years to become standard. It would not surprise us if DNSSEC follows the same path as Google’s push to make HTTPS standard for every website.
Potential Problems with DNSSEC
Updated February 6, 2018.
If for some reason you need to remove a DNSSEC record, this can cause major issues with your site.
In our case, we decided to replace an expiring SSL with a free version offered by Let’s Encrypt. Easy enough, or so we thought.
Let’s Encrypt (via cPanel) would not allow us to install an SSL certificate with our current DNSSEC record set at the registry level. We originally set the record in the hopes we could create a matching record at SiteGround. As mentioned earlier, SiteGround does not support DNSSEC, thus some of the blame lies on us for not removing this record months ago.
Namecheap does not allow you to delete an existing DNSSEC record. Rather you have to toggle a switch to the off position. What toggling the switch to the off position actually does, is unknown. We were not able to get a definitive answer from Namecheap.
We do know, however, that once the DNSSEC record was set to the off position, we lost our A record. A huge problem!
Apparently disabling DNSSEC created an unsigned Delegation Signer (DS) record. A DS record provides information about a signed zone file.
In simpler terms, a DS record is used to secure delegations and references a DNSKEY record in the sub-delegated zone. Delete the unsigned DS record and the issue is solved.
The problem we ran into is that the support persons we had contact with at Namecheap were inexperienced. We had to press the issue and provide proof that the recently deactivated DNSSEC record was indeed to blame.
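The DS-to-DNSKEY link is the same link that makes up each step of the chain described under “How DNSSEC Works” (root to TLD, TLD to your domain). The following Python is an added example, not code from the original post or from any registrar or host: it derives a DS record from a child zone’s DNSKEY the way RFC 4034 specifies (key tag plus a hash over the owner name and the DNSKEY RDATA) and reports what a validating resolver concludes in three situations: DS and DNSKEY linked, no DS at all, and a DS left at the registry with no DNSKEY behind it, which is the situation described above. The domain name and the key bytes are constructed for illustration, and algorithm 13 with a SHA-256 digest is an assumed choice.

```python
"""How a DS record at the parent zone points to a DNSKEY in the child zone (RFC 4034).

Added example for this post; not code from the original article. The key bytes
below are constructed for illustration and are not a real key for any domain.
"""
import hashlib
from dataclasses import dataclass

# DS digest types (RFC 4034 section 5.1.3, RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); it pairs a DS with a DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes,
            digest_type: int = DIGEST_SHA256) -> DS:
    """Derive the DS the parent should publish for this child DNSKEY (RFC 4034 section 5.1.4).

    digest = hash(canonical owner name || DNSKEY RDATA)
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = hashlib.sha256 if digest_type == DIGEST_SHA256 else hashlib.sha1
    digest = hasher(wire_name(owner) + rdata).digest()
    return DS(key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(ds: DS, owner: str, dnskey: tuple) -> bool:
    """True if recomputing the DS from this DNSKEY reproduces the parent's DS exactly."""
    flags, protocol, algorithm, pubkey = dnskey
    return make_ds(owner, flags, protocol, algorithm, pubkey, ds.digest_type) == ds


def chain_status(owner: str, parent_ds_set: list, child_dnskeys: list) -> str:
    """What a validating resolver concludes about the delegation to `owner`.

    Simplified: a real validator also checks RRSIGs and the parent's proof that no DS exists.
    """
    if not parent_ds_set:
        return "insecure"  # no DS at the parent: zone is unsigned, answers are still returned
    for ds in parent_ds_set:
        for dnskey in child_dnskeys:
            if ds_matches_dnskey(ds, owner, dnskey):
                return "secure"  # the chain of trust links parent to child
    return "bogus"  # DS published but the child serves no matching DNSKEY: SERVFAIL to clients


# Constructed sample: a KSK (flags 257) for algorithm 13 with a fake 64-byte public key.
OWNER = "example.com."
SAMPLE_KSK = (257, 3, 13, bytes(range(64)))


def demo() -> dict:
    """The three states a delegation can be in, including the broken one described in the post."""
    ds = make_ds(OWNER, *SAMPLE_KSK)
    return {
        "signed_and_linked": chain_status(OWNER, [ds], [SAMPLE_KSK]),
        "never_signed": chain_status(OWNER, [], []),
        # DS still at the registry while the host publishes no DNSKEY (the situation above).
        "stale_ds": chain_status(OWNER, [ds], []),
    }


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state:18} -> {verdict}")
```

The “stale_ds” case is the one to look for when a site disappears only for users on validating resolvers: the registry still hands out a DS, the host answers without any DNSKEY that hashes to it, and the resolver treats the zone as bogus rather than unsigned. Removing the DS at the registrar returns the delegation to the “insecure” state, which validators accept.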
Perhaps things work differently at other registrars. However if you run into issues after removing a DNSSEC record, it may be worth your while to do some investigation on your own before lashing out at support persons. We used the DNSSEC trace tool available at https://dnslookup.org to solve this problem.