Why DNSSEC Matters

October 20, 2017

Domain Name System Security Extensions (DNSSEC) is an acronym many people like yourself have probably never heard of.

DSNSEC is not new. Matter of fact it’s been around since 2007, but only in the last several years has it gained traction.

Recently we discovered two issues of which because of DNSSEC and Google Public DNS, our website was inaccessible.  By inaccessible we mean a user visiting a website (without DNSSEC implemented) gets a DNS error. It’s as if the site never existed. Scary stuff!

Before we explain how this issue was discovered, let’s take a closer look at DNSSEC and its real purpose.

How  DNSSEC Works

DNSSEC operates by adding security to the DNS protocol, thus enabling DNS responses to be validated.

Its purpose is to prevent an attacker from hijacking the process of a DNS request and sending the user to the hijacker’s own malicious website.

Image courtesy of CloudFlare

When DNSSEC is enabled a digital signature is deployed at each step in the DNS lookup process, from the root zone to the domain name.  This process validates the address of the site before a user can visit. 

When DNSSEC Becomes a Problem

Google Public DNS by default uses DNSSEC validation. As of May 2013 all DNS queries run by Google Public DNS are validated. No DNSSEC and the query returns a DNS error.

You’re probably wondering who the heck uses Google Public DNS? Some more advanced Internet users and developers believe Google Public DNS is faster than for example the DNS provided by your ISP.

According to Google, Google Public DNS is the largest public DNS in the world.

In our case, a friend who owns a computer repair business (and uses Google Public DNS) discovered the problem. When he entered our domain name in a browser, he received a DNS error. 

How to Implement DNSSEC

It’s easy to set up a DNSSEC record at your registrar, but that’s only half the solution.

Namecheap advanced DNS settings

Next, you have to get your web host to allow you to set a DNSSEC record. In our case, we use SiteGround to host this site.

According to several conversations we’ve had with SiteGround, they have no immediate plans to implement DNSSEC. This is a bit worrisome, to say the least.

“At this point, we do not support DNSSec. Thus we are not able to install the DNSSEC for a particular domain. We will ensure a global update is posted once this technology is supported on our configuration, but I’m afraid at this time we are cannot provide this service.”

We’re a fan of SiteGround, especially the excellent technical support, however failure to offer DNSSEC is not good.

If you find yourself in a similar situation, you have two choices – find another web host or run your site through Cloudflare which offers what they refer to as Universal DNSSEC. 

Google Wifi Presents Another Issue

Google Wifi mesh network presents another DNSSEC problem. Google Wifi uses Google Public DNS by default, thus blocking any site that does not have DNSSEC records in place.

We found this out the hard way. After installing Google Wifi we noticed our email went down. A quick check also showed our website refused to resolve. 

After a bit of checking, we determined the issue was with Google Wifi which acts as a router. When we bypassed Google Wifi by connecting directly to the modem, our site and email worked. 

Interestingly enough, from within the Google Wifi app, there is a setting that allows a user to choose an ISP’s DNS instead of the default Google Public DNS.

To access this setting from within the Google app, go to Settings > Network & General > Advanced Networking. 

DNSSEC is a good validation solution. However until it is universally supported, it will continue to present problems if you host with a provider that does not offer support for the specification.

Google has a way of cajoling the Internet as a whole to adopt practices that otherwise might take years to become standard. It would not surprise us if DNSSEC follows the same path as Google’s push to make HTTPS standard for every website.

Potential Problems with DNSSEC

Updated February 6, 2018.

If for some reason you need to remove a DNSSEC record, this can cause major issues with your site.

In our case, we decided to replace an expiring SSL with a free version offered by Let’s Encrypt. Easy enough, or so we thought.

Let’s Encrypt (via cPanel) would not allow us to install an SSL with our current DNSSEC record set at the registry level. We originally set the record in the hopes we could create a matching record at SiteGround. As mentioned earlier, SiteGround does not support DNSSEC, thus some of the blame lies on us for not removing this record.

Namecheap does not allow you to delete an existing DNSSEC record. Rather you have to toggle a switch to the off position. What toggling the switch to the off position actually does, is unknown. We were not able to get a definitive answer from Namecheap.

We do know however once the DNSSEC record was set to the off position, we lost our A record. A huge problem!

Apparently disabling the DNSSEC created an unsigned (DS) Delegation of Signing record. A DS record provides information about a signed zone file.

In simpler terms, a DS record is used to secure delegations and references a DSNKEY record in the sub-delegated zone. Delete the unsigned DS record and the problem issue is solved.

The problem we ran into is the support persons we had contact with at Namecheap were inexperienced. We had to press the issue and provide proof that indeed that the recently deactivated DNSSEC record was to blame.

Perhaps things work differently at other registrars. However, if you run into issues after removing a DNSSEC record, it may be worth your while to do some investigation on your own before lashing out at support persons. We used the DNSSEC trace tool available at https://dnslookup.org to solve this problem.