Episode 1

Why do we need DNSSEC?

Good question! Why do we need DNSSEC?

DNS was created when the Internet was tiny and small.

Security was not a primary concern in its design.

DNS's main job is to translate human-friendly names to the IP addresses needed by your network-connected devices.

DNS is like a big phone book that your devices use to fetch websites or deliver emails.

**DNS resolvers** are in charge of tracking down this information for you.

And that data is often provided by **authoritative servers**.

But DNS resolvers have no way to verify the authenticity of a response from an authoritative server.

What if the response has been tampered with?

This is where **DNSSEC** comes in.

Resolvers? Authoritative name servers? What are all these things? Check out [**HowDNS.works**](https://howdns.works) for a refresher and come back here.

I'll be waiting.

DNSSEC stands for Domain Name System Security Extensions.

Like HTTPS, DNSSEC provides a layer of security by allowing authenticated answers on top of DNS.

However, there is an important difference.

HTTPS encrypts traffic so no crabs can spy on your data.

**DNSSEC signs DNS data** to detect that no crabs have been messing with your DNS responses.

Bad crab. Bad.

DNSSEC doesn't include full encryption like HTTPS does.

The data is not kept confidential between the resolver and the authoritative server.

Let's dig a bit deeper into DNSSEC. Ready?