Episode 1

Why do we need DNSSEC?

Good question! Why do we need DNSSEC?

DNS was created the Internet was tiny small.

Security was not a primary concern in its design.

Simply put, DNS main job is to translate human-friendly names to IP addresses needed by your laptop, phones, and other network devices.


DNS is like a big phone book that your devices use to fetch you a website, or deliver your emails.

DNS resolvers are the ones in charge of tracking down this information for you.


And that data is often provided by authoritative servers.


But DNS resolvers have no way to verify the authenticity of a response from an authoritative server.

What if the response has been tampered with?

This is where DNSSEC comes in.

Resolvers? Authoritative name servers? What are all these things? Check out HowDNS.works for a refresher and come back here.

I'll be waiting.

DNSSEC is short for Domain Name System Security Extensions.

Like HTTPS, DNSSEC provides a layer of security by allowing authenticated answers on top of DNS.

However, there is a important difference.

HTTPS encrypts traffic so no crab can spy on your data.


DNSSEC signs DNS data to detect that no crabs have been messing with your DNS responses.


Bad crab. Bad.

DNSSEC doesn't include full encryption like HTTPS does.

The data is not kept confidential and secret between the resolver and the authoritative server.

Let's dig a bit deeper on DNSSEC. Ready?