DNSSEC
Definition
DNSSEC (Domain Name System Security Extensions) is a suite of specifications (RFC 4033, 4034 and 4035) that protects the integrity and authenticity of DNS data. A zone operator signs each resource record set with a private key and publishes the matching public key as a DNSKEY record; a validating resolver checks the RRSIG signatures on the answers it receives and follows a chain of trust, anchored at the root zone and linked through DS records at each parent, down to the zone being queried. An answer that has been forged or modified fails validation and is discarded, which defeats cache poisoning and on-path tampering with DNS responses. DNSSEC does not encrypt queries or responses (it provides no confidentiality), it does not prevent a man-in-the-middle from reading traffic, and it only protects clients whose resolver actually performs validation.
Secure Settings Example
# Example of enabling DNSSEC validation and automatic zone signing on a BIND 9 server (BIND 9.16 or later)
options {
    # Validate all answers against the built-in root trust anchor (kept current via RFC 5011)
    dnssec-validation auto;
    # Note: dnssec-enable is obsolete (signing support is always on), and dnssec-lookaside (DLV)
    # was retired in 2017 and removed from BIND; neither belongs in a current configuration.
};
zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";
    # Directory holding the zone's private keys; restrict it to the named user
    key-directory "/etc/bind/keys";
    # Let named generate, roll and use the signing keys according to the built-in default policy
    # (older releases used "auto-dnssec maintain;" for this)
    dnssec-policy default;
    inline-signing yes;
};
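Signing the zone as configured above only completes the chain of trust from the definition once the parent zone publishes a DS record that matches the zone's key-signing DNSKEY (BIND's dnssec-dsfromkey prints that record). The script below is an added example, not code from this page or from BIND: it recomputes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4509) from a DNSKEY in presentation format and checks whether a DS record, for instance one read back from the parent with dig, actually covers that key, rejecting a SHA-1 DS as RFC 8624 requires for new delegations. The DNSKEY and DS records are constructed with a fake public key, and all function names are assumptions of this example.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4509, RFC 6605). SHA-1 (type 1) must no longer be used for
# new delegations per RFC 8624; SHA-256 (type 2) is mandatory to implement.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form: lower-cased labels, RFC 4034 section 6.2."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(presentation):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...' into (owner, rdata)."""
    fields = presentation.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type=2):
    """DS rdata (key tag, algorithm, digest type, hex digest) the parent zone must publish."""
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_ds(presentation):
    """Parse 'owner [ttl] [class] DS keytag algorithm digesttype hex...' into a tuple."""
    fields = presentation.split()
    idx = fields.index("DS")
    tag, algorithm, digest_type = (int(x) for x in fields[idx + 1:idx + 4])
    return tag, algorithm, digest_type, "".join(fields[idx + 4:]).lower()


def check_delegation(dnskey_presentation, ds_presentation):
    """Return (ok, reason): does the DS at the parent cover this child DNSKEY?"""
    owner, rdata = parse_dnskey(dnskey_presentation)
    ds = parse_ds(ds_presentation)
    if ds[2] == 1:
        return False, "DS uses SHA-1 (digest type 1); publish a SHA-256 (type 2) DS instead"
    if ds[2] not in DS_DIGESTS:
        return False, "unsupported DS digest type %d" % ds[2]
    expected = ds_from_dnskey(owner, rdata, ds[2])
    if expected != ds:
        return False, "DS does not match DNSKEY: expected %s, got %s" % (expected, ds)
    return True, "DS matches DNSKEY with key tag %d" % expected[0]


# Constructed sample, not a real key: a KSK (flags 257) for example.com, algorithm 13
# (ECDSAP256SHA256), whose 64-byte "public key" is simply the bytes 0..63.
SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(SAMPLE_PUBKEY).decode()


def sample_ds(digest_type=2):
    """The DS record the parent (.com) would need to publish for SAMPLE_DNSKEY."""
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    tag, algorithm, dtype, digest = ds_from_dnskey(owner, rdata, digest_type)
    return "example.com. 86400 IN DS %d %d %d %s" % (tag, algorithm, dtype, digest)


if __name__ == "__main__":
    good = sample_ds()
    # Flip the last hex digit of the digest to simulate a stale or mistyped DS at the registrar
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")
    print(check_delegation(SAMPLE_DNSKEY, good))
    print(check_delegation(SAMPLE_DNSKEY, tampered))
    print(check_delegation(SAMPLE_DNSKEY, sample_ds(digest_type=1)))
```

This checks only the delegation link between parent and child; it does not verify RRSIG signatures. For end-to-end validation of a live zone use delv, or a DNS library with DNSSEC support such as dnspython's dns.dnssec module, and confirm that a validating resolver returns the ad flag for the zone.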
Insecure Settings Example
# Example of a BIND DNS server configuration with DNSSEC disabled (do not use)
options {
    # Signatures in answers are never checked, so forged or poisoned responses are accepted
    # (dnssec-enable is obsolete in current BIND; dnssec-validation no is the setting that disables validation)
    dnssec-enable no;
    dnssec-validation no;
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    # The zone is served unsigned: no DNSKEY or RRSIG records, so no resolver can authenticate it
    auto-dnssec off;
};