My take on DNSSEC – Part 1: Why do I need that?

DNS [1] is probably one of the most important protocols on the internet. Everybody uses it countless times each day, usually without even noticing it. Every time somebody visits a website, every time somebody sends a mail, every time somebody wants to do literally ANYTHING on the internet, a DNS server is involved.

What it does is fairly straightforward: it is a dictionary of domain names (like or and the associated IP address (like or 2001:DB8::12). If a user wants to access a website at a certain domain, the browser first queries a DNS server for the IP address of the domain and then connects to the server with that address. Essentially it is a phonebook [2] for the internet.

Sadly the protocol is about as ancient as internet protocols get, having been developed in 1983. In those early days, nobody designed protocols to be protected against malicious attacks. For this reason DNS is horribly insecure, and a large-scale attack on the internet could probably render the entire internet unusable (for some time) [3]. But it can also be compromised in more subtle ways, e.g. by directing users to the wrong servers for phishing attacks.

To improve the situation, the DNSSEC protocol was developed. It could be argued that DNSSEC is far from perfect [4], but at least it is a step in the right direction. For this reason I want to talk a bit about DNSSEC: what it does, how I use it on my server and how it can be used in clients.

But that will start in part 2.