Introduction to DNSSEC
The Domain Name System Security Extensions, DNSSEC for short, is an end-to-end deployment security protocol for the Domain Name System (DNS) that enables DNS responses to be validated through Key Pairs and Digital Signatures technologies. With the use of DNSSEC, we can rest assured that .hk domain services are reliable and trustworthy, directing all traffic to the right websites.
- Why Do We Need DNSSEC?
DNS is one of the basic building blocks of the Internet. Serving as a phone book for the Internet, DNS translates machine-readable numerical IP addresses (e.g. 18.104.22.168) to human-readable web addresses (e.g. www.hkirc.hk). However, the DNS has a fundamental security flaw, raising both economic concerns (in terms of revenue losses, fraud and brand damage) and security issues for users (identity theft) and companies (traffic redirection).
- Vulnerability of DNS
- When a user gives a hostname, the DNS tells the computer where to send and retrieve information, yet it accepts any IP address given. This security flaw allows attackers to hijack the process of “translation” and redirect users to hijackers’ own deceptive websites.
- Key Statistics
- The number of computer security incident reports increased by over 23% to 6,058 reported cases in 2016 compared with the previous year. Up to 2017 Q2 alone, 2,430 incidents had been reported, according to the Hong Kong Computer Emergency Response Team (HKCERT). Meanwhile, computer crimes caused a total financial loss of HK$2.3 billion in 2016, as revealed by the Hong Kong Police Force.
The solution is to introduce an Internet security measure, an end-to-end deployment security protocol to secure DNS’s Internet infrastructure. With the use of DNSSEC, we can increase the security, reliability and trustworthiness of .hk domain names while ensuring Internet users are accessing the right websites.
- How Does DNSSEC Work?
DNSSEC was designed to conduct data origin authentication and ensure data integrity through the Key Pairs and Digital Signatures technologies. Key Pairs are just like the keys of a safe deposit box, where you would need to use two keys simultaneously in order to open the box. With Key Pair technology, each DNS query can be verified via the “Chain-of-trust”, which provides data origin authentication.
Digital Signatures are used to verify the unique identity of a DNS record. By verifying the Digital Signature with the DNS record, DNSSEC is able to ensure data integrity.
Without DNSSEC, Internet addresses are exposed to cyber-attack threats such as DNS cache poisoning and DNS spoofing.
- Benefits of DNSSEC
The full deployment of DNSSEC ensures that users connect to the actual website corresponding to a particular domain name:
- Ensuring that Internet users are directed to the websites or services they expect when entering domain names into their browsers
- Providing an extra layer of security to improve reliability, trustworthiness and quality of DNS
- Conducting data origin authentication and ensuring data integrity when sending/retrieving information online
- Safeguarding the online environment and strengthening trust on the Internet
- Work Together for a Safer Place
As a global financial hub, securing administration of domain name infrastructure in Hong Kong is crucial to the Internet community. The development of DNSSEC for .hk will bring more collaborations within the Internet community to embrace the technology for better Internet security.
It is important for domain registrars, resellers and relevant parties in Hong Kong to collaborate and plan ahead for DNSSEC deployment in their development schedule. By working together, we can further our commitment to fostering a safe Internet environment on a secured DNS for .hk – a core part of the Internet’s global addressing system.
- Article Contribution
By sharing valuable insights from IT security and industry leaders, we hope to help businesses and the community build a secure Internet culture, raising awareness of DNSSEC amongst all parties and stakeholders:
- Safeguarding your Domain Name with DNSSEC by HKIRC
- Domain Name System by HKCERT
- The Business Case for DNSSEC by ICANN
You are welcome to contact the Marketing Department via firstname.lastname@example.org to share your insights and articles.
- Operational Readiness
HKIRC provides a free DNSSEC testing platform for all interested parties to perform trial runs. This presents major opportunities to reduce deployment risks and provides a greater assurance of operational readiness.
We have set 3 domains as examples for you to test DNSSEC’s effectiveness:
You are invited to apply for a test run. You are welcome to contact us via email@example.com or call 2319 2303 for further information.