What is DNSSEC in the DNS Servers configuration?
- Domain Name System Security Extensions (DNSSEC) strengthens authentication in DNS using digital signatures based on public key cryptography.
- Enabling DNSSEC validates DNS replies and caches DNSSEC data. The name servers upstream of this device must be DNSSEC-capable, i.e. able to return the DNSSEC records along with the answer data.
Check Unsigned Replies Checkbox:
- By default, dnsmasq checks that unsigned DNS replies are legitimate, which can require extra queries. If Check Unsigned Replies is unchecked in the configuration, unsigned DNS replies are presumed to be legitimate and allowed. This is faster, but an attacker can then forge unsigned replies for signed DNS zones. Unchecking this box also makes everything appear to work even when the upstream name servers do not support DNSSEC, in which case no DNSSEC validation is occurring at all.
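As an added example (not from the original page and not dnsmasq's own code), the following POSIX shell script turns the two points above into checks a practitioner can run. `config_mode` reads a dnsmasq configuration fragment and reports whether validation is off, strict (unsigned replies are checked) or permissive (`dnssec-check-unsigned=no`), and `classify_reply` inspects `dig +dnssec` output for the AD flag and RRSIG records, which is the only client-visible way to confirm that validation is actually occurring rather than merely appearing to work. The configuration fragments and dig replies are constructed for this example; the dnsmasq keywords, the `=no` form of the option and the root trust anchor are assumed from dnsmasq's own documentation and the published root KSK.

```shell
#!/bin/sh
# Added example, not part of the original page or of dnsmasq itself.
# Two offline checks for the situations the page describes:
#   config_mode    - which DNSSEC mode a dnsmasq config fragment actually selects
#   classify_reply - whether a captured `dig +dnssec` reply proves validation happened
# Assumed dnsmasq keywords: dnssec, trust-anchor, dnssec-check-unsigned[=no].

# Constructed config: DNSSEC on, unsigned replies checked (the page's default).
# The trust anchor is the published root KSK-2017 DS record; verify it against
# IANA's root-anchors before relying on it.
CONF_STRICT='dnssec
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
server=192.0.2.53'

# Constructed config: DNSSEC on, but "Check Unsigned Replies" switched off.
CONF_PERMISSIVE='dnssec
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec-check-unsigned=no
server=192.0.2.53'

# Constructed config: no DNSSEC at all.
CONF_OFF='server=192.0.2.53'

# Echo off | strict | permissive for the config text given as $1.
config_mode() {
    if ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*dnssec[[:space:]]*(#.*)?$'; then
        echo off
    elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*dnssec-check-unsigned=no[[:space:]]*(#.*)?$'; then
        echo permissive
    else
        echo strict
    fi
}

# Constructed dig outputs, trimmed to the lines that matter.
# Validated reply from a DNSSEC-validating dnsmasq: AD flag set, RRSIG present.
REPLY_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.    3600    IN    A       192.0.2.10
example.com.    3600    IN    RRSIG   A 13 2 3600 20240201000000 20240101000000 12345 example.com. c29tZXNpZ25hdHVyZQ=='

# The same answer fetched from an upstream that returns DNSSEC records but does
# not validate: RRSIG present, no AD flag. This is what a DNSSEC-capable upstream
# looks like when queried directly.
REPLY_SIGNED_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.    3600    IN    A       192.0.2.10
example.com.    3600    IN    RRSIG   A 13 2 3600 20240201000000 20240101000000 12345 example.com. c29tZXNpZ25hdHVyZQ=='

# No RRSIG and no AD: either a genuinely unsigned zone or an upstream that
# drops DNSSEC records. The reply alone cannot tell you which; that is exactly
# the gap "Check Unsigned Replies" closes.
REPLY_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.    3600    IN    A       192.0.2.10'

# AD (Authenticated Data) in the flags line means the resolver validated the answer.
has_ad_flag() { printf '%s\n' "$1" | grep -Eq '^;; flags:( [a-z]+)* ad( [a-z]+)*;'; }

# RRSIG records in the answer mean the server at least passes DNSSEC data through.
has_rrsig() { printf '%s\n' "$1" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; }

# Echo validated | signed-not-validated | unsigned for the dig reply given as $1.
classify_reply() {
    if has_ad_flag "$1"; then echo validated
    elif has_rrsig "$1"; then echo signed-not-validated
    else echo unsigned
    fi
}

# Live variant: classify a real query through a resolver (default: local dnsmasq).
live_classify() { classify_reply "$(dig +dnssec "$1" @"${2:-127.0.0.1}")"; }

# Stand-alone demonstration over the constructed samples.
printf 'strict config      -> %s\n' "$(config_mode "$CONF_STRICT")"
printf 'permissive config  -> %s\n' "$(config_mode "$CONF_PERMISSIVE")"
printf 'no-dnssec config   -> %s\n' "$(config_mode "$CONF_OFF")"
printf 'validated reply    -> %s\n' "$(classify_reply "$REPLY_VALIDATED")"
printf 'upstream reply     -> %s\n' "$(classify_reply "$REPLY_SIGNED_NO_AD")"
printf 'stripped/unsigned  -> %s\n' "$(classify_reply "$REPLY_UNSIGNED")"
```

Run the script as-is to see the six sample verdicts. `live_classify example.com` queries the local resolver, and `live_classify example.com 192.0.2.53` (substitute your upstream) shows whether that upstream returns RRSIG records at all; a verdict of `unsigned` for a zone you know is signed means the upstream is not DNSSEC-capable, and with Check Unsigned Replies off dnsmasq will quietly accept its answers without validating anything.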