F.A.Q.
What is DNS(SEC)?
DNS is the link between man and machine. When you want to visit a website,
you type the name of the site into your browser. However, to reach that site,
your browser needs something called an IP address. In order to get the site’s
IP address, your browser uses the DNS protocol. The DNS is like a phone book
for the internet. If the DNS is tampered with by fraudsters or others, your
browser could be sent the wrong IP address. Then you will be connected to the
wrong web server, and find yourself looking at a different site – with potentially far-reaching
consequences. DNSSEC is an extension to the DNS Protocol, intended to detect
and prevent such forms of abuse. With DNSSEC, your DNS is more secure.
The test result is a green tick; what does that mean?
The green tick is good. It means that the DNS server your computer uses actively
supports the DNSSEC Protocol. So you are better protected against abuse of the DNS Protocol.
I see a red cross; what's that all about?
A red cross means that you aren’t benefiting from the added security offered by DNSSEC.
Compared with someone whose set-up is DNSSEC-enabled, you are more vulnerable to abuse of the DNS.
What can I do if I want to benefit from the added security that DNSSEC offers?
That depends on the way you use the DNS. Many internet users rely on the DNS service
provided by their Internet Service Providers (ISPs). If that’s the case with you, you
need your ISP to activate DNSSEC. You may wish to contact your ISP about it.
However, it could be that the reason you aren’t benefiting from DNSSEC is that there
is a modem or router between your computer and the DNS server(s) you use, which does
not understand DNSSEC. In that case, you may have to upgrade the firmware on your
modem or router. More advanced users may decide to configure DNS servers that support
DNSSEC, or even run their own DNS server that supports DNSSEC (a so-called validating resolver).
If you did the test in a business environment, you may wish to contact your IT department.
However, be ready for the possibility that your IT colleagues aren’t immediately
able to help you – not very many people are familiar with DNSSEC yet.
How vulnerable am I without DNSSEC?
That depends. If you are using very old DNS software, you may be at risk.
If you are using up-to-date DNS software, the risks are much smaller.
However, the best protection against DNS abuse is provided by DNSSEC.
I don’t understand about servers and clients. How does it all work?
It’s up to the person who controls a domain whether it is secured using DNSSEC.
So, for example, ‘sidn.nl’ is protected, because SIDN has decided to protect
it with a digital signature. However, DNSSEC only provides added security if the
equipment at the other end – your end – is able to verify digital signatures.
Unfortunately, it is hard for most internet users to know whether that’s the
case or not, because the working of the DNS is hidden from sight.
With the test available here, you can find out in a matter of seconds
whether you are able to benefit from DNSSEC. Just for the record, this
test doesn't tell you whether a domain is protected (you need to do a
different test to find that out). It only tells you whether you are currently
able to benefit from the added protection when it is available.
It is worth noting that more and more domains are opting for DNSSEC protection.
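The check for a validating resolver, sketched as an added example that is not SIDN's own test code: this page does not say how the test works, so the sketch assumes the common approach of comparing the resolver's reply for a correctly signed name with its reply for a name whose signatures are deliberately broken. The response headers are constructed samples and all function names are hypothetical.

```python
import struct

NOERROR, SERVFAIL = 0, 2

def build_query(name, qid=0x1234):
    """A-record query with RD=1 and an EDNS0 OPT record whose DO bit asks for DNSSEC data."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP size, ext-rcode, version, flags (DO=0x8000), RDLEN
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Extract QR, AD and RCODE from the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags = struct.unpack("!HH", response[:4])
    return {"qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020), "rcode": flags & 0x000F}

def classify(signed_resp, broken_resp):
    """Compare the replies for a correctly signed name and a deliberately broken one."""
    good, bad = parse_flags(signed_resp), parse_flags(broken_resp)
    if not (good["qr"] and bad["qr"]):
        raise ValueError("expected DNS responses, got a query")
    if good["rcode"] != NOERROR:
        verdict = "inconclusive"        # even the valid name fails, so nothing can be concluded
    elif bad["rcode"] == SERVFAIL:
        verdict = "validating"          # bogus signatures were rejected
    elif bad["rcode"] == NOERROR:
        verdict = "not validating"      # bogus data was passed on to the client
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "ad_on_signed": good["ad"]}

def fake_response(rcode, ad):
    """Constructed sample reply header (QR, RD, RA set); not captured traffic."""
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0020 if ad else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    print(len(build_query("sidn.nl")), "byte query")
    print(classify(fake_response(NOERROR, True), fake_response(SERVFAIL, False)))
    print(classify(fake_response(NOERROR, False), fake_response(NOERROR, False)))
```

A modem or router that strips the AD flag still yields "validating" here, because the verdict rests on the broken name being refused rather than on the flag.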
I have my doubts about the test result; what can I do?
SIDN has used all its DNS expertise to come up with the best test we could develop.
Nevertheless, we cannot guarantee that it is completely bug-free.
So, if you think a test result is wrong, we would like to hear from you.
Please contact our Registration & Service Department by e-mailing
support@sidn.nl or calling (+31) (0)26 352 5555.
Where can I find out more about DNSSEC?
A good place to start is https://www.dnssec.nl/.
Or simply enter 'DNSSEC' into your favourite search engine.