The Longstanding Problem
The domain name system (DNS) is the phone book of the Internet: it tells computers where to send and retrieve information. Unfortunately, it was designed without any way to authenticate answers, so a resolver takes whatever address it is handed, no questions asked.
Email servers use DNS to route their messages, which means they are exposed to security issues in the DNS infrastructure. In September 2014 researchers at CMU found email that should have gone to Yahoo!, Hotmail and Gmail servers being routed instead through rogue mail servers. Attackers were exploiting a decades-old weakness in DNS: a resolver has no way to verify that an answer came from the legitimate source, so it accepts the first answer that matches its query, forged or not.
The Solution
DNSSEC protects domain names by adding authentication to DNS: every record set in a signed zone carries a digital signature made with public key cryptography. It establishes a "chain of trust" that starts at the root of the Internet and runs through every TLD (e.g. .com) down to your domain, so a validating resolver can prove that an answer for your domain really came from your zone and was not altered on the way. A forged answer from an ISP, a government or anyone else on the path fails validation and is discarded, and the records a validating resolver returns are exactly what you put into your DNS host. Two caveats: DNSSEC signs records but does not encrypt them, so it gives authenticity and integrity, not privacy; and the protection only takes effect when the resolver doing the lookup validates signatures. Correspondingly, if your domain stays unsigned, none of this protection exists and forged answers for your domain are accepted as readily as genuine ones.
How safe is my domain?
To test whether your domain is DNSSEC signed and protected against attacks like the one in 2014, try the Cyber Security Agency of Singapore (CSA) Internet Hygiene Portal. At the time of writing, if your score is below 90%, chances are that the zone is not signed (search for DNSSEC in the results page). Based on the portal's composite scoring, signing your zone accounts for 13% of the email score and 16% of the website score, so adopting DNSSEC alone won't get you to 100%, but it will get you a lot closer to it from where you are now.
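Besides the portal, the check a practitioner runs from the command line is `dig +dnssec`. The Python below is an added example, not part of the original page and not Lightspeed's tooling; it interprets dig output and tells apart the cases that a single "signed / not signed" verdict hides: the zone is signed and the resolver you asked validated it (the `ad` flag is set), the zone is signed but the resolver does not validate (RRSIGs come back without `ad`), the zone is unsigned (no RRSIGs at all), or the chain of trust is broken (a validating resolver answers SERVFAIL). The sample outputs are constructed, not real captures; example.com, the addresses and the key tag in them are placeholders.

```python
import re
import shutil
import subprocess

# Constructed sample outputs of `dig +dnssec example.com. A` (not real captures).
# example.com and 192.0.2.10 are placeholders; signature bytes are omitted.

# Case 1: signed zone, asked through a validating resolver. Note "ad"
# (authenticated data) in the flags and the RRSIG next to the A record.
SIGNED_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t3600\tIN\tRRSIG\tA 8 2 3600 20240601000000 20240501000000 2063 example.com. (signature omitted)
"""

# Case 2: the same signed zone, asked through a resolver that does not validate.
# The signatures are returned, but nothing was checked: no "ad" flag.
SIGNED_NOT_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t3600\tIN\tRRSIG\tA 8 2 3600 20240601000000 20240501000000 2063 example.com. (signature omitted)
"""

# Case 3: unsigned zone. There is nothing to validate, so no RRSIG at all.
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
"""

# Case 4: signed zone with a broken chain of trust (e.g. the DS in the parent
# matches no DNSKEY the zone serves). A validating resolver refuses to answer.
BROKEN_CHAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12348
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def dnssec_status(dig_output: str) -> str:
    """Classify the output of `dig +dnssec <name> A`.

    Returns 'signed-and-validated', 'signed-resolver-not-validating',
    'unsigned' or 'servfail'. For 'servfail', re-run with +cd (checking
    disabled) to see the data the resolver rejected.
    """
    status = re.search(r"status: (\w+)", dig_output)
    if status and status.group(1) == "SERVFAIL":
        return "servfail"
    flags_line = re.search(r"^;; flags: ([^;]*);", dig_output, re.MULTILINE)
    flags = set(flags_line.group(1).split()) if flags_line else set()
    # Any RRSIG in the answer means the zone is signed, whether or not the
    # resolver we asked checked it.
    has_rrsig = re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", dig_output, re.MULTILINE) is not None
    if has_rrsig and "ad" in flags:
        return "signed-and-validated"
    if has_rrsig:
        return "signed-resolver-not-validating"
    return "unsigned"


def run_dig(name: str, resolver: str = None) -> str:
    """Run dig for real. Needs the dig binary and network access; the sample
    outputs above do not use it."""
    cmd = ["dig", "+dnssec", name, "A"]
    if resolver:
        cmd.append(f"@{resolver}")
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, sample in [("validated", SIGNED_VALIDATED),
                          ("not validated", SIGNED_NOT_VALIDATED),
                          ("unsigned", UNSIGNED),
                          ("broken chain", BROKEN_CHAIN)]:
        print(f"{label:>13}: {dnssec_status(sample)}")
    if shutil.which("dig"):
        try:
            print("live example.com:", dnssec_status(run_dig("example.com")))
        except subprocess.CalledProcessError:
            print("live query failed (no network?)")
```

The distinction matters when reading the portal's result too: a zone can be correctly signed and still be served unprotected to users whose resolver does not validate, and a signed zone with a stale DS in the parent is worse than an unsigned one, because validating resolvers stop answering for it.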
Annual Rotation
Public key cryptography needs to strike a balance between performance and security: keys must be strong enough to keep attackers out but cheap enough to sign and verify constantly in every use case (web browsing, sending email, etc). As such, the recommendation is to "roll" your keys regularly. DNSSEC uses two kinds of keys. The Key Signing Key (KSK) signs your zone's DNSKEY record set, and a hash of it (the DS record) is published in your parent zone; we roll it once every five years, since changing it also means updating the DS record at the registry. The Zone Signing Key (ZSK) signs every other record in your zone, and we roll it once a year. Rolling means publishing the new key alongside the old one and having both keys sign the records in parallel until the old key, and every signature it made, has expired from every DNS cache in the world; only then is the old key removed.
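The link between your zone and its parent, both in the chain of trust described under The Solution and in the KSK roll above, is the DS record: the registry publishes a hash of your KSK, and a validating resolver follows the chain from the root through the TLD to that DS and then to your DNSKEY. When first signing and after every KSK roll, the check worth running is that the DS the parent publishes matches the key you actually serve. The Python below is an added example, not code from the original page or from Lightspeed; it computes the key tag and DS digest from a DNSKEY as RFC 4034 specifies, using only the standard library, and compares the result with a DS line as `dig DS` would print it. The DNSKEY in it is a constructed four-byte stand-in for a real public key (a real RSA-2048 key is hundreds of bytes), and the owner name example.com is a placeholder.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): labels are
    lowercased, each is prefixed by its length, and a zero byte ends the name."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = KSK, 256 = ZSK), protocol (always 3),
    algorithm number (8 = RSASHA256, 13 = ECDSAP256SHA256), then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey(presentation: str) -> bytes:
    """Turn the text form shown by `dig DNSKEY`, e.g. '257 3 8 AQIDBA==', into RDATA.
    dig may break the base64 into several space-separated chunks; they are joined."""
    flags, protocol, algorithm, *key_parts = presentation.split()
    return dnskey_rdata(int(flags), int(protocol), int(algorithm),
                        base64.b64decode("".join(key_parts)))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag: a 16-bit checksum over the DNSKEY RDATA.
    It is what the '2063' in a DS or RRSIG refers to. (Algorithm 1, RSAMD5,
    used a different rule; it is long deprecated and not handled here.)"""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS RDATA the parent publishes for this key: (key tag, algorithm,
    digest type, digest). The digest covers the canonical owner name followed
    by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    hashers = {2: hashlib.sha256, 4: hashlib.sha384}  # type 1 (SHA-1) is deprecated
    if digest_type not in hashers:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = hashers[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(owner: str, rdata: bytes, parent_ds: str) -> bool:
    """Compare a DS line from the parent (as shown by `dig DS`, e.g.
    '2063 8 2 8B1A...') with the DS computed from the DNSKEY the child serves.
    dig may split the digest with spaces; they are removed before comparing."""
    tag, algorithm, digest_type, digest = parent_ds.split(None, 3)
    published = (int(tag), int(algorithm), int(digest_type), digest.replace(" ", "").upper())
    return ds_record(owner, rdata, int(digest_type)) == published


# Constructed sample: a KSK whose "public key" is the four bytes 01 02 03 04,
# so the key tag can be checked by hand (it works out to 2063).
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = parse_dnskey("257 3 8 AQIDBA==")

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(SAMPLE_OWNER, SAMPLE_KSK)
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
    print("parent DS matches served KSK:",
          ds_matches(SAMPLE_OWNER, SAMPLE_KSK, f"{tag} {alg} {dtype} {digest}"))
    print("stale DS after a roll:",
          ds_matches(SAMPLE_OWNER, SAMPLE_KSK, f"{tag + 1} {alg} {dtype} {digest}"))
```

In practice you feed `ds_matches` the DS line from `dig <domain> DS` (served by the TLD) and the KSK line from `dig <domain> DNSKEY` (served by your own name servers); during a KSK roll, both the old and the new DS should be present at the parent until the old key is withdrawn, and a DS that matches neither key is exactly the broken chain that makes validating resolvers return SERVFAIL for your domain.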
What it costs
If your domain is registered through Lightspeed and your domain hosting is managed by Lightspeed, then it's just $100 to implement and $50 a year to manage the key rolls. However, if you are one of the first 250 Singapore (.sg, .com.sg) domains that renewed, transferred in or purchased a domain from Lightspeed and checked the box for DNSSEC during our 25th Anniversary promotion period (ended 31 Mar 2023), then both the implementation fee and the annual fee are waived for as long as the domain remains registered and hosted with us. For Singapore domains registered or transferred in from 1 April 2024, the implementation and annual fees are waived for the first invoice (2 years maximum term based on SGNIC's current limits).