What is the DNSSEC chain of trust?

The DNSSEC (Domain Name System Security Extensions) chain of trust is a verified electronic signature, or handshake, at each DNS lookup node. In other words, it is a chain of lookups validated by the domain name's digital signature that secures the request through all lookup nodes. This ensures that no rogue or illicit player can slip into the lookup path and redirect the lookup to a bogus site.

Here's an example of using your browser to visit coolexample.org:

  1. Your lookup request goes to the domain name's root server and asks for the location of .org domain names. The root server, which is DNSSEC-aware, indicates the registry for .org domain extensions, PIR.
  2. The lookup asks PIR, the .org domain name registry and currently DNSSEC-aware, for the location of coolexample.org.
  3. PIR points the lookup to the authoritative DNS server for coolexample.org. This authoritative nameserver must also be DNSSEC-aware to continue the chain.
  4. The authoritative DNS server provides the requested address to you and your computer.

From your local computer to the authoritative nameserver for the requested URL and back, a digital signature (or handshake) at each node insures that your request provides the website you requested and that the request is not intercepted by rogue operators along the way.


Помогла ли вам эта статья?
Благодарим вас за отзыв. Чтобы связаться с сотрудником службы поддержки клиентов, позвоните по номеру этой службы или воспользуйтесь опцией чата выше.
Мы рады вам помочь! У вас остались вопросы?
Приносим извинения. Расскажите нам, какие затруднения вы испытываете или почему рекомендованное решение не помогло устранить проблему.