DNSSEC (DNS Security Extensions) authenticates DNS answers so that forged responses can be detected, and it is the foundation that DANE e‑mail security builds on. Google Cloud DNS can use DNSSEC to sign the managed zones for your domains. But until you add a DS (Delegation Signer) record for your example.com domain to the registry of its top-level domain (.COM), validating resolvers have no trust anchor for the zone and cannot verify its DNSSEC signatures.
This tutorial is for DNS domain administrators who use Google Cloud DNS and have already enabled DNSSEC on the managed zones for their domains. It shows how to activate DNSSEC validation for those domains by adding DS records through their domain registrars. The exact steps depend on the registrar, and this tutorial does not give detailed instructions for every one; it does give basic instructions and links for the most popular registrars and for many others that support DNSSEC.
How does it work?
Similar to HTTPS, DNSSEC adds a layer of security by enabling authenticated answers on top of an otherwise insecure protocol. Whereas HTTPS encrypts traffic so nobody on the wire can snoop on your Internet activities, DNSSEC only signs responses so that forgeries are detectable; queries and answers still travel in the clear. DNSSEC solves a real problem (the authenticity and integrity of DNS data) without needing encryption.
SUPERname’s goal is to make it as easy as possible to enable DNSSEC. Right now, customers on SUPERname paid plans can add DNSSEC to their web properties by flipping a switch to enable DNSSEC and uploading a DS record (which we generate automatically) to their registrar.
We’ve also published an Internet Draft outlining an automated way for registries and registrars to upload DS records on behalf of our customers. This would let SUPERname turn on DNSSEC automatically for our entire community.
We use greylisting and highly reputable blacklists to curb over 95% of spam, so you won’t have to worry about our backup MX service becoming a back door for spam reaching your mail server.
The RRSIG records that the zone’s private ZSK produces over each RRset are useless unless DNS resolvers have a way of verifying those signatures. The zone operator therefore also needs to publish the public ZSK by adding it to the zone in a DNSKEY record.
When a validating resolver requests a particular record type (e.g., AAAA) with the DNSSEC OK (DO) bit set, the name server returns the corresponding RRSIG along with the RRset. The resolver can then fetch the DNSKEY record containing the public ZSK from the same name server. Together, the RRset, the RRSIG, and the public ZSK let the resolver validate the response.
If we trust the zone-signing key in the DNSKEY record, we can trust all the records in the zone. But what if the zone-signing key was compromised, or an attacker served a DNSKEY record containing a key of their own? We need a way to validate the public ZSK itself.
In addition to a zone-signing key, DNSSEC name servers also have a key-signing key (KSK). The KSK validates the DNSKEY RRset in exactly the same way the ZSK secures the rest of the zone’s RRsets: it signs the public ZSK (which is stored in a DNSKEY record), producing an RRSIG for the DNSKEY RRset.
Just like the public ZSK, the name server publishes the public KSK in another DNSKEY record, so the zone’s DNSKEY RRset contains both keys. The whole DNSKEY RRset, public KSK and public ZSK alike, is signed by the private KSK. Resolvers can then use the public KSK to validate the public ZSK.
Validation for resolvers now looks like this:
- Request the desired RRset, which also returns the corresponding RRSIG record.
- Request the DNSKEY records containing the public ZSK and public KSK, which also returns the RRSIG for the DNSKEY RRset.
- Verify the RRSIG of the requested RRset with the public ZSK.
- Verify the RRSIG of the DNSKEY RRset with the public KSK.
- Check that the public KSK matches the DS record published in the parent zone (the .COM registry for example.com). That DS record is in turn signed by the parent’s keys, so the chain continues upward to the root zone’s trust anchor. Without the DS record this last step cannot succeed, and the zone’s signatures carry no trust.
Anycast DNS and How It Works
In anycast, a group of servers in different locations share the same IP address, and the network delivers a client’s packets to whichever of them is topologically closest. This cuts latency and bandwidth costs, improves load time for users, and improves availability. It is important to remember that topologically closer (the shortest network path, not the fewest kilometres) does not inherently mean geographically closer, though this is often the case.
Anycast relies on BGP, the routing protocol through which every router tells its neighbours which networks can be reached through it and how far away, in AS hops, those networks are. The core idea of anycast is that the same IP prefix is advertised in the BGP announcements of multiple routers at multiple sites. As these advertisements propagate across the Internet, each router learns which of its neighbours offers the shortest path to the advertised prefix and forwards traffic that way.
Advantages of Anycast DNS
Anycast is easy to configure. One IP address is assigned to every server, wherever in the world it sits. With more traditional unicast DNS, each location would have its own address and would have to be configured and listed separately.
High availability. As noted above, routing delivers the user to the closest server; if that site stops advertising the prefix (for example because a health check has failed and withdrawn the route), BGP reconverges and traffic simply flows to the next-closest site. Every site serves a mirror image of the same DNS records, so users do not even notice. The caveat is that the route must actually be withdrawn: a site whose server is down but whose router keeps advertising the prefix black-holes the traffic it attracts.
Scaling. Anycast DNS is very easy to grow. If a particular server is getting too much load, you deploy one more server in the region where it is needed and announce the prefix from there. It is quick to set up, and this is one of the common ways we expand our Anycast network.
To take advantage of our Premium Anycast DNS service, just go to our page and choose the plan that suits you best. Our Anycast network consists of 21 data centers on six continents, and we also offer Anycast DDoS-protected DNS servers and Anycast GeoDNS servers.
Think about your needs, and if you are not sure what to choose, you can always contact our customer service for help.
There are two common schemes for deciding which server a user is connected to.
Network-layer anycast. Routers direct the user to the closest server; what matters here is the network path from the user to the server.
Application-layer anycast. This scheme involves many more inputs: server availability, response time, number of connections, and so on. It depends on an external monitor that collects these statistics and steers clients accordingly.
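The network-layer scheme, and the failover behaviour described under "High availability", as an added example written for this page rather than code from any DNS provider or router. It models one client’s upstream router holding several BGP announcements of the same prefix and applies the shortest-AS_PATH rule that anycast relies on; the `Site`, `BestPath`, `HealthCheck`, `Blackholed` and `SampleSites` names, the site names, and the private AS numbers are this example’s own constructions.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Site is one data centre announcing the shared anycast prefix, as seen from a
// client's upstream router. ASPath is the BGP AS_PATH learned for the announcement.
type Site struct {
	Name      string
	ASPath    []uint32
	Announced bool // the site's router is still advertising the prefix
	Alive     bool // the DNS server behind that router is actually answering
}

// BestPath is the part of BGP best-path selection that anycast relies on: among
// announcements of the same prefix, the shortest AS_PATH wins (ties broken here by
// name, where a real router uses router ID and other attributes). Routers only see
// announcements; they know nothing about Alive.
func BestPath(sites []Site) (Site, error) {
	var cands []Site
	for _, s := range sites {
		if s.Announced {
			cands = append(cands, s)
		}
	}
	if len(cands) == 0 {
		return Site{}, errors.New("prefix unreachable: no site is announcing it")
	}
	sort.SliceStable(cands, func(i, j int) bool {
		if len(cands[i].ASPath) != len(cands[j].ASPath) {
			return len(cands[i].ASPath) < len(cands[j].ASPath)
		}
		return cands[i].Name < cands[j].Name
	})
	return cands[0], nil
}

// HealthCheck is what turns a dead server into a BGP withdrawal: a site whose
// server stops answering must stop announcing the prefix, otherwise it keeps
// attracting traffic it can no longer serve.
func HealthCheck(sites []Site) []Site {
	out := make([]Site, len(sites))
	for i, s := range sites {
		s.Announced = s.Announced && s.Alive
		out[i] = s
	}
	return out
}

// Blackholed lists sites that still announce the prefix but cannot serve it.
func Blackholed(sites []Site) []string {
	var names []string
	for _, s := range sites {
		if s.Announced && !s.Alive {
			names = append(names, s.Name)
		}
	}
	return names
}

// SampleSites is a constructed view from one client's router: the same prefix
// announced by three sites over paths of different length (private ASNs).
func SampleSites() []Site {
	return []Site{
		{"ams", []uint32{64500, 64510}, true, true},
		{"nyc", []uint32{64500, 64520, 64530}, true, true},
		{"sin", []uint32{64500, 64540, 64550, 64560}, true, true},
	}
}

func main() {
	sites := SampleSites()
	best, _ := BestPath(sites)
	fmt.Println("normal operation, client lands on:", best.Name)
	sites[0].Alive = false // the server in ams dies but its router keeps announcing
	best, _ = BestPath(sites)
	fmt.Println("server down, route not withdrawn:", best.Name, "black hole:", Blackholed(sites))
	sites = HealthCheck(sites) // the health check withdraws the route; BGP reconverges
	best, _ = BestPath(sites)
	fmt.Println("after withdrawal, client lands on:", best.Name)
}
```

The point of `Blackholed` is the caveat from the availability paragraph: BGP moves traffic only when an announcement disappears, so the health check that withdraws a dead site’s route is part of the availability story, not an optional extra.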