DNSSEC and .eu

Domain Name System Security Extensions (DNSSEC) is a protocol that adds security to the Domain Name System (DNS) by verifying name server responses through what is called a “chain of trust”.

.eu implemented DNSSEC on 9 June 2010 and is one of the first TLDs to have a complete DNSSEC chain of trust. This is important because validation occurs all the way up to the Internet root zone and means that anyone visiting a DNSSEC-enabled .eu domain name can be confident of its legitimacy.

Since DNSSEC can only reach its full potential once it has been adopted for all domain names, we want to make it as easy as possible for our registrars to implement the protocol. That’s why we introduced a DNSSEC Signing Service (DSS) that allows our registrars to enjoy all of the advantages of DNSSEC with none of the hassle.

Why it’s important

DNSSEC prevents attackers from intercepting web traffic and redirecting it to fake websites that can trick people into supplying personal information, such as a counterfeit Internet banking site that looks like the real thing.

Cache-poisoning attacks can also cause this kind of traffic interception, and DNSSEC can prevent a cache-poisoning attack from succeeding.

How it works

Digital signatures are attached to DNS data – a process known as signing – so the origin and integrity of the DNS data can be verified as it crosses the Internet. All name servers used to look up DNS data (such as a website IP address or an email server location) check the validity of the signed data responses, preserving trust throughout the hierarchy for website owners and users.

A chain of trust is established by validating each layer of the hierarchy from the bottom up, so the trustworthiness of one layer is guaranteed by the layer above.

For a technical background on DNSSEC and information about deployment uptake, there are two .eu Insights reports available for download from http://link.eurid.eu/insights.

DNSSEC Signing Service

This service signs .eu domain names with the DNSSEC protocol and takes care of the recurring tasks that are required to maintain it. If you want to protect your website, ask your registrar to enable DNSSEC for your domain name.