How does the DNS work?
Let's take a step back. The internet functions using the Domain Name System (DNS). This system consists of name servers which process requests for websites and email. An often used analogy is a phone book: based on a name, you find the corresponding number, be it a phone number or an IP address. When you request a domain that is registered at Greenhost in your browser, you will receive an IP address through your Internet Service Provider (ISP, for example AT&T, AOL or KPN) and several name servers. Using this IP address, your browser will contact Greenhost's webservers. Greenhost then sends back the website data to your browser, via your ISP. All of this happens in an instant.
What DNSSEC prevents
It is well documented that the Domain Name System has its security vulnerabilities. DNS information can be intercepted (Man-in-the-Middle) and altered (DNS spoofing). Without your noticing, someone swaps your phone book or alters some numbers. As there is no way of verifying the number you received, you may be directed to the wrong webserver. This way, criminals or fraudulent institutions are able to alter internet traffic to lure unsuspecting users into phishing or malware scams. DNSSEC largely prevents this from happening.
How does DNSSEC work?
The authenticity of DNS information can be verified using DNSSEC. When requesting an IP address, your ISP receives a key along with this IP address. Your ISP can verify this key by comparing it with the key which is held by the TLD administrator. For example, the public keys for .nl domains can be found on the servers of SIDN. In this way you can be sure that your ISP makes a connection to the correct webserver.
The limitations and the future of DNSSEC
Unfortunately, the traffic between your ISP and your browser is not yet readily secured. It is therefore still advised not to do, for example, your online banking while using a public WiFi spot. However, DNSSEC does open up possibilities for browser implementations which may warn users against DNS spoofing attacks in the future. This development is still ongoing; this Firefox plugin, for example, makes a serious attempt.
Check your domain name
Would you like to know for certain if your own domain name has DNSSEC enabled? Check your domain name here.
Want to know more about DNSSEC?
Are you interested in the technical details of DNSSEC? Then take a look at the ICANN DNSSEC page.