DNSSEC Risk Vector

Ingrid

DNSSEC is a Diligence risk vector. It determines whether a company is using the DNSSEC protocol, which uses public key encryption to authenticate DNS servers, and then assesses the effectiveness of its configuration. The DNSSEC protocol protects against DNS spoofing, which diverts traffic to an attacker's computer and creates an opportunity for loss of confidentiality, data theft, etc.

See data collection methods.

Risks

Without DNSSEC, an organization's domain can more easily be taken over, allowing an attacker to appear to be that organization online and perpetrate man-in-the-middle (MITM) attacks.

Grading

See how the DNSSEC risk vector is graded.

Insufficient Data

A default risk vector grade is assigned if there is insufficient or no data.

Default: No ratings impact. This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into Bitsight Security Ratings.

Lifetime

Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.

Duration: 60 Days

Weight

The DNSSEC risk vector is part of the Diligence risk category, whose risk vectors together contribute 70.5% towards Bitsight Security Ratings.

Weight: Not Applicable

Remediation

Review DNSSEC findings.

- Set up DNSSEC for your domain, including generating the appropriate keys and updating DNS zone records.
- Generate a new Zone Signing Key using the RSA or DSA algorithm, with a key of 2048 bits or more.
- Download updated trust anchors and set them to be managed automatically.
- Add your DNSKEY to your DNS records through your registrar's management interface.

Rescan Base Duration

The Bitsight platform regularly checks for new observations.
Findings are rescanned as these observations change, e.g., when a new Diligence finding is observed or an existing finding is remediated.

Automated Scan: 2 Weeks
User-Requested Rescan: 3 days. See timeline for details.

Finding Behavior

The behavior of findings based on remediation and rescan statuses:

Remediated

- The remediated finding will stop impacting the grade. If a user-requested rescan is initiated, the rescan status is either Remediated or Partially Remediated.
- A new finding impacting the grade is created. If this is a result of a user-requested rescan, the rescan status is Replacement Finding.

Not Remediated

- If a user-requested rescan is initiated and the issue persists, the rescan status is Not Remediated and the finding continues to impact the grade until it completes its lifetime.

June 25, 2025: Finding behavior grouped by rescan statuses.
March 25, 2024: “No findings/low findings” changed to “insufficient data.”
August 16, 2023: New Grading & Finding Behavior sections.
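
One way to verify the key-size step in the Remediation list, as an added example that is not Bitsight's code or part of the original article: it parses DNSKEY records in zone-file format and reports each RSA key's role and modulus size against the 2048-bit minimum. The records are constructed samples for example.com, and all function names are assumptions of this example.

```python
import base64

# IANA DNSSEC algorithm numbers whose public keys use the RFC 3110 RSA format.
RSA_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
MIN_BITS = 2048  # minimum key size from the Remediation list


def rsa_modulus_bits(key: bytes) -> int:
    """Return the modulus size in bits of an RFC 3110 RSA public key blob."""
    if not key:
        raise ValueError("empty key")
    exp_len, off = key[0], 1
    if exp_len == 0:  # long form: a two-byte exponent length follows
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    modulus = key[off + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()


def audit_dnskey(record: str) -> dict:
    """Check one DNSKEY record given in zone-file presentation format."""
    fields = record.split()
    i = fields.index("DNSKEY")
    flags, _proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))  # key text may contain spaces
    role = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit marks a key signing key
    if alg not in RSA_ALGS:
        return {"role": role, "alg": alg, "bits": None, "ok": None,
                "note": "not an RSA algorithm; size check not applied"}
    bits = rsa_modulus_bits(key)
    return {"role": role, "alg": RSA_ALGS[alg], "bits": bits,
            "ok": bits >= MIN_BITS, "note": ""}


def constructed_record(flags: int, alg: int, bits: int) -> str:
    """Build a sample record; the modulus is a constructed integer, not a real key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = bytes([3]) + (65537).to_bytes(3, "big") + modulus
    return f"example.com. 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    for rec in (constructed_record(256, 8, 2048), constructed_record(256, 8, 1024),
                constructed_record(257, 8, 2048)):
        print(audit_dnskey(rec))
```

To audit a live zone, feed the function the DNSKEY lines returned by a DNS query for the domain instead of the constructed records.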