- August 16, 2023: New Grading & Finding Behavior sections.
- May 11, 2020: Updated description.
The DNSSEC risk vector determines whether a company is using the DNSSEC protocol, a public-key cryptography protocol that authenticates the DNS data served by a zone's name servers, and then assesses the effectiveness of its configuration. The DNSSEC protocol protects against DNS spoofing, in which traffic is diverted to an attacker's computer, creating an opportunity for loss of confidentiality, data theft, etc.
Risks
Without DNSSEC, an organization's domain can more easily be taken over, allowing an attacker to appear to be that organization online and perpetrate man-in-the-middle (MITM) attacks.
Grading
See how the DNSSEC risk vector is graded.
Concept | Behavior |
---|---|
Lifetime | 60 Days |
| (Out of 70.5% in Diligence) |
No Findings | Not applicable. |
Remediation
Review DNSSEC findings.
- Set up DNSSEC for your domain, including generating the appropriate keys and updating DNS zone records.
- Generate a new Zone Signing Key using the RSA or DSA algorithm, with a key of 2048 bits or more.
- Download updated trust anchors and set them to be managed automatically.
- Add your DNSKEY to your DNS records through your registrar’s management interface.
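The following checker is an added example, not BitSight's tooling and not code from this page. It takes the RDATA of a DNSKEY record as it appears in a zone file (flags, protocol, algorithm, base64 public key), reports whether the key is a ZSK or KSK, which algorithm it uses and how many bits it has, checks the 2048-bit minimum from the remediation steps above, and computes the RFC 4034 key tag you need to match the DNSKEY against the DS record published at the registrar. The function names, the `DnskeyReport` structure and the sample keys are assumptions of this example; the sample RSA moduli are constructed filler bytes, not real keys.

```python
import base64
import struct
from dataclasses import dataclass

# Hypothetical DNSKEY checker (added example, not BitSight's own tooling).

# DNSSEC algorithm numbers from the IANA registry.
ALGORITHMS = {
    3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
RSA_ALGS = {5, 7, 8, 10}
DSA_ALGS = {3, 6}
FIXED_BITS = {13: 256, 14: 384, 15: 256, 16: 456}   # curve algorithms have a fixed size
MIN_BITS = 2048   # minimum size the remediation guidance asks for on RSA/DSA keys


@dataclass
class DnskeyReport:
    role: str          # "ZSK" or "KSK", derived from the flags field
    algorithm: str
    key_bits: int
    key_tag: int       # RFC 4034 key tag, also carried in the DS record
    meets_minimum: bool


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_size_bits(algorithm: int, pub: bytes) -> int:
    """Key size in bits, decoded from the algorithm-specific public key encoding."""
    if algorithm in RSA_ALGS:
        # RFC 3110: 1-byte exponent length (0 means a 2-byte length follows),
        # then the exponent, then the modulus.
        exp_len, off = pub[0], 1
        if exp_len == 0:
            exp_len, off = struct.unpack("!H", pub[1:3])[0], 3
        modulus = pub[off + exp_len:]
        return int.from_bytes(modulus, "big").bit_length()
    if algorithm in DSA_ALGS:
        # RFC 2536: leading byte T; prime P is 64 + 8*T bytes, T <= 8.
        return 512 + 64 * pub[0]
    if algorithm in FIXED_BITS:
        return FIXED_BITS[algorithm]
    raise ValueError(f"unsupported DNSSEC algorithm {algorithm}")


def check_dnskey(presentation: str) -> DnskeyReport:
    """Accepts the RDATA of a zone-file DNSKEY line: 'flags protocol algorithm base64...'."""
    flags_s, proto_s, alg_s, *b64 = presentation.split()
    flags, proto, alg = int(flags_s), int(proto_s), int(alg_s)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    if not flags & 0x0100:
        raise ValueError("Zone Key flag (256) not set; this is not a zone-signing key")
    pub = base64.b64decode("".join(b64))
    role = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit: 257 = KSK, 256 = ZSK
    bits = key_size_bits(alg, pub)
    needs_minimum = alg in RSA_ALGS or alg in DSA_ALGS
    rdata = struct.pack("!HBB", flags, proto, alg) + pub
    return DnskeyReport(role, ALGORITHMS.get(alg, f"alg{alg}"), bits,
                        key_tag(rdata), (not needs_minimum) or bits >= MIN_BITS)


def constructed_rsa_dnskey(flags: int, modulus_bits: int) -> str:
    """Constructed test data: a well-formed RSASHA256 DNSKEY with filler bytes as the modulus."""
    exponent = b"\x01\x00\x01"                       # 65537
    modulus = b"\xc3" + b"\x5a" * (modulus_bits // 8 - 1)   # top bit set, so bit_length matches
    pub = bytes([len(exponent)]) + exponent + modulus
    return f"{flags} 3 8 {base64.b64encode(pub).decode()}"


if __name__ == "__main__":
    for line in (constructed_rsa_dnskey(256, 2048), constructed_rsa_dnskey(257, 1024)):
        r = check_dnskey(line)
        verdict = "OK" if r.meets_minimum else "BELOW MINIMUM"
        print(f"{r.role} {r.algorithm} {r.key_bits}-bit, key tag {r.key_tag}: {verdict}")
```

Paste the RDATA of each DNSKEY from `dig DNSKEY example.com` (or from your zone file) into `check_dnskey`; the key tag it prints should match the first field of the DS record at the registrar. Note that the RFC 2536 DSA encoding tops out at T = 8, i.e. 1024 bits, so in practice the 2048-bit minimum is met with an RSA key, and curve algorithms (13 through 16) are reported as meeting it by construction.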
Finding Behavior
Concept | Behavior |
---|---|
Refresh | Automated: 2 Weeks; User-Requested: 1 Day |
Remediated | Not rating-impacting. The old finding is replaced by a new finding. |