The DNSSEC risk vector determines whether a company is using the DNSSEC protocol, which uses public-key cryptography to authenticate DNS responses, and then assesses the effectiveness of its configuration. DNSSEC protects against DNS spoofing, in which traffic is diverted to an attacker's computer, creating an opportunity for loss of confidentiality, data theft, and similar harm.
Risks
Without DNSSEC, an organization's domain can more easily be taken over, allowing an attacker to impersonate that organization online and perpetrate man-in-the-middle (MITM) attacks.
Grading
See how the DNSSEC risk vector is graded.
| Concept | Behavior |
|---|---|
| | Duration: 60 Days |
| | A default risk vector grade is assigned. |
| | No ratings impact. This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into Bitsight Security Ratings. |
| | Percentage (out of 70.5% in Diligence): Not Applicable |
Remediation
Review DNSSEC findings.
- Set up DNSSEC for your domain, including generating the appropriate keys and updating DNS zone records.
- Generate a new Zone Signing Key using the RSA or DSA algorithm, with a key of 2048 bits or more.
- Download updated trust anchors and set them to be managed automatically.
- Add your DNSKEY to your DNS records through your registrar’s management interface.
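To show what "assessing the effectiveness of the configuration" means in practice for the key-related steps above, here is an added example that is not Bitsight's code or the method behind its grading. It decodes DNSKEY records in the presentation format returned by `dig DNSKEY <zone>`, computes each key tag (RFC 4034 Appendix B), identifies ZSK versus KSK from the flags, and for RSA keys measures the modulus against the 2048-bit minimum. The sample records are constructed, not real keys. One caveat a practitioner will want: RFC 8624 deprecates DSA (and RSA/MD5) for signing, so the check flags those algorithms even though DSA is listed among the options above.

```python
import base64
import struct

# Algorithm numbers from the IANA DNSSEC algorithm registry (RFC 4034 / RFC 8624).
ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
RSA_ALGORITHMS = {1, 5, 7, 8, 10}
# RFC 8624: RSAMD5 and the DSA variants MUST NOT be used for signing;
# the RSA/SHA-1 variants are NOT RECOMMENDED.
DEPRECATED_ALGORITHMS = {1, 3, 5, 6, 7}


def _rsa_blob(modulus_len: int) -> bytes:
    """Constructed RFC 3110 RSA public key: exponent 65537 plus a synthetic modulus."""
    return bytes([3, 0x01, 0x00, 0x01]) + bytes(range(255, 255 - modulus_len, -1))


# Constructed sample records ("flags protocol algorithm base64-key"); not real keys.
SAMPLE_DNSKEYS = [
    "256 3 8 " + base64.b64encode(_rsa_blob(256)).decode(),   # ZSK, RSASHA256, 2048-bit
    "256 3 8 " + base64.b64encode(_rsa_blob(128)).decode(),   # ZSK, RSASHA256, only 1024-bit
    "257 3 3 " + base64.b64encode(bytes(range(64))).decode(),  # KSK, DSA (deprecated)
]


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA per RFC 4034 Appendix B.1 (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of each 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 key: exponent length (1 or 3 bytes), exponent, modulus."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:  # long form: the next two bytes carry the exponent length
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def assess_dnskey(record: str, min_rsa_bits: int = 2048) -> dict:
    """Decode one DNSKEY record and report key tag, role, algorithm, size and issues."""
    flags_s, proto_s, alg_s, *b64 = record.split()
    flags, protocol, alg = int(flags_s), int(proto_s), int(alg_s)
    pubkey = base64.b64decode("".join(b64))          # dig may wrap the key over several tokens
    rdata = struct.pack("!HBB", flags, protocol, alg) + pubkey
    name = ALGORITHMS.get(alg, f"unassigned({alg})")
    result = {
        "key_tag": key_tag(rdata),
        # The SEP bit (flags 257) marks the KSK a parent DS record normally references.
        "role": "KSK" if flags & 0x0001 else "ZSK",
        "algorithm": name,
        "bits": None,
        "issues": [],
    }
    if not flags & 0x0100:
        result["issues"].append("zone key bit (256) not set; validators will not use this key")
    if protocol != 3:
        result["issues"].append("protocol field must be 3 (RFC 4034 section 2.1.2)")
    if alg in DEPRECATED_ALGORITHMS:
        result["issues"].append(f"algorithm {name} is deprecated for signing by RFC 8624")
    if alg in RSA_ALGORITHMS:
        bits = rsa_modulus_bits(pubkey)
        result["bits"] = bits
        if bits < min_rsa_bits:
            result["issues"].append(f"RSA modulus is {bits} bits; at least {min_rsa_bits} required")
    return result


def assess_zone(records) -> dict:
    """Assess a zone's DNSKEY set: needs a SEP-flagged key (KSK or CSK) and no per-key issues."""
    keys = [assess_dnskey(r) for r in records]
    problems = [f"key {k['key_tag']} ({k['algorithm']}): {i}" for k in keys for i in k["issues"]]
    if not any(k["role"] == "KSK" for k in keys):
        problems.append("no key with the SEP bit (flags 257) published for the parent DS to reference")
    return {"keys": keys, "problems": problems, "ok": not problems}


if __name__ == "__main__":
    report = assess_zone(SAMPLE_DNSKEYS)
    for k in report["keys"]:
        print(k["key_tag"], k["role"], k["algorithm"], k["bits"], k["issues"])
    print("OK" if report["ok"] else "PROBLEMS:\n  " + "\n  ".join(report["problems"]))
```

Feed the records from `dig +short DNSKEY <zone>` into `assess_zone` to get the same report for a live zone; the key tags it prints are what you compare against the DS record at the registrar after completing the last step above. A single combined key (CSK, flags 257) also passes the zone-level check, since only the SEP-flagged key is required.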
Finding Behavior
| Concept | Behavior |
|---|---|
| | The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated. |
| | Automated Scan Duration: 2 Weeks; User-Requested Refresh Duration: 1 Business Day |
| | This risk vector is not ratings-impacting. The old finding is replaced by a new finding. |
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- August 16, 2023: New Grading & Finding Behavior sections.
- May 11, 2020: Updated description.