Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

DNSSEC Risk Vector

Ingrid

DNSSEC is a Diligence risk vector. It determines if a company is using the DNSSEC protocol, which is a public key encryption that authenticates DNS servers, and then assesses the effectiveness of its configuration. The DNSSEC protocol protects against DNS spoofing, which involves diverting traffic to an attacker’s computer, creating an opportunity for loss of confidentiality, data theft, etc.

See data collection methods.

Risks

Without DNSSEC, an organization's domain can more easily be taken over allowing an attacker to appear to be that organization online and perpetrate man-in-the-middle (MITM) attacks.

Grading

See how the DNSSEC risk vector is graded.

Insufficient Data

A default risk vector grade is assigned if there is insufficient or no data.

Default: grade-c-no-impact.png

No ratings impact. This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into Bitsight Security Ratings.

Lifetime

Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. This is defined by the number of days a finding will impact the risk vector grade. Learn why findings have a decay and lifetime period.

Duration: 60 Days

Weight

The DNSSEC risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.

Weight: Not Applicable

Remediation

Review DNSSEC findings.

  • Set up DNSSEC for your domain, including generating the appropriate keys and updating DNS zone records.
  • Generate a new Zone Signing Key using the RSA or DSA algorithm, with a key of 2048 bits or more.
  • Download updated trust anchors and set them to be managed automatically.
  • Add your DNSKEY to your DNS records through your registrar’s management interface.

Rescan Base Duration

The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.

Automated Scan: 2 Weeks

User-Requested Rescan: 3 days. See timeline for details.

Finding Behavior

The behavior of findings based on remediation and rescan statuses:

Remediated

  • The remediated finding will stop impacting the grade. If a user-requested rescan is initiated, the rescan status is either Remediated or Partially Remediated.
  • A new finding impacting the grade is created. If this is a result of a user-requested rescan, the rescan status is Replacement Finding.

Not Remediated

If a user-requested rescan is initiated and the issue persists, the rescan status is Not Remediated and the finding continues to impact the grade until it completes its lifetime.

  • June 25, 2025: Finding behavior grouped by rescan statuses.
  • March 25, 2024: “No findings/low findings” changed to “insufficient data.”
  • August 16, 2023: New Grading & Finding Behavior sections.

Related articles

Feedback

0 comments

Please sign in to leave a comment.