DNSSEC is a Diligence risk vector. It determines whether a company is using the DNSSEC protocol, which uses public key cryptography to authenticate DNS servers, and then assesses the effectiveness of its configuration. The DNSSEC protocol protects against DNS spoofing, in which traffic is diverted to an attacker’s computer, creating an opportunity for loss of confidentiality, data theft, etc.
Risks
Without DNSSEC, an organization's domain can more easily be taken over, allowing an attacker to appear to be that organization online and perpetrate man-in-the-middle (MITM) attacks.
Grading
See how the DNSSEC risk vector is graded.
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
No ratings impact. This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into Bitsight Security Ratings.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Weight
The DNSSEC risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.
Weight: Not Applicable
Remediation
Review DNSSEC findings.
- Set up DNSSEC for your domain, including generating the appropriate keys and updating DNS zone records.
- Generate a new Zone Signing Key using the RSA or DSA algorithm, with a key of 2048 bits or more.
- Download updated trust anchors and set them to be managed automatically.
- Add your DNSKEY to your DNS records through your registrar’s management interface.
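The key-size step above can be checked against a published DNSKEY record offline. The following is an added example, not part of the original page or any Bitsight tooling: it decodes a DNSKEY record's fields, computes its key tag, and tests an RSA key against the 2048-bit minimum. The function names are hypothetical, and the sample keys are constructed placeholders rather than real keys.

```python
import base64
import struct

# IANA DNSSEC algorithm numbers whose public keys use the RFC 3110 RSA format.
RSA_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B; DS and RRSIG records refer to keys by it."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_dnskey(flags: int, protocol: int, alg: int, key_b64: str, min_bits: int = 2048) -> dict:
    """Decode one DNSKEY record and check its RSA modulus against min_bits."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    key = base64.b64decode(key_b64)
    report = {
        "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit marks a key-signing key
        "zone_key": bool(flags & 0x0100),            # must be set for keys that sign zone data
        "algorithm": RSA_ALGS.get(alg, f"algorithm {alg}"),
        "key_tag": key_tag(struct.pack("!HBB", flags, protocol, alg) + key),
        "bits": None,   # stays None for non-RSA algorithms, where the size rule does not apply
        "meets_minimum": None,
    }
    if alg in RSA_ALGS:
        # RFC 3110: one length byte for the exponent, or 0x00 followed by a two-byte length.
        if key[0] == 0:
            exp_len, offset = struct.unpack("!H", key[1:3])[0], 3
        else:
            exp_len, offset = key[0], 1
        modulus = key[offset + exp_len:]
        report["bits"] = int.from_bytes(modulus, "big").bit_length()
        report["meets_minimum"] = report["bits"] >= min_bits
    return report

def constructed_rsa_key(bits: int) -> str:
    """Constructed sample data: exponent 65537 and a placeholder modulus of the given size."""
    modulus = b"\x80" + b"\x00" * (bits // 8 - 2) + b"\x01"
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

if __name__ == "__main__":
    for bits in (1024, 2048):
        print(audit_dnskey(256, 3, 8, constructed_rsa_key(bits)))
```

The four arguments correspond to the flags, protocol, algorithm and public key fields of a DNSKEY record as it appears in the zone.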
Rescan Base Duration
The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., when new Diligence findings are observed or an existing finding is remediated.
Automated Scan: 2 Weeks
User-Requested Rescan: 3 days. See timeline for details.
Finding Behavior
The behavior of findings based on remediation and rescan statuses:
Remediated
- The remediated finding will stop impacting the grade. If a user-requested rescan is initiated, the rescan status is either Remediated or Partially Remediated.
- A new finding impacting the grade is created. If this is a result of a user-requested rescan, the rescan status is Replacement Finding.
Not Remediated
If a user-requested rescan is initiated and the issue persists, the rescan status is Not Remediated and the finding continues to impact the grade until it completes its lifetime.
- June 25, 2025: Finding behavior grouped by rescan statuses.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- August 16, 2023: New Grading & Finding Behavior sections.