How is the DNSSEC Risk Vector Assessed?

Ingrid

For the DNSSEC risk vector, we look at a variety of criteria when determining the effectiveness of a Domain Name System Security Extensions (DNSSEC) record. Without DNSSEC configured, some data from the DNS server may not be secure.

Though DNSSEC is not standard in the industry, this risk vector is evaluated since DNSSEC protects DNS resolvers from receiving bad data by using public key cryptography to sign domains or other zones to ensure the authenticity of records. In short, this technology helps to protect everyday users from malicious redirects when looking up domain names.

Refer to the list of registrars that support end-user DNSSEC management.

Concept / Behavior

Insufficient Data: A default risk vector grade is assigned. Default: No ratings impact. This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into Bitsight Security Ratings.

Lifetime: The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. Duration: 60 Days

Weight: Percentage (out of 70.5% in Diligence): Not Applicable

Finding Grading

DNSSEC findings are evaluated and then graded as GOOD, WARN, BAD, or NEUTRAL.

Messages

Each issue has a message shown in the platform as an individual entry, along with the associated IP address. For instance, “DSA public key is less than 2048 bits.” The text in the remediation column is also available in the platform. Remediation is guidance on how to resolve the issue so that it no longer adversely impacts the organization's Bitsight Security Rating. Click the links below to learn more about finding messages.

GOOD

In order to be graded as GOOD, the domain should have DNSSEC enabled and should be properly configured.
The certificate must adhere to the following rules:

- It must be encrypted using a secure hash algorithm with a sufficiently long key.
- It must have a validated chain of trust.

WARN

The presence of these issues moderately impacts an organization's Bitsight Security Rating. They should be remediated as soon as possible.

BAD

The presence of these issues severely impacts an organization's Bitsight Security Rating. They should be remediated as soon as possible.

NEUTRAL

These issues don't affect an organization's Bitsight Security Rating.

December 19, 2025: Language clarified around Finding Grade Messaging.
March 25, 2024: “No findings/low findings” changed to “insufficient data.”
December 12, 2023: Linked to no findings definition.
December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.
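To check your own zone against the GOOD rule about a secure hash algorithm and a sufficiently long key, the added example below (not Bitsight's code or grading logic) parses a DNSKEY record in presentation format and reports the key size and hash family. Assumptions: the 2048-bit threshold is taken from the sample message quoted under Messages and applied to RSA as well, the function names and issue wording are hypothetical, and chain-of-trust validation is not covered.

```python
import base64

# DNSSEC algorithm numbers from the IANA registry.
RSA_ALGS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
            8: "RSASHA256", 10: "RSASHA512"}
DSA_ALGS = {3: "DSA", 6: "DSA-NSEC3-SHA1"}
SHA1_OR_MD5 = {1, 3, 5, 6, 7}   # algorithms built on MD5 or SHA-1
MIN_BITS = 2048                 # assumed threshold, from the page's sample message


def key_bits(alg, key):
    """Return the public key size in bits, or None for non-RSA/DSA algorithms."""
    if alg in RSA_ALGS:          # RFC 3110: exponent length, exponent, modulus
        if key[0]:
            exp_len, off = key[0], 1
        else:                    # a zero octet means a two-octet length follows
            exp_len, off = int.from_bytes(key[1:3], "big"), 3
        modulus = key[off + exp_len:]
        return int.from_bytes(modulus, "big").bit_length()
    if alg in DSA_ALGS:          # RFC 2536: T octet, prime P is 64 + 8*T octets
        return (64 + 8 * key[0]) * 8
    return None


def check_dnskey(record):
    """Parse one presentation-format DNSKEY record and list its weaknesses."""
    fields = record.split()
    i = fields.index("DNSKEY")   # layout: flags, protocol, algorithm, key
    alg = int(fields[i + 3])
    key = base64.b64decode("".join(fields[i + 4:]))
    name = RSA_ALGS.get(alg) or DSA_ALGS.get(alg) or f"algorithm {alg}"
    issues = []
    bits = key_bits(alg, key)
    if bits is not None and bits < MIN_BITS:
        kind = "DSA" if alg in DSA_ALGS else "RSA"
        issues.append(f"{kind} public key is {bits} bits, below {MIN_BITS}")
    if alg in SHA1_OR_MD5:
        issues.append(f"{name} relies on a weak hash (MD5 or SHA-1)")
    return issues


def sample_record(alg, modulus_len):
    """Constructed RSA DNSKEY: exponent 65537, all-ones modulus (not a real key)."""
    rdata = b"\x03\x01\x00\x01" + b"\xff" * modulus_len
    key = base64.b64encode(rdata).decode()
    return f"example.com. 3600 IN DNSKEY 257 3 {alg} {key}"
```

Feed it the output of a DNSKEY query for your zone, one record per call. Because RFC 2536 caps T at 8, DSA keys in DNSSEC top out at 1024 bits, so any DSA key is reported as too short.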