For the DNSSEC risk vector, we look at a variety of criteria when determining the effectiveness of a Domain Name System Security Extensions (DNSSEC) record. Without DNSSEC configured, some data from the DNS server may not be secure.
Though DNSSEC is not standard in the industry, this risk vector is evaluated because DNSSEC protects DNS resolvers from receiving bad data: it uses public-key cryptography to sign domains or other zones so that the authenticity of records can be verified. In short, this technology helps to protect everyday users from malicious redirects when looking up domain names. Refer to the list of registrars that support end-user DNSSEC management.
| Concept | Behavior |
|---|---|
| A default risk vector grade is assigned. | No ratings impact. This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into Bitsight Security Ratings. |
| The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | Duration: 60 Days |
| Weight | Percentage (out of 70.5% in Diligence): Not Applicable |
Finding Grading
DNSSEC findings are evaluated and then graded as GOOD, WARN, BAD, or NEUTRAL.
Messages
Each issue has a message shown in the platform as an individual entry, along with the associated IP address. For instance, “DSA public key is less than 2048 bits.” The text in the remediation column is also available in the platform. Remediation is guidance on how to resolve the issue so that it no longer adversely impacts the organization's Bitsight Security Rating. Click the links below to learn more about finding messages.
- GOOD
  In order to be graded as GOOD, the domain should have DNSSEC enabled and should be properly configured. The certificate must adhere to the following rules:
  - It must be encrypted using a secure hash algorithm with a sufficiently long key.
  - It must have a validated chain of trust.
- WARN
  The presence of these issues moderately impacts an organization's Bitsight Security Rating. They should be remediated as soon as possible.
- BAD
  The presence of these issues severely impacts an organization's Bitsight Security Rating. They should be remediated as soon as possible.
- NEUTRAL
  These issues don't affect an organization's Bitsight Security Rating.
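The two GOOD rules and the sample message “DSA public key is less than 2048 bits.” can be checked directly against DNSKEY and DS record data. The following is an added example, not Bitsight's code or grading logic: it reads the key size out of DNSKEY RDATA and checks one DS-to-DNSKEY link of the chain of trust. The 2048-bit threshold comes from that sample message; the RSA message text, the function names and the sample keys are assumptions constructed for illustration.

```python
import hashlib
import struct

# DNSSEC algorithm numbers (subset of the IANA registry)
RSA_ALGS = {1, 5, 7, 8, 10}  # RSAMD5, RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
DSA_ALGS = {3, 6}            # DSA, DSA-NSEC3-SHA1
MIN_BITS = 2048              # assumption: threshold from the page's sample message

def key_bits(rdata):
    """Return (algorithm, key size in bits or None) for DNSKEY RDATA (RFC 4034)."""
    _flags, _protocol, alg = struct.unpack("!HBB", rdata[:4])
    key = rdata[4:]
    if alg in RSA_ALGS:  # RFC 3110: exponent length, exponent, modulus
        if key[0]:
            elen, off = key[0], 1
        else:  # zero octet means a two-octet exponent length follows
            elen, off = struct.unpack("!H", key[1:3])[0], 3
        return alg, int.from_bytes(key[off + elen:], "big").bit_length()
    if alg in DSA_ALGS:  # RFC 2536: first octet T, prime P is 512 + 64*T bits
        return alg, 512 + 64 * key[0]
    return alg, None  # elliptic-curve algorithms: size is fixed by the curve

def weak_key_message(rdata):
    """Return a finding-style message for a short RSA/DSA key, else None."""
    alg, bits = key_bits(rdata)
    if bits is not None and bits < MIN_BITS:
        family = "DSA" if alg in DSA_ALGS else "RSA"
        return f"{family} public key is less than {MIN_BITS} bits."
    return None

def ds_matches(owner, rdata, ds_digest):
    """One chain-of-trust link: parent DS digest (type 2, SHA-256) vs child DNSKEY."""
    labels = [l for l in owner.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).digest() == ds_digest

def sample_rsa_key(bits):
    """Constructed DNSKEY RDATA: dummy modulus, only its length is meaningful."""
    modulus = b"\xc1" + bytes(bits // 8 - 2) + b"\x01"
    return struct.pack("!HBB", 257, 3, 8) + b"\x03\x01\x00\x01" + modulus

RSA_1024, RSA_2048 = sample_rsa_key(1024), sample_rsa_key(2048)
DSA_1024 = struct.pack("!HBB", 256, 3, 3) + bytes([8]) + bytes(20)  # T=8, cut after Q

if __name__ == "__main__":
    for name, k in (("RSA_1024", RSA_1024), ("RSA_2048", RSA_2048), ("DSA_1024", DSA_1024)):
        print(name, key_bits(k), weak_key_message(k))
```

Because RFC 2536 limits T to 8, a DSA DNSKEY is at most 1024 bits and always trips this check. A full chain-of-trust validation also verifies the RRSIG signatures at each level, which this sketch does not do.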
- December 19, 2025: Language clarified around Finding Grade Messaging.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- December 12, 2023: Linked to no findings definition.
- December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.