DNSSEC and SSL: Better Together
...on behalf of Michael Lin, senior director of Trust Services
A recent flurry of media stories and blog posts has debated which technology is more crucial for online security: Domain Name System Security (DNSSEC) or Secure Sockets Layer (SSL) encryption? The very question itself indicates that confusion may still exist over what each technology does – and how they actually work best together.
DNSSEC ensures that people reach the real IP address of the websites they seek. More specifically, DNSSEC authenticates the origin and integrity of DNS data as that data traverses the Internet. The technology helps thwart man-in-the-middle attacks and DNS cache poisoning, where cybercriminals corrupt stored DNS data to direct website visitors to fraudulent sites. The Online Trust Alliance recommended organizations support of DNSSEC in their latest scorecard, which we discussed on our own blog.
DNSSEC is good at what it does but, like any technology, its scope is limited. People still need to know if the website they reached is authentic – bad guys acquire legit IP addresses all the time. They also need to know that the information they enter is encrypted, or else their confidential data will be vulnerable. That’s where SSL comes in – providing site validation and secure channels for transactions, which in turn helps provide end-to-end protection. You can learn more about the complementary relationship between DNSSEC and SSL here.
DNSSEC and SSL are two vital components of a layered approach to Internet security. When woven together, DNSSEC and SSL provide users the confidence to reliably trust they’re on the right websites and talking to the right people in a verifiably secure way.