What are the potential adverse consequences of enabling DNSSEC?

Key findings

• Performance overhead: DNSSEC introduces an extra layer of validation and larger DNS responses due to additional cryptographic fields. This can potentially increase DNS lookup times and impact the performance of online services, including email sending.
• Increased complexity: Managing signed zones and DNSSEC keys adds administrative burden. Misconfigurations, such as incorrect key rollovers or expired signatures, can lead to validation failures, making domains appear inaccessible to users with validating resolvers. This complexity highlights why some organizations hesitate to enable DNSSEC.
• Outage risk: Partial or complete outages can occur if DNSSEC is misconfigured. Validating resolvers will refuse to provide answers for domains with broken DNSSEC, leading to service disruption. Slack, for example, experienced an outage related to a DNSSEC rollout issue involving wildcard records on Amazon Route 53.
• DDoS amplification risk: The larger DNSSEC responses can be exploited in DDoS amplification attacks, where attackers send small queries that trigger large responses, overwhelming targets. Imperva provides further information on DNSSEC and DDoS amplification on their website about DNSSEC.
• Reputational impact: If a domain's DNSSEC implementation is flawed, users whose resolvers validate DNSSEC may find the domain unreachable, potentially driving away traffic and damaging reputation. This can be especially problematic for email deliverability if recipients' mail servers validate DNSSEC for sender domains, potentially causing increased DNS failure and hard bounces.

Key considerations

• Robust DNS system support: Ensure your DNS hosting provider offers robust and well-integrated DNSSEC support, simplifying zone signing and key management to minimize operational pain points.
• Operational procedures: Establish clear procedures for DNSSEC key rollovers and emergency recovery, including how to disable DNSSEC if issues arise. This mitigates the risk of extended outages.
• Impact on email authentication: While DNSSEC secures the DNS itself, it indirectly supports email authentication mechanisms like SPF, DKIM, and DMARC by ensuring the integrity of the DNS records they rely on. However, misconfigured DNSSEC can break these records, leading to deliverability issues. For comprehensive email authentication, it's also important to understand the basics of DMARC, SPF, and DKIM.
• Risk assessment: Evaluate the specific risks to your organization versus the added security benefits. For some, the benefits of preventing DNS spoofing may outweigh the operational complexities.
• TLS validation: For many web services, Transport Layer Security (TLS) provides end-to-end encryption and validation, mitigating some risks that DNSSEC addresses, particularly for HTTP-based services.

Key opinions

• Perceived low urgency: Many marketers, particularly from older organizations, note that DNSSEC was not an option when their domains were initially set up, or that some DNS hosts charge for it, leading to a lack of adoption.
• Complexity vs. benefit: While acknowledging the security benefits, marketers often weigh them against the increased administrative complexity and potential for issues. If a feature isn't a simple 'on-off switch,' it can be daunting.
• Focus on deliverability: Marketers prioritize factors directly impacting email deliverability, such as sender reputation and inbox placement, over backend DNS security, unless DNSSEC directly causes issues.
• Impact on user experience: The primary concern for marketers is how any technical change might affect user access to their website or emails, potentially driving users away if services appear broken.

Key considerations

• Cost-benefit analysis: Marketers should consider the operational costs and potential for disruption versus the enhanced security, especially if their DNS provider charges for DNSSEC.
• Hidden impacts: While DNSSEC doesn't directly interact with email, a misconfigured DNSSEC can cause DNS resolution failures, which can then negatively impact email delivery by preventing mail servers from resolving your domain's nameservers.
• Vendor support: The ease of implementation often depends on the DNS provider. Marketers should check if their provider offers a simple, automated process for DNSSEC or if it requires manual configuration prone to errors.
• Security vs. reach: The decision to enable DNSSEC requires balancing enhanced security against the slight risk of making a domain unreachable to a small percentage of users with problematic resolvers. SIDN notes that many of the biggest internet services are not DNSSEC-enabled, partly due to the overhead and reputational risk.

Key opinions

• Increased complexity and failure points: DNSSEC adds an extra layer of lookups and administration, increasing the potential for things to go wrong. Broken DNSSEC can lead to queries failing if resolvers are validating.
• Operational pain points: While signing zones can be trivial with good DNS system support, it becomes operationally painful and risky without it. This can lead to partial outages.
• Misattributed issues: Some DNSSEC-specific issues are quickly blamed on the protocol's design, even though simple typos in zone files can cause similar or worse widespread DNS problems.
• Limited upside for web: For web services, much of what DNSSEC protects against is also validated by TLS, diminishing its unique upside in certain contexts. However, this doesn't fully apply to all DNS-dependent services, including email deliverability.
• Manageable risks: Despite potential issues, DNSSEC is generally considered manageable and worthwhile for most, especially if DNS providers simplify the process. Many organizations successfully implement it for hundreds of domains.

Key considerations

• Distinguish DNSSEC roles: It's important to differentiate between publishing signed zones and enabling DNSSEC checking at resolvers. Both can cause issues if not handled correctly.
• Toolchain importance: A robust toolchain for DNSSEC management, including verification at each step, is critical. Understanding how to recover from a bad configuration is also essential.
• Outbound vs. authoritative zones: For email, you can enable DNSSEC on outbound traffic without necessarily signing your authoritative DNS zones, offering a flexible approach to adoption.
• DNS records and deliverability: While DNSSEC secures DNS, improper handling of DNS records can still lead to deliverability issues. This includes common problems like DKIM key issues or overstuffed SPF records.
• Gradual adoption: Given the complexities, a phased approach to DNSSEC implementation may be beneficial, allowing for testing and adjustments.

Key findings

• Protects against DNS spoofing: DNSSEC is designed to prevent cache poisoning and other forms of DNS data tampering by adding cryptographic signatures to DNS records. This ensures data integrity and authenticity. Cisco Umbrella details its importance.
• Adds validation overhead: DNSSEC introduces additional steps in DNS resolution, as resolvers must validate cryptographic signatures. This process can increase query latency and resource consumption.
• Requires proper key management: The security of DNSSEC relies on the proper management and regular rollover of cryptographic keys. Failure to do so can lead to signature expiration and validation failures, rendering domains unreachable.
• Increased DNS response size: DNSSEC records (e.g., DNSKEY, RRSIG, NSEC, NSEC3) significantly increase the size of DNS responses. This can impact network performance and potentially contribute to DNS reflection/amplification DDoS attacks.
• Compatibility issues: While DNSSEC is widely supported, some legacy DNS resolvers or network configurations might not properly handle DNSSEC-signed responses, leading to resolution failures for end-users. This highlights a need for careful rollout and monitoring.

Key considerations

• Operational maturity: Organizations must have mature DNS management practices and tools in place to handle DNSSEC. Automated key rollovers and validation processes are crucial to avoid manual errors and outages.
• Monitoring and alerting: Continuous monitoring of DNSSEC validation status and DNS resolution performance is essential. Alerts for signature expiration or validation failures can prevent widespread outages.
• DNS provider capabilities: Choose a DNS provider that offers robust, automated DNSSEC support and guidance. This simplifies implementation and reduces the risk of human error when publishing DNS records.
• Impact on email infrastructure: While DNSSEC directly secures DNS queries, its misconfiguration can inadvertently affect email deliverability by making sender domains unreachable or causing authentication failures. Comprehensive email authentication relies on properly configured DNS records.