Hostpoint recently made it possible to add a DNSSEC signature to its own domains, enabling the accuracy of DNS responses to be verified. But what exactly is DNSSEC? And what’s the point of this protection? Hostpoint explains.

Some things are hard to imagine from our present-day perspective. In the past, if you wanted to reach someone and didn’t know their phone number, often the only way of doing so was to use the directory assistance or to look in the phone book. What was for a long time the directory assistance service or the Yellow Pages in telecommunications has always been the domain name system (known as the “DNS” for short) on the internet.

On the internet, computers communicate using IP addresses. But we humans aren’t computers, and we can hardly remember the cumbersome and sometimes quite long combinations of numbers, which is why the DNS was introduced in the early 1980s (1984, to be precise).

The DNS is a decentralized database that’s distributed around the globe. When a user enters a domain, such as www.hostpoint.ch, in their browser, the DNS ensures that the correct IP address is established from the responsible DNS servers using a hierarchically arranged query process.


However, such queries are always based on trust. You have to trust that the information (e.g. IP address or responsible name servers) that the information providers are giving you is correct and has not been changed en route.

DNS queries aren’t invulnerable to abuse

Time and time again, this trust is unfortunately abused. Let’s take the example of an internet user who’d like to access their bank’s online banking page. But instead of landing on the real web page, an attacker in the DNS query process plants a fake IP address, leading the user to a fake website. This example shows why mechanisms in the DNS that can prevent such scenarios or at least detect the attempted fraud are necessary. And this is precisely where DNSSEC comes in.

DNSSEC stands for “Domain Name System Security Extensions” and works on the basis of verifiable cryptographic signatures that should ensure both the authenticity and the integrity of the queried data in the DNS. During DNS queries, these security extensions can then be used to check whether the received data is correct and unaltered.

Going back to our above example, when the user queries the online banking website’s IP address, an attacker attempts to provide them with an incorrect IP address. However, since the bank has protected its domain with DNSSEC, the unlawful attempt to provide false information can be detected and thwarted.

But there are also desirable things that DNSSEC unfortunately can’t do. While the information is indeed secured against falsification, it is not encrypted, so DNSSEC doesn’t offer additional privacy compared to an unsecured DNS.

Making the internet that little bit more secure as a domain owner

Most familiar domain extensions (top-level domains) such as .ch now support DNSSEC. It’s high time that this technology was also rolled out to the next level down in the DNS hierarchy: domains that are available for anyone and everyone around the world to purchase, such as hostpoint.ch or your-own-domain.ch.

Hostpoint would like to make a contribution here, which is why it is now offering customers the option of activating DNSSEC for their domains. It was one of the first providers in Switzerland to support security extensions for external name servers. DNSSEC can now be activated for domains on the Hostpoint name servers.

When developing and implementing this function, Hostpoint attached particular importance to the complex technical processes and interrelationships running completely automatically in the background. This means that customers don’t need to have in-depth prior technical knowledge or to create comprehensive configurations to activate DNSSEC. Activation is extremely easy and can be performed at the touch of a button in the Hostpoint Control Panel, provided that the corresponding domain is already running on the Hostpoint name servers.

Additional interesting info:
The DNSViz web tool can be used to visualize any domain’s signature status. The entire chain of evidence for the hierarchical signature process can be traced for DNSSEC-protected domains.


Hostpoint customers who’d like to activate DNSSEC for their domains should click here:
To my domains

Register domains now – it’s extremely easy at Hostpoint:
Buy a domain

Anyone who’d like to transfer their domains to Hostpoint can do so here:
Domain transfer

Making the internet that little bit more secure with DNSSEC

Mauro Landolt

Communications & PR Manager

0