DNSSEC is a Diligence risk vector. It determines whether a company is using the DNSSEC protocol, which uses public key cryptography to authenticate DNS data, and then assesses the effectiveness of its configuration.
- Risk Category: Diligence
- Default Grade: C
- Finding Lifetime: 60 Days
- Scan Cadence: Every 2 weeks or 3 days with a user-requested rescan
- Dynamic Remediation: No
While it is graded, it does not yet affect your overall Bitsight Security Rating.
While not an industry standard, the DNSSEC risk vector is assessed because it secures DNS resolvers against forged data. By employing public key cryptography to sign zones and domains, this technology verifies record authenticity and shields users from malicious redirects during domain name lookups. For more information, see this list of registrars that support end-user DNSSEC management.
What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) protect users from malicious redirects by using public key cryptography to sign DNS records. This ensures that the data your DNS resolver receives is authentic and has not been tampered with.
How are DNSSEC Findings Graded?
Bitsight evaluates DNSSEC based on the strength of the encryption and the validity of the trust chain. Click here to learn more about specific DNSSEC findings and how they affect your Bitsight rating.
Where can I see my DNSSEC findings?
- SPM App: Findings ➔ Findings Table
- CM App: Companies List ➔ Vendor Risk ➔ Findings
- Insurance: Companies List ➔ Client Risk ➔ Findings
- API: GET /v1/companies/company_guid/findings?risk_vector=dnssec
Findings Details Data Glossary
- Flags: This flag indicates whether this NSEC3 record can cover unsigned delegations.
- Hash Algorithm: The cryptographic algorithm used to generate the hash.
- Next Hash: The hashed owner name immediately following the requested record.
- Previous Hash: The hashed owner name immediately preceding the requested record.
- Record Hash: The hash of the requested record.
- Record Type: The type of record returned for this domain.
- Salt: The value appended to the domain name before the hash is calculated.
- Types: The DNS record types that exist at the original owner name.
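How the Salt, Hash Algorithm, Record Hash, Previous Hash and Next Hash fields relate, as an added example (not Bitsight code): it computes an NSEC3 hash as defined in RFC 5155 and checks that a record hash sorts between a previous and a next hash. The iteration count is an NSEC3 parameter not listed in the glossary above, the function names are hypothetical, and the sample values come from the example zone in RFC 5155.

```python
import base64
import hashlib

# NSEC3 hashed owner names use base32hex (RFC 4648), not the standard base32 alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def to_wire(name: str) -> bytes:
    """Canonical DNS wire format: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if raw:
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """Return the Record Hash for `name`: the salt is appended before each hash round."""
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):  # additional rounds re-hash digest || salt
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).lower()

def covers(previous_hash: str, next_hash: str, record_hash: str) -> bool:
    """True if record_hash sorts strictly between previous_hash and next_hash.

    base32hex preserves byte order, so plain string comparison is enough.
    The last record in a zone's chain wraps around to the first.
    """
    p, n, h = (s.lower() for s in (previous_hash, next_hash, record_hash))
    if p < n:
        return p < h < n
    return h > p or h < n

if __name__ == "__main__":
    # Sample parameters from the RFC 5155 example zone: salt aabbccdd, 12 iterations.
    apex = nsec3_hash("example", "aabbccdd", 12)
    a = nsec3_hash("a.example", "aabbccdd", 12)
    print("Record Hash (example):  ", apex)
    print("Record Hash (a.example):", a)
    print("in range:", covers(apex, a, "2t7b4g4vsa5smi47k61mv5bv1a22bojr"))
```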