Introduction to DNSSEC

Anyone who supposes that Internet payments, sending of personal data or sensitive information in the electronic world are absolutely secure today, is wrong. To avoid inconvenience to the website or domain users, they need to be adequately secured.

The most effective way to protect domains is to add an extra level of security, known by the acronym DNSSEC – Domain Name System Security Extensions. Adding it to a domain is easy, just ask your Authorised Registrar (more information below).

What is it?

It is a system that prevents hackers from redirecting a user to the wrong web address and in this way to obtain sensitive data, which can be subsequently misused.

How does it work?

Imagine entering your bank’s address into the address bar of the browser (e.g. www.bank.sk). In this form it is visible just for us – users. The Domain Name System (or DNS for short) provides a „translation“ of this form of address into a computer-readable form (it means IP address e.g. „120.14.7.7“) – because the browser searches for the requested page based on the IP address.

In that short time, while the DNS is „translating“ the domain into an IP address, sensitive data may be redirected, stolen or misused. So you may appear on a seemingly identical page, but in reality it is not so. Even the address bar in the browser looks the same like you entered it there.

Thus, the average user does not have a chance to recognize that his device is under attack.

Why DNSSEC?

Because only thanks to the DNSSEC system can the web browser check if the address has not been changed somewhere along the way (during the „translation“) by the attackers. By applying DNSSEC, you will secure the website throught the so-called encryption key, thanks to which the user „lands“ where he should appear and will not be redirected to a fake address.

After all you don’t want the users of your website to end up in the hands of scammers!

dnssec picture upgrade EN

Video

For a better understanding of DNSSEC, watch the video (in Slovak language with English subtitles).

How do I know if a domain has DNSSEC?

For detailed verification of DNSSEC it is possible to use e.g. the https://dnsviz.net/ service.

After loading this website simply write the domain to the search box, including the .sk extension, and the system will provide all available data to you. Red color and also an alert icon will alarm you that the domain is not secured by the DNSSEC service.

In some web browsers, there may also be available an extension that allows you to view similar information directly through the browser.

Where can I get it for my domain?

You can ask for DNSSEC through an Authorised Registrar of your domain, because each Registrar has this service available in the SK-NIC system. If you do not know who is the Authorised Registrar of your domain, you can find it on our website on the right in the „Search Domain“ section or by using the WHOIS service.

DNSSEC Statistics for .sk

We introduced DNSSEC in April 2019. On the Virtuálnô.sk portal, in the graphs section, you can see how the number of .sk domains secured by the DNSSEC service has grown.

What is the technology behind DNSSEC?

And now more technically – DNSSEC is the set of technical specifications for the Domain Name System (DNS) which provide the DNS client with verification proving that the data received from the DNS server are authentic.

DNSSEC is using asymmetric encryption – one key for encryption and another one for decryption. Similar principle is being used for encryption and electronic signing of emails (OpenPGP, S/MIME). Holder of the domain that uses DNSSEC generates pair of keys – one private key and one public key (or its registrar provides these keys). Technical details of the domain are subsequently electronically signed by the private key. Public key, stored with the superior authority of the domain, is then used for verification of the authenticity of the technical data through verification of the validity of this signature via the entire hierarchy of the superior signatures all the way to the root one.

After launch of DNSSEC, the technical data of the top level domain .sk will be signed and registry manager SK-NIC, a.s. will hand over the public key to this signature to its own superior authority – to the worldwide manager of the root servers of DNS. This will create hierarchy which will ensure credibility of the data as long as it is not breached at any point, i.e. unless there are errors or misconfigurations, and thus providing that all electronic signatures are all right.

Security Bottlenecks of DNS

Infrastructure of DNS (abbreviation from Domain Name System) provides translation of the domain names into IP addresses and vice versa, but by design it does not have any protection against spoofing of the false data within this communication. For example, if the address “www.sk-nic.sk” is entered into a browser, it can be modified within system communication to a false IP address, while the address line of the browser still displays “www.sk-nic.sk”, hence user will not normally notice, that the browser has displayed a false website in reality. Standard protection via HTTPs won’t necessarily be sufficient in this case, because the HTTPs certificate might not be issued by a trustworthy authority and the DNS communication also runs across a different layer of communication. On the contrary, DNSSEC is trustworthy in such a case, since DNSSEC has its own verification of authenticity, the DNS manager is controlled in various ways and it is not created arbitrarily as is the case with the commercial certification authorities.

In time of creation of the DNS system at the beginning of 80-ties, there was no special attention paid to the security mechanisms of this protocol. Computers of that time were significantly less powerful, asymmetric cryptography (using pair of public and private keys) was still just a new concept and global computer network was significantly smaller with relatively lower number of interconnected people and institutions who mutually knew each other. Over the past 30 years, the use of internet increased dramatically and the DNS protocol became vulnerable, which required creation and use of additional security mechanisms.

There are several major security risks of the DNS system:

DNS hijacking: Computer is opening the website using the IP address provided upon the query to the DNS server. In the case of DNS hijacking, the attacker changes the DNS settings of the computer in such a way, that whenever the computer sends DNS query for IP address translation, instead of the authentic DNS of the internet provider the computer is connected to the false DNS server controlled by the attacker. Such an attack usually occurs if there is a malicious code infection within the computer, e.g. DNS altering trojan. The malicious code changes the DNS settings and replaces address of the authentic DNS server by the address of the malicious server after it infects the computer. As a result, the affected computer would not receive the correct IP address of the requested webpage, but the malicious IP address which is directing the user’s traffic to the website of the attacker and the web browser thus displays a malicious website.

DNS Cache Poisoning: By DNS cache poisoning we call a situation when instead of the authentic record, malicious data are stored in the cache memory of a computer. For example, if we enter website “sk-nic.sk” for the first time, our computer will send the DNS query to the corresponding DNS server and its answer is stored in DNS cache memory together with the time stamp specifying how long this record is valid. If during this time period we again enter “sk-nic.sk”, our computer will not be asking the DNS server, but will retrieve IP address from the DNS cache memory. In the case of cache poisoning, DNS attackers are using malicious tricks in order to force the computer to save false DNS records containing IP addresses of malicious websites controlled by the attackers. It’s obvious what can happen once these are used.
Electronic mail: When email messages are being sent from one server to another, the email servers are sending DNS query along in order to receive IP addresses of the email servers corresponding to the email addresses of the recipients. In this case, the attackers can utilize their malicious methods to force email servers to redirect all or selected electronic mail to the servers of the attacker, whereas attackers can subsequently obviously read all the (sensitive) data contained in the email.

However, this list of security risks is not exhausting, there exists other threats as well.

DNSSEC helps to secure against these as well as other forms of attack.

The policy of cookies used on our websites

Updated on October 10th, 2023

These websites use cookies to enhance the user experience.

Cookie files are stored in your browser only if categorized as necessary for the basic functionalities of our website.
We also currently use certain third-party cookies to help us analyze and understand how our websites are used. Your consent is required for these cookies and you can choose to reject them.

However, please note that rejecting these cookies may affect your browsing experience and disable some additional settings and content.
Cookies are a useful tool. If you distrust the functionality of cookies, you can delete them from your device at any time at your discretion, and you have full control over their management. Misuse typically occurs on websites with questionable or illegal nature.
Details on how to do this can be found, for example, on the website aboutcookies.org. Similarly, you can configure most browsers to prevent the storage of cookies.

For simplicity, we provide links to some guides on how to delete cookies based on different internet browsers:

Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac
Opera: https://www.opera.com/help/tutorials/security/privacy/
Mozilla Firefox: https://support.mozilla.com/sk/kb/odstranenie-cookies
Google Chrome: https://support.google.com/chrome/answer/95647?hl=sk&hlrm=en

Necessary

Always Enabled

Necessary cookie files are essential for the proper functioning of the website. These files anonymously secure basic functions and security elements of the website.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare's bot management.
_wpfuuid	1 year 1 month 4 hours	This cookie is used by the WPForms plugin for WordPress. The cookie enables the paid version of the plugin to connect entries from the same user and is used for additional features, such as the Form Abandonment addon.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user's consent for cookie usage in the 'Advertisement' category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user's consent for cookie usage in the 'Analytics' category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets this cookie to record the user's consent for cookie usage in the 'Functional' category.
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user's consent for cookie usage in the 'Necessary' category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user's consent for cookies in the 'Other' category.
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user's consent for cookie usage in the 'Performance' category.
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state for the relevant category and the CCPA status. It works only in conjunction with the primary cookie.
rc::a	never	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
rc::c	session	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
wpEmojiSettingsSupports	session	WordPress sets this cookie when the user interacts with emojis on a WordPress-built website. It helps determine if the user's web browser can properly display emojis.

Technical cookies are also included in the category of necessary cookies. These do not appear in the cookie bar that allows you to individually manage your website preferences. However, disabling all cookies may cause issues with the functionality of our website, so consider this action carefully.

Our website also utilizes the Recaptcha service, which aims to distinguish between humans and automated spam scripts and which uses cookies as well. The provider of the Recaptcha service is Google LLC.

You can prevent Google LLC from using its cookies by downloading and installing the browser extension available at https://tools.google.com/dlpage/gaoptout?hl=sk

We also provide links to relevant information about Google :

Functional cookie files help perform specific functions, such as sharing website content on social media platforms, collecting feedback, and other third-party functions.

Cookie	Duration	Description
pll_language	1 year	Polylang sets this cookie to remember the language selected by the user when they return to the website and to obtain language information when it is not otherwise available.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Performance-related cookie files are used to understand and analyze key performance indicators of the website to optimize the user experience.

Cookie	Duration	Description
_gat	1 minute	Google Universal Analytics sets this cookie to limit the request rate, thereby limiting the collection of data on high-traffic websites.

Analytical cookie files are used to understand visitor interaction with the website, providing information on criteria such as the number of visitors, exit rate, traffic source, etc.

Cookie	Duration	Description
_ga	1 year 1 month 4 hours	Google Analytics sets this cookie to calculate visitor, session, and campaign data and track website usage for the website's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 hours	Google Analytics sets this cookie to store and count page views.
_gid	1 day	Google Analytics sets this cookie to store information about how visitors use the website and at the same time generate an analytics report on the performance of the website. Some of the data collected includes the number of visitors, their source and the pages they visit anonymously.

Advertising cookie files are used to provide relevant ads and marketing campaigns to visitors, tracking them across various websites. These files track visitors to various websites and collect information, e.g. in order to provide personalized advertisements.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user receives the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's consent status for cookie usage for the current domain.
YSC	session	YouTube sets this cookie to track views of embedded videos on YouTube websites.
yt-remote-connected-devices	never	YouTube sets this cookie to store user preferences when using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store user preferences when using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID for storing data about which YouTube videos the user has watched.
yt.innertube::requests	never	YouTube sets this cookie to register a unique identifier for storing data about the YouTube videos the user has watched.

Others

Other uncategorized cookie files are those that do not fall into any of the above categories.

Minors

Due to the nature of our services and the importance of protecting the privacy of minors, we do not collect, process, or use information on this site related to individuals known to be under 16 years of age.

If you are under 16 and want to use our website, please obtain the consent of your legal representative to use cookies.

Embedded Plugins

In addition to cookies, our websites use links to the following social networks:

Facebook (owned by Meta Platforms Inc, Hacker Way Menlo Park, CA 94025, USA)
Instagram (owned by Meta Platforms Inc, Hacker Way Menlo Park, CA 94025, USA)
LinkedIN (owned by LinkedIN, Corp, 605 W Maude Ave, Sunnyvale, CA 94085, USA)
YouTube (owned by YouTube, LLC, 901 Cherry Ave., San Bruno CA 94066, USA)

The respective buttons display the logos of individual social networks. However, these buttons are not standard plugins provided by social networks but are only functional links. They are activated only by intentional actions (clicking).

If you do not click on the buttons, no data will be transferred to social networks. By clicking on the buttons, you accept communication with the servers of the respective social network and will be linked to them.

Note that after clicking, the button functions as a so-called sharing plugin. The social network thus receives information about the visited website, which it can share with friends and contacts. If you are not logged in, you will be redirected to the login page of the clicked social network, leaving our site. If you are already logged in on that social network, the "like" or sharing function of the respective article will be active.

Part of the information obtained may include, for example, the time of the click, your IP address, details of the browser used, or language settings. This information depends on the functionality of the respective social network and its data handling rules.

When you click on such a button, we have no control over the data collected and processing activities. We are not responsible for this data processing, as we are not the "operator" according to the definitions of data protection legislation. In this regard, we are not aware of the extent of data collection, its legal basis, purpose, and retention period, and therefore, we cannot fully describe all the necessary details – these are the responsibility of the provider of the respective social network.

Also, note that data is transmitted regardless of whether you have an account with the social network provider or whether you are logged in. If you are logged in, your data will be directly associated with your account. Social network providers may also use various cookie files.

If you do not want social networks to collect data about you, do not click on the above mentioned buttons.

Information about the purposes and scope of data collection, further processing and use of data by the respective social network, and about rights and data protection settings can be found in the information provided by these social media sites (links were functional as of the date of preparing this policy, but we do not verify them further):

Facebook: https://www.facebook.com/privacy/policy/
Instagram: https://help.instagram.com/519522125107875
LinkedIn: https://www.linkedin.com/legal/privacy-policy
YouTube: http://www.youtube.com/t/privacy_at_youtube