Recap: ICANN Hands-on Workshop: DNS Security and DNSSEC

On Friday, October 31, a free one-day hands-on workshop on DNS security and DNSSEC (Domain Name System Security Extension) took place at Tallink Hotel Latvija, organized by CERT.LV, NIC, and ICANN (Internet Corporation for Assigned Names and Numbers).

The event brought together IT specialists, system administrators, and other technology professionals to gain in-depth, practical knowledge about DNS-related risks, DNSSEC implementation, and strengthening domain name security.

During the workshop, participants learned how to implement DNSSEC, sign zones, manage encryption keys, build a chain of trust, and validate DNSSEC on recursive servers. The day combined theory and practice, helping participants better understand DNS security principles and their role in maintaining a safe and reliable Internet infrastructure.

A special thank you to Ulrich Wisser, ICANN’s Technical Engagement Manager for Europe, for his high-quality content, practical insights, and knowledge sharing!

We also thank all participants for their engagement, questions, and contributions to an important discussion on DNS security in Latvia.

Why DNS Security Matters

In today’s digital world, a company’s reputation and customer trust start with a secure domain name and a reliable email system. To protect your brand online and prevent fraud, it’s essential to implement two key mechanisms — email authentication and DNSSEC.

1. Email Authentication: Protect Your Identity

Email remains one of the most common tools exploited by cybercriminals. Through fake or spoofed emails, attackers can steal sensitive information, deceive clients, or damage a company’s reputation.

Three main technical protection mechanisms:

• SPF (Sender Policy Framework) – specifies which servers are authorized to send emails from your domain name.
  
• DKIM (DomainKeys Identified Mail) – ensures that emails haven’t been altered in transit.
  
• DMARC (Domain-based Message Authentication, Reporting & Conformance) – combines SPF and DKIM and instructs receiving servers on how to handle unauthenticated emails.
  

By implementing these three steps, organizations can significantly reduce email spoofing risks, protect their customers, and improve their domain’s name email reputation.

2. DNSSEC: Protection Against Fake Websites

Your customers trust that, when they type in your company’s web address, they’ll reach your authentic website — not a fraudulent copy.
DNSSEC (Domain Name System Security Extensions)** protects your domain name by ensuring visitors actually reach your legitimate site. DNSSEC adds digital signatures to DNS records, preventing them from being silently modified. This protects against:

• DNS spoofin – where attackers alter DNS records to redirect visitors to fake sites;
  
• Cache poisoning – where malicious data is stored in DNS caches, making redirections persistent and difficult to detect.
  

DNSSEC complements other security mechanisms (such as SSL/TLS) by strengthening the integrity of the domain name system itself.

Learn more: https://www.nic.lv/en/dnssec-en