Call Today

Marketing Articles

How does DNSSEC work?

The domain name system (DNS) is the phone book of the Internet: it tells computers where to send and retrieve information. Unfortunately, it also accepts any address given to it, no questions asked.

Email servers use DNS to route their messages, which means they’re vulnerable to security issues in the DNS infrastructure. In September 2014 researchers at CMU found email supposed to be sent through Yahoo!, Hotmail, and Gmail servers routing instead through rogue mail servers. Attackers were exploiting a decades-old vulnerability in the Domain Name System (DNS)—it doesn’t check for credentials before accepting an answer.

DNSSec IconThe solution is a protocol called DNSSEC; it adds a layer of trust on top of DNS by providing authentication. When a DNS resolver is looking for, the .com name servers help the resolver verify the records returned for cloudflare, and cloudflare helps verify the records returned for blog. The root DNS name servers help verify .com, and information published by the root is vetted by a thorough security procedure, including the Root Signing Ceremony.

A Gentle Introduction to DNSSEC

DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en-route, opposed to a fake record injected in a man-in-the-middle attack.

To facilitate signature validation, DNSSEC adds a few new DNS record types:

  • RRSIG – Contains a cryptographic signature
  • DNSKEY – Contains a public signing key
  • DS – Contains the hash of a DNSKEY record
  • NSEC and NSEC3 – For explicit denial-of-existence of a DNS record
  • CDNSKEY and CDS – For a child zone requesting updates to DS record(s) in the parent zone.

The interaction between RRSIG, DNSKEY, and DS records, as well as how they add a layer of trust on top of DNS, is what we’ll be talking about in this article.


The first step towards securing a zone with DNSSEC is to group all the records with the same type into a resource record set (RRset). For example, if you have three AAAA records in your zone on the same label (i.e., they would all be bundled into a single AAAA RRset.

diagram rrsetsIt’s actually this full RRset that gets digitally signed, opposed to individual DNS records. Of course, this also means that you must request and validate all of the AAAA records from a zone with the same label instead of validating only one of them.

Zone-Signing Keys

Each zone in DNSSEC has a zone-signing key pair (ZSK): the private portion of the key digitally signs each RRset in the zone, while the public portion verifies the signature. To enable DNSSEC, a zone operator creates digital signatures for each RRset using the private ZSK and stores them in their name server as RRSIG records. This is like saying, “These are my DNS records, they come from my server, and they should look like this.”

diagram zone signing keys 1However, these RRSIG records are useless unless DNS resolvers have a way of verifying the signatures. The zone operator also needs to make their public ZSK available by adding it to their name server in a DNSKEY record.

When a DNSSEC resolver requests a particular record type (e.g., AAAA), the name server also returns the corresponding RRSIG. The resolver can then pull the DNSKEY record containing the public ZSK from the name server. Together, the RRset, RRSIG, and public ZSK can validate the response.

diagram zone signing keys 2If we trust the zone-signing key in the DNSKEY record, we can trust all the records in the zone. But, what if the zone-signing key was compromised? We need a way to validate the public ZSK.

Key-Signing Keys

In addition to a zone-signing key, DNSSEC name servers also have a key-signing key (KSK). The KSK validates the DNSKEY record in exactly the same way as our ZSK secured the rest of our RRsets in the previous section: It signs the public ZSK (which is stored in a DNSKEY record), creating an RRSIG for the DNSKEY.

diagram key signing keys 1Just like the public ZSK, the name server publishes the public KSK in another DNSKEY record, which gives us the DNSKEY RRset shown above. Both the public KSK and public ZSK are signed by the private KSK. Resolvers can then use the public KSK to validate the public ZSK.

Validation for resolvers now looks like this:

  • Request the desired RRset, which also returns the corresponding RRSIG record.
  • Request the DNSKEY records containing the public ZSK and public KSK, which also returns the RRSIG for the DNSKEY RRset.
  • Verify the RRSIG of the requested RRset with the public ZSK.
  • Verify the RRSIG of the DNSKEY RRset with the public KSK.

diagram key signing keys 2Of course, the DNSKEY RRset and corresponding RRSIG records can be cached, so the DNS name servers aren’t constantly being bombarded with unnecessary requests.

Why do we use separate zone-signing keys and key-signing keys? As we’ll discuss in the next section, it’s difficult to swap out an old or compromised KSK. Changing the ZSK, on the other hand, is much easier. This allows us to use a smaller ZSK without compromising the security of the server, minimizing the amount of data that the server has to send with each response.

We’ve now established trust within our zone, but DNS is a hierarchical system, and zones rarely operate independently. Complicating things further, the key-signing key is signed by itself, which doesn’t provide any additional trust. We need a way to connect the trust in our zone with its parent zone.

Delegation Signer Records

DNSSEC introduces a delegation signer (DS) record to allow the transfer of trust from a parent zone to a child zone. A zone operator hashes the DNSKEY record containing the public KSK and gives it to the parent zone to publish as a DS record.

diagram delegation signer recordsEvery time a resolver is referred to a child zone, the parent zone also provides a DS record. This DS record is how resolvers know that the child zone is DNSSEC-enabled. To check the validity of the child zone’s public KSK, the resolver hashes it and compares it to the DS record from the parent. If they match, the resolver can assume that the public KSK hasn’t been tampered with, which means it can trust all of the records in the child zone. This is how a chain of trust is established in DNSSEC.

Note that any change in the KSK also requires a change in the parent zone’s DS record. Changing the DS record is a multi-step process that can end up breaking the zone if it’s performed incorrectly. First, the parent needs to add the new DS record, then they need to wait until the TTL for the original DS record to expire before removing it. This is why it’s much easier to swap out zone-signing keys than key-signing keys.

Explicit Denial of Existence

If you ask DNS for the IP address of a domain that doesn’t exist, it returns an empty answer—there’s no way to explicitly say, “sorry, the zone you requested doesn’t exist.” This is a problem if you want to authenticate the response, since there’s no message to sign. DNSSEC fixes this by adding the NSEC and NSEC3 record types. They both allow for an authenticated denial of existence.

NSEC works by returning the “next secure” record. For example, consider a name server that defines AAAA records for api, blog, and www. If you request a record for store, it would return an NSEC record containing www, meaning there’s no AAAA records between store and www when the records are sorted alphabetically. This effectively tells you that store doesn’t exist. And, since the NSEC record is signed, you can validate its corresponding RRSIG just like any RRset.

Unfortunately, this solution allows anybody to walk through the zone and gather every single record without knowing which ones they’re looking for. This can be a potential security threat if the zone administrator was counting on the contents of the zone being private. You can read more about this problem in DNSSEC: Complexities and Considerations, as well as Cloudflare’s unique solution in DNSSEC Done Right.

The Chain of Trust

Ok, so we have a way to establish trust within a zone and connect it to its parent zone, but how do we trust the DS record? Well, the DS record is signed just like any other RRset, which means it has a corresponding RRSIG in the parent. The whole validation process repeats until we get to the parent’s public KSK. To verify that, we need to go to that parent’s DS record, and on and on we go up the chain of trust.

diagram the chain of trustHowever, when we finally get to the root DNS zone, we have a problem: there’s no parent DS record to validate against. This is where we get to see a very human side of the global Internet.

In the Root Signing Ceremony, several selected individuals from around the world come together and sign the root DNSKEY RRset in a very public and highly audited way. The ceremony produces an RRSIG record that can be used to verify the root name server’s public KSK and ZSK. Instead of trusting the public KSK because of the parent’s DS record, we assume that it’s valid because we trust the security procedures around accessing the private KSK.

The ability to establish trust between parent and child zones is an integral part of DNSSEC. If any part of the chain is broken, we can’t trust the records we’re requesting because a man-in-the-middle could alter the records and direct us to any IP address they want.

What is the difference between a registry, registrar and registrant?

There are three different roles that participate in the domain name registration process: The registry, registrar, and registrant. The following information breaks down each role and how they work with one another:

Registry: A domain name registry is an organization that manages top-level domain names. They create domain name extensions, set the rules for that domain name, and work with registrars to sell domain names to the public. For example, VeriSign manages the registration of .com domain names and their domain name system (DNS). To learn more about DNS, see What is DNS?

Registrar: The registrar is an accredited organization, like GoDaddy, that sells domain names to the public. Some have the ability to sell top-level domain names (TLDs) like .com, .net, and .org or country-code top-level domain names (ccTLDs) such as .us, .ca, and .eu.

Registrant: A registrant is the person or company who registers a domain name. Registrants can manage their domain name’s settings through their registrar. When changes are made to the domain, their registrar will send the information to the registry to be updated and saved in the registry’s database. When you register a domain name, you become a registrant!

Why Should I Hire A Marketing Agency For My Small Business?

Getting those customers is one of the biggest challenges that businesses face on a day to day basis. ALL businesses need to have an effective marketing plan to survive and grow. For many companies, however, this is a business truth that is easy to put on the back burner or settle for just throwing darts at a dartboard and hoping you hit something.


Nobody is going to walk into your office and ask for whatever it is that you are selling unless they know who you are, what you do, and they have confidence that you can deliver on your promises. More importantly, your prospects want to know why your product or service is of benefit to them, and how you are differentiated from your competitors.

To get those facts communicated your company needs an effective, well thought out and executed a marketing plan. Most companies understand the need for a strategic marketing plan, but few understand what it is or how to implement one. Marketing is not the same thing as hiring a sales team; it is much more involved than that. In a nutshell, your company’s marketing plan is about generating leads that can then be turned into sales.

Elements of a Modern Marketing Strategy

The rise of the internet, indexed search (think Google) and the explosion of social media networks have changed the way that companies communicate their value proposition (the promise of value that will be delivered by your company and experienced by your customer).

Where once, legacy tactics such as yellow page advertisements or print ads drove traffic to your front door, modern consumers armed with mobile technology expect real-time access to information and make buying decisions in a matter of a few keystrokes on their devices.

This means that companies need to ensure that their branding messages are well executed, easily found on the web by sites that attract attention and convert eyeballs into leads.

Below is a list of items that make up a “modern marketing strategy”:

  • Collateral development and production
  • Content development specialists
  • Email programs
  • E-newsletters
  • Graphic artists
  • Market research
  • Marketing software
  • Metrics/data analysts
  • Mobile marketing specialists
  • PPC
  • Printing
  • PR specialists
  • SEO/keyword research
  • Social media specialists
  • Special events
  • Sponsorship
  • Website development/re-engineering

While this is a very thorough list, it should also be seen as incomplete, because as we speak new technologies, apps and disciplines are being created which makes keeping up a challenge. This rapid change in new technologies is what makes marketing in the 21st century such a challenge for small businesses.

Now that we know the elements, let’s shift gears and evaluate your options on how to execute your strategy.

Can and Should I Do This Myself?

Many entrepreneurs are ingrained with the DIY (Do-It-Yourself) ethic which refers to the ethic of self-sufficiency through completing tasks without the aid of paid specialists. As an entrepreneur that has suffered from this particular affliction, I can certainly attest to the fact an individual can, with enough time and gumption seek out the knowledge required to complete any given task.

The challenge with this mode of operation is the many different creative elements, such as writing, graphic design, computer programming that are needed to successfully carry out a modern marketing strategy. The learning curve for a busy entrepreneur with little experience is staggering, leaving the business owner with either a vastly incomplete marketing strategy missing key elements, such as blogging, social media marketing or a site filled with ugly graphics or both.

Conversely, if the owner devotes the time to learn all of these marketing elements, you have a tapped out business owner focusing all time and attention on a steep learning curve in the creative arts. For all but the smallest businesses lacking the marketing budget to hire or outsource, DIY is an unfeasible strategy. If DIY is not the right approach, then what other options are available?

Should I Hire an Employee or a Marketing Agency?

Organizations that have neither the time nor inclination to DIY are left with a choice; either hire an employee or hire an outside agency. In many instances, business owners lean towards hiring an employee because that has been the de-facto process in the past to solve an immediate need. Additionally, business owners may have the perception that an outside agency is far more expensive than hiring in-house staff. The problem with this rationale is that most of the time, owners don’t have a true basis for comparison.

Smaller businesses can have much lower costs than shown below.

marketing cost charts

How much do you think it would cost to hire a qualified marketing employee vs. hiring a marketing agency?

Most business owners don’t have a true basis for comparison and typically use a rudimentary methodology for decision making. In many cases, business owners might use a base salary versus an hourly quote for a marketing agency and thus conclude that since the hourly rate is higher it, therefore, must be the more expensive option. This is a big mistake.

Many owners fail to take into account the true costs associated with hiring and retaining an employee. As the chart below shows, not only do you have to account for base salary, but adding in fixed expenses such federal, state and/or local taxes as well as health insurance contributions, retirement plan matches, vacation, sick days, etc., and the true cost can be as much as 1.25 to 1.4 times the base salary. Add in additional expenses such as the cost of recruiting and training and the total starts to escalate quickly.

Let’s take a closer look and see what really happens when you compare the two. Disclosures: We used the job position of Marketing Manager for the comparison. Many marketing professionals specialize in one area of marketing, like a social media marketing manager, and may not have the experience that a marketing manager could have. All the salary data is based on the National Average salary for a Marketing Manager in the USA and was taken from There are also many elements to marketing, so we chose the inbound marketing process which encompasses many of the items listed above.

While the numbers are averages and should be adjusted based on your needs, location of a business, etc. The table should give you a better understanding of the approximate costs of hiring each one.

In addition to costs in hiring the right employee, the effective execution of many marketing tasks requires extensive software applications which require lots of money……..lots of it in the form of upfront purchases and annual subscriptions of graphics programs, PPC management apps, business metrics software and a whole host of other requirements.

In addition to the pure cost factor of hiring an employee, there is one additional factor that needs to be considered. It would be exceptionally difficult to find one person that possesses each of the skills required to execute your strategy. This would most likely require your new marketing hire to outsource at least some of these tasks to outside agencies, which really blows this comparison out of the water.

As you can see after taking these factors into consideration, hiring marketing staff is no bargain.

Benefits of Working with a Marketing Agency

Although you may perceive that you are saving money on an hourly basis relative to hiring an employee or doing it yourself, hiring a marketing agency, particularly one focused on inbound marketing tactics provides substantial value. Long gone are the “Mad Men” days of nebulous budgets with hidden fees.

The pricing dynamic has shifted and many firms are now working on clearly spelled out pricing structures, and lower-fee marketing retainer agreements.

Smaller businesses can have much lower costs working with an agency.

While there is no industry standard, the going rate in most markets for an experienced inbound agency starts in the $3,000 to $5,000 range in terms of monthly spend. While that may seem like a large number, in comparison to the opportunity cost of DIY, or the pure allocation of funds towards building the internal staff, this is a relative bargain.

Among the many benefits of working with an experienced marketing firm are:

  • Expertise with your market niche
  • Experience in executing marketing plans
  • Money savings by hiring to your specific needs
  • No employee training required
  • Your marketing plan is executed immediately, the employee may need time to ramp up while the marketing firm is ready from the get-go
  • Avoid HR nightmares
  • No additional overhead
  • Tax deductions, not tax liability
  • Efficiency for short-term and urgent projects

This new paradigm allows business owners to focus on running operations and increasing the bottom line, not messing around with Facebook, Twitter or trying to build out a website.

The big question then isn’t can I afford an experienced marketing agency, but rather how much am I costing myself in time, money and lost opportunity by trying to do this in-house.


Generating Quality Business Leads

More than fifteen years ago, Lynn Hudson quit her nursing job to start her own business called Melody Music Studios LLC. The studio teaches piano and voice lessons in the town of Cary, NC. Shortly after opening her doors, Lynn realized that she needed a way to market her new business and generate more clients. Nothing happens very fast when you start a new business, especially marketing and new leads.

Over the next six months, Lynn considered Yellow Book marketing, website costs, and e-mailing marketing. Yellow Book was very expensive and the ad would not show up until seven months later. Website costs were less expensive but Lynn did not have the capital to start that project. Lynn looked into the SBA, but sadly they did absolutely nothing to help her.  Lynn ended up marketing her new business with business fliers, talking to as many people as possible and word of mouth.

Then, she found ACS Web Marketing online and contracted with them. In a short amount of time, Melody Music Studios was up to 25 students and rolling. The website and lead generating software offered by ACS Web Marketing became the weapon of choice when generating new business. For every new customer who signed up, the business costs were pennies on the dollar. This unique approach was not only cost effective but hit the nail on the head.

Today, Melody Music Studios LLC can be easily found on Google, Yahoo and Bing search engines including keywords such as piano lessons and voice lessons. If you are a new business, spend your time doing the following:

  1. Define your business online web name.
  2. Get an unbiased quote of the costs to start a business website and not a personal website. Do-it-yourself websites are not VALID sources for true website development. Unless you’re an expert in SEO, stay clear of them if you want to succeed.
  3. Work with your webmaster to set up the right strategy and marketing. Make sure he or she is local and can meet with you one on one. Do not be deceived by cheap prices on the internet. Have enough capital saved to get your company up and running.
  4. Research your competition to find out what they are doing to get to page one.

ACS Web Marketing serves the Raleigh and all NC areas and more…

Call today 919-302-8457 for a Free No Cost Quotation  


ORGANIC SEO vs. PPC or Pay per Click

The 64 thousand dollar question. Your long-term web marketing strategy should always include search engine optimization. The major advantage of SEO is that statistically it brings you better quality traffic leads. In fact, many users have subconsciously trained themselves to ignore “paid results” entirely when browsing the web or searching on Google.

There are mountains of data that suggest “Natural Search” visitors to your website are far more likely to trust you, your business, and your products & services. Ranking highly in Google for a keyword or phrase is a clear sign that you are a credible source and that you are an important player in your industry.

But do NOT fool yourself into thinking that SEO is free. No matter how you look at it, SEO comes at a cost. Whether it’s your own time or hiring an outside vendor to manage your SEO strategy, SEO does come with a cost.

Pay Per Click can range from $50 dollars a month to Thousands of dollars a month. After you have established your core SEO and are showing up on page one for your keywords or a long string, now would be the time to engage PPC on a limited basis. Look for a 3% return on your investment.

For every $100 dollar, you spend on PPC look to get about a $3.00 return ROI. You may do better with a service than a e-commerce but you should be the judge of that and not a company… Remember you are investing in your company. Make every dollar count.

ACS Web Marketing LLC 919-302-8457