If you can't reach a site from campus but can reach it from your mobile device when connected to your cellular service provider, the most likely culprit is a problem with the remote site's DNSSEC configuration.


What is DNSSEC?

DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System.

The original design of the Domain Name System (DNS) did not include security; instead, it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempt to add security while maintaining backward compatibility.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. It is a set of extensions to DNS that provide DNS clients (resolvers) with:

  • origin authentication of DNS data
  • data integrity (but not availability or confidentiality)
  • authenticated denial of existence.

All answers from DNSSEC-protected zones are digitally signed. By checking the digital signature, a DNS resolver can verify that the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in CERT records in the DNS.

Having been through difficulties in development over the years, the DNSSEC protocol has been improved to the point that it is now widely accepted in its current incarnation. With the signing of the root zone in 2010 and the signing of the .com zone in 2011, the speed of DNSSEC adoption is expected to increase rapidly in the coming years.

ITS enforces DNSSEC while your mobile service provider and home ISP may not.


How do I solve the problem?

Contact the owners of the site and ask them to check their DNSSEC configuration as well as their upstream provider's DNSSEC configuration.
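
Before contacting the site owners, you can confirm that DNSSEC validation is the cause by sending the same query to a validating resolver twice: once normally, and once with the CD (Checking Disabled) header bit set. The following is an added example, not part of the original article or an ITS tool; the function names, the `resolver_ip` parameter and the sample response headers are assumptions constructed for illustration.

```python
import socket
import struct

RD, AD, CD = 0x0100, 0x0020, 0x0010  # DNS header flag bits (RFC 1035, RFC 4035)
SERVFAIL = 2

def build_query(name, qtype=1, cd=False, qid=0x1234):
    """Build an A query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(response):
    """Return (rcode, ad_bit, answer_count) from a raw DNS response."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    return flags & 0x000F, bool(flags & AD), ancount

def classify(normal, checking_disabled):
    """Compare responses to the same query sent with CD=0 and with CD=1."""
    rcode, ad, _ = parse_header(normal)
    cd_rcode, _, cd_answers = parse_header(checking_disabled)
    if rcode == SERVFAIL and cd_rcode == 0 and cd_answers > 0:
        return "dnssec-validation-failure"  # data exists but fails signature checks
    if rcode == SERVFAIL:
        return "servfail-not-dnssec"        # still failing with validation off
    if rcode == 0 and ad:
        return "validated"                  # resolver vouches for the answer
    return "resolved-unvalidated" if rcode == 0 else "other-error"

def query(resolver_ip, name, cd=False, timeout=3.0):
    """Send one UDP query; resolver_ip is an assumption (your validating resolver)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, cd=cd), (resolver_ip, 53))
        return s.recv(4096)

# Constructed sample response headers (0x8180 = QR|RD|RA), not captured traffic.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8180 | SERVFAIL, 1, 0, 0, 1)
SAMPLE_CD_OK = struct.pack("!HHHHHH", 0x1234, 0x8180 | CD, 1, 1, 0, 1)
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180 | AD, 1, 1, 0, 1)
```

A result of `dnssec-validation-failure` from `classify(query(ip, name), query(ip, name, cd=True))` is the evidence to include when you ask the site owners to check their DNSSEC configuration.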


Last updated: May 20, 2019