DNSSEC adds the security to DNS that it desperately needs. It is a chain of trust that guarantees that the data (DNS records) were not modified on the way and that they come from the right source.
What is DNSSEC?
DNSSEC is a set of security measures that protect DNS data by providing cryptographic authentication, authenticated denial of existence, and data integrity.
DNSSEC basically proves that the data came from the right source, stops data that can’t prove the right source, and data that was modified on the way.
Using DNSSEC, you will generate digital signatures, which will be saved inside the DNS zone as DNS resource records. They are called RRSIG records. When a DNS recursive server asks about the domain name, the RRSIG will be provided in response. After that, the DNS recursive server needs to verify the signature (RRSIG) by using a public cryptographic key named DNSKEY. It gets it and validates the RRSIG.
Resource records are grouped in so-called RRsets. If a users request an A record, for example, he or she will get all of the A records in an RRset.
Signing a DNS zone with DNSSEC means that you are signing all the records inside it. After that, you can edit, remove or add records inside it without the need to re-sign the whole zone. You will need to re-sign only the new records.
For that purpose, you have ZSK (zone-signing keys). The private key signs the RRsets, and the public verifies the signature. The public key is added as a DNSKEY record in the zone so the resolver can use it.
Apart from signing the zone, DNSSEC has another mechanism to sign the keys too. It uses KSK (key signing keys). The KSK will validate the DNSKEY in the same way as the DNSKEY validates the RRsets. There is a private KSK to sign the public KSK and a pulic KSK to validate.
How DNSSEC works?
- The first request will be for the RRset (particular DNS record type).
- The server will return the RRset, together with the RRSIG record.
- Then the subsequent request will be for DNSKEY with the public ZSK and public KSK to open the RRset.
- The following answer will be the DNSKEY RRset.
- Then verifying the RRset with the public ZSK.
- And after that, verify DNSKEYset with the public KSK.
DNSSEC also uses the so-called DS record (delegation signer). It transfers trust from a parent to a child zone. The DS record has the public KSK, and it is put inside the parent zone. The resolver checks both KSK from the parent and child zone, and if they match, it is trustworthy.
Authenticated denial of existence
The DNS needs to answer, even if it didn’t find a record. The response, just like the positive ones, also needs to be validated and authenticated. Since it does not return an RRSIG record, it has another mechanism to return an answer. It is the NSEC record (Next secure record). The NSEC records are a chain of links that are created between signed records. Each NSEC points to the next NSEC and the last to the first record.