What is DNSSEC?

Posted on May 15, 2018 by Kevin Murphy

Category: Hosting Basics | Tags: DNS, Security, Zone

Reading Time: 2 minutes

Domain Name System Security Extensions or DNSSEC signs DNS Record Sets (RRsets) at each DNS zone level. This allows one to verify the DNS record they are receiving has not been altered.

For example, manage.liquidweb.com has these zone levels:

Root (.)
com, org, net
liquidweb
Manage

DNS Record Set (RRsets) is a group of records with the same record type, for example all DNS A records are one RRset.

To sign each zone level, a few additional record types are introduced:

Resource Record Signature (RRSig) – Signature of RRsets
DNSKey – Contains public key used to verify RRSig
Delegation Signer (DS) – References DNSKey in the child-zone and added to domain registrar

We can then use Zone-Signing and Key-Signing Keys to begin the DNS validation.

Zone-Signing Keys (ZSK) sign each RRSet with a private key. The public key is then stored in the DNSKey record.
Key-Signing Keys (KSK) sign the public ZSK. The public key is then stored in another DNSKey record.

DNS Validation continues with the steps below:

Request DNS Record Set (RRSet), returns the RRSet and RRSig
Request DNSKey for the public ZSK and KSK
Verify RRset’s RRSig with the public ZSK
Verify RRSig’s DNSKey (public ZSK) with the public KSK

We then need to find a way to trust the KSK. This is where the Delegation Signer (DS) record is used. This is created by hashing the DNSKey of the child-zone’s public KSK. This means when the DNSKey of the child-zone matches the DS of the parent-zone, the DNS record has not been tampered with.

Now that we have created the DS, we also need to create a trust for this! The process continues the same way as before, until we reach the root-zone since there is no parent-zone to validate against. Cloudflare outlines this process well, “In the Root Signing Ceremony, several selected individuals from around the world come together and sign the root DNSKEY RRset in a very public and highly audited way. The ceremony produces an RRSIG record that can be used to verify the root name server’s public KSK and ZSK. Instead of trusting the public KSK because of the parent’s DS record, we assume that it’s valid because we trust the security procedures around accessing the private KSK.”

By using DNSSEC in your DNS environment, you can ensure your DNS Records have not been tampered with.

About the Author: Kevin Murphy

Kevin formerly worked for Liquid Web as a Helpful Human supporting our Windows Enterprise team. He has been working in IT professionally since 2012. While he has supported Windows infrastructure his entire career, he also has an in-depth knowledge of Linux. In his free time, he enjoys reading, video games, and watching NHL and Formula 1.