Domain Name System Security Extensions (DNSSEC)
5 August 2014

At a high level, here are the two different sides of DNSSEC:
- Signing
- Validation
Let’s explore each side of DNSSEC in more detail.

Signing

What is signing for DNSSEC?
When you “sign” your domain, you generate cryptographic signatures in your DNS “zone file” that DNSSEC-validating DNS resolvers use to verify that the records they receive match what you published. In practice, the DNS name server that is “authoritative” for your domain publishes additional records (e.g. an “RRSIG” and a “DNSKEY”) that carry this information. The process works like this:
Additionally, a “Delegation Signer (DS)” record is generated that is (somehow) provided to your registrar, who provides it to your TLD registry to link your domain into the “global chain of trust”. Note that every time a DNS record is changed (for example, when a website address is updated), a new DNSSEC signature must be generated for that set of records.

Who performs the signing?
DNSSEC signing is performed by the operator of the name servers that are “authoritative” for your domain. These name servers could be operated by:
The name servers sign the domain to create the appropriate DNSSEC records (e.g. RRSIG, DNSKEY) and then re-sign the domain when records change.

When is signing performed?
You can start signing your domain at any time. All you need is for the operator of your domain’s name servers to be able to perform the initial signing of the domain. Some registrars who also provide DNS hosting have made it possible for a domain to be signed from the moment it is registered. Subsequent signing can be performed at any time, but should be performed on a regular basis according to the organization’s DNSSEC Practice Statement (DPS).

Validation

What is validation of a domain?
Validation is performed by “DNSSEC-validating DNS resolvers”. Validation consists of cryptographically checking DNSSEC signatures. As part of the validation, the DNS resolver also checks the “global chain of trust” from the root of DNS all the way down to the domain to ensure that the information has not been modified. (Please see our DNSSEC Basics page for more information.) Operating properly, an installed and configured DNSSEC-validating secure DNS server will:
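The DS linkage that ties a signed zone into the chain of trust, as an added example (not code from the original page or from its authors): it computes the RFC 4034 key tag and SHA-256 DS digest for a DNSKEY, then walks a constructed root -> com. -> example.com. hierarchy the way a validating resolver checks each delegation against its parent. Key bytes are made up, the zone names are assumed, and RRSIG signature verification is left out; only the DS-to-DNSKEY link at each delegation is checked.

```python
"""DS-to-DNSKEY linkage in the DNSSEC chain of trust (RFC 4034); constructed example with made-up keys, no RRSIG checks."""
import hashlib

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """DS a parent publishes for a child's KSK: digest type 2 = SHA-256(owner + RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def validate_chain(zones: dict, trust_anchor: dict) -> bool:
    """Walk from the root down: a zone is trusted only if one of its DNSKEYs matches
    a DS held by its already-trusted parent; the root is matched to the trust anchor."""
    by_depth = sorted(zones, key=lambda z: len([l for l in z.split(".") if l]))
    trusted_ds = {".": [trust_anchor]}
    for zone in by_depth:
        if not any(make_ds(zone, key) == ds for key in zones[zone]["dnskeys"]
                   for ds in trusted_ds.get(zone, [])):
            return False  # broken link: a validating resolver would answer SERVFAIL
        trusted_ds.update(zones[zone].get("ds", {}))  # DS records this zone delegates
    return True

# Constructed hierarchy root -> com. -> example.com. with made-up 16-byte "keys".
ROOT_KSK = dnskey_rdata(257, 13, bytes(range(16)))
COM_KSK = dnskey_rdata(257, 13, bytes(range(16, 32)))
EXAMPLE_KSK = dnskey_rdata(257, 13, bytes(range(32, 48)))
ZONES = {
    ".": {"dnskeys": [ROOT_KSK], "ds": {"com.": [make_ds("com.", COM_KSK)]}},
    "com.": {"dnskeys": [COM_KSK], "ds": {"example.com.": [make_ds("example.com.", EXAMPLE_KSK)]}},
    "example.com.": {"dnskeys": [EXAMPLE_KSK]},  # leaf zone: signs its own records
}
TRUST_ANCHOR = make_ds(".", ROOT_KSK)  # what a validating resolver is configured with
```

Replacing any KSK in ZONES without updating the parent's DS (or configuring a different trust anchor) makes validate_chain return False, which is the failure a validating resolver reports for a broken delegation.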
Who performs validation?
DNSSEC validation can be performed by a DNS resolver running at any point in your network, including:
Our document about where DNSSEC validation needs to occur goes into more detail about the different points where DNSSEC validation can occur and why you might or might not want DNSSEC validation to happen at each level.

How can I test DNSSEC validation on my network?
To test that DNSSEC validation is working on your network, you can visit:
If you go to one of the sites with a known bad signature, you should fail to see the page. If you do see the page, you may want to check that your system is correctly configured to use the DNS resolver that you believe should be performing DNSSEC validation. Some of the DNSSEC tools that are out there may help you with this testing.

What do DNS resolvers use to verify the digital signature?
Resolvers can verify the signature with a public key stored in a DNSKEY record. The RRsets for each record type and owner name are stored within a signed DNS zone.
What type of zone should you create that contains records allowing a computer name to be resolved from its IP address?
DNS zones. DNS servers host zones, which in turn host records that resolve a name to an IP address. The zone is the authoritative source for information about the domain name managed by that zone. A DNS zone is typically the same as the domain name being hosted on the DNS server.