What is DNSSEC?
Vulnerabilities in the Domain Name System (DNS) were discovered that allows an attacker to hijack the DNS resolution process. This kind of attack may have different purposes, one of which is to send users to a deceptive website for sensitive passwords or even banking information collection. DNS Security Extensions (DNSSEC) was introduced to protect the Internet from these kinds of attacks using public-key cryptography. DNSSEC is an extension to DNS which works by signing the DNS zone with a series of zone signing keys and key signing keys and providing the end resolvers a mechanism to authenticate and verify the integrity of DNS responses to queries.
How does DNSSEC work?
All components of the DNS resolving system must be DNSSEC capable in order for DNSSEC to work. These elements include:
- The Top Level Domain (TLD) such as ".com", ".org" must be DNSSEC signed or compatible. Note that not all domain extensions support DNSSEC.
- Your DNS service provider needs to be DNSSEC compatible and sign the Second Level Domain (SLD) such as “example” in example.com.
- The end user’s DNS resolver needs to support DNSSEC.
How does DNS resolution work with DNSSEC?
All the records with the same type are grouped into an RRset and this full RRset get digitally signed instead of individual DNS records. For example, if you have three TXT records for the same hostname relay.domain.com in the domain.com zone, the three TXT records will be bundled into a single TXT RRset. This is the first step towards securing a zone with DNSSEC.
Each zone with DNSSEC enabled has a zone-signing key pair (ZSK): the private key and the public key. The private ZSK is used to create digital signatures for each RRset and the digital signatures are stored in the name server as RRSIG records. When a DNSSEC resolver requests a particular record type (e.g., TXT), apart from returning the TXT record itself, the name server also returns the corresponding RRSIG. The public ZSK is published as a DNSKEY record so that the resolver can then pull the DNSKEY record containing the public ZSK from the name server to verify against the RRSIG signature. The RRset, RRSIG, and public ZSK together can validate the response.
The key-signing key is used to prevent the situation where the zone-signing key is compromised. The KSK validates the ZSK DNSKEY record in exactly the same way as the ZSK secure the RRSets. It signs the public ZSK (which is stored in a DNSKEY record), creating an RRSIG for the DNSKEY record. The public KSK is published in another DNSKEY record which can be used by resolvers to verify against the RRSIG.
Validation for resolver works this way:
1. It makes a request for a particular resource record and obtains the corresponding RRSIG record.
2. It then requests the DNSKEY records containing the public ZSK and public KSK, which also returns the RRSIG for the DNSKEY RRset.
3. It verifies the RRSIG of the requested RRset with the public ZSK.
4. It verifies the RRSIG of the DNSKEY RRset with the public KSK.
Is DNSSEC backward compatible?
Yes. DNSSEC is backward compatible. DNS functions normally with non-DNSSEC resolvers and users can still reach your website and DNS zone, only without the protection of DNSSEC.
What do I need to know about DNSSEC as a domain owner?
DNSSEC and its deployment are fairly complicated, which has been the main hurdle for its adoption. As an end user, you do not need to understand all the terms such as RRSIG, DS, DNSKey, Zone-Signing Keys, Key-Signing Keys, Explicit Denial of Existence etc. However, if you are interested, you can read about it. The most important thing for a domain owner is to find a DNS service provider that supports DNSSEC and enable DNSSEC to protect your domain name.
You can first enable DNSSEC with your DNS service provider who will sign your DNS zone with the public/private keys and provide you with a DS record to set up at your domain name registrar that signs the TLD.