
Learn More About DNSSEC


To understand DNSSEC, it is important to first be familiar with the basic operation of the DNS system.

The primary function of DNS is to translate domain names (such as example.uk) into numerical Internet addresses (such as 91.227.139.235).

While this numerical addressing system is very efficient for computers to process and read data, it is difficult for humans to remember.

Imagine having to enter the IP address of a website every time you wanted to visit it. For this reason, DNS is often referred to as the phone book of the Internet.

To solve this problem, each domain name is associated with a numerical IP address.

The website addresses we commonly use are essentially domain names.

Information related to domain names is stored on specialised servers. These servers are known as Domain Name Servers (DNS servers), and they translate domain names into IP addresses and vice versa.

At the highest level of the DNS hierarchy is the root zone, where all domain names and IP addresses are stored in databases organised by Top-Level Domains (TLDs) such as .com, .net, .org, and others.

When DNS was first introduced, it lacked security and proper oversight. Over time, several potential security vulnerabilities became apparent. As a result, an additional security framework was developed that could be integrated with the existing DNS protocols.

The Internet Engineering Task Force introduced the DNS Security Extensions (DNSSEC), which is a set of protocols designed to add a security layer to DNS queries and the data exchange processes required to access websites.

How DNSSEC Works

The original purpose of DNSSEC was to protect against forged or manipulated DNS data. This is achieved through digitally signed DNS records.

When a visitor enters a domain name into their browser, the DNS resolver verifies the digital signature associated with the DNS data.

If the digital signature matches the data stored on the authoritative DNS server, the requested information is returned to the client device.

If the signature cannot be validated, the response is rejected, preventing potentially malicious or altered DNS information from being used.

The DNSSEC digital signature ensures that the user is communicating with the website they intended to reach.

DNSSEC uses a system of public keys and digital signatures to authenticate DNS data. It does this by adding additional record types to the existing DNS records. These new records—such as RRSIG and DNSKEY—can be queried in the same way as standard DNS records like A, CNAME, or MX records.

These additional records digitally sign the domain using a method known as public key cryptography.

Each signed DNS zone has a key pair: a public key and a private key. When a DNS query is made, the server responds with data signed using the zone's private key, and the receiving resolver validates that signature using the corresponding public key.

If a third party attempts to send unauthorised or malicious data, the signature validation will fail because the information cannot be correctly verified using the public key. This allows the receiving system to detect that the data has been tampered with.

Keys Used by DNSSEC

DNSSEC relies on two different types of cryptographic keys:

Zone Signing Key (ZSK)
Used to sign and authenticate the individual DNS records within a zone.

Key Signing Key (KSK)
Used to sign the DNSKEY record within the zone.

Both keys are stored in the zone file as DNSKEY records.

Viewing a DS Record

DS stands for Delegation Signer. A DS record contains a unique string derived from the public key, together with metadata describing the key, such as the algorithm used.

Each DS record consists of four parts: KeyTag, Algorithm, DigestType, and Digest.

Example:

example.uk. 3600 IN DS 2371 13 2 18e02779e597bf3662db339464ea2614c3607d7127bc7684f56f31dfab038e96

The different elements of the record contain the following information:

  • example.uk – The domain name associated with the DS record.
  • 3600 – The TTL (Time To Live), which defines how long the record may remain cached.
  • IN – Indicates the Internet class.
  • 2371 – The KeyTag, the identifier of the DNSSEC key.
  • 13 – The algorithm type used for the signature. Each approved DNSSEC algorithm has its own numeric identifier.
  • 2 – The DigestType, which specifies the hash function used to generate the digest from the public key.
  • Digest – The long string at the end of the record is the hash of the public key.

All DS records must comply with Internet Engineering Task Force specification RFC 3658.
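The following is an added example, not code from this page or from Rackhost: it parses a DS record in the presentation format shown above, derives the DS fields (KeyTag, Algorithm, DigestType, Digest) from a DNSKEY record the way RFC 4034 specifies (the key tag is a 16-bit checksum over the DNSKEY RDATA; the digest is a hash over the canonical owner name followed by the DNSKEY RDATA), and checks whether a DS record actually matches a given DNSKEY. The DNSKEY used here is constructed with a placeholder 32-byte key, so it is not a real zone key.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY record: flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256).
# The key bytes are a placeholder pattern (0x00..0x1f), not a real public key.
SAMPLE_DNSKEY = ("example.uk. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(32))).decode())

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DigestType -> hash

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Split a DNSKEY presentation line into (owner, algorithm, RDATA bytes)."""
    owner, _ttl, _cls, rtype, flags, proto, alg, key_b64 = line.split(None, 7)
    assert rtype == "DNSKEY", "not a DNSKEY record"
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return owner, int(alg), rdata + base64.b64decode(key_b64.replace(" ", ""))

def key_tag(rdata):
    """RFC 4034 Appendix B: fold the DNSKEY RDATA into a 16-bit key tag."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(line, digest_type=2):
    """Derive the DS tuple (KeyTag, Algorithm, DigestType, Digest) for a DNSKEY."""
    owner, alg, rdata = parse_dnskey(line)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), alg, digest_type, digest

def parse_ds(line):
    """Split a DS presentation line into (KeyTag, Algorithm, DigestType, Digest)."""
    _owner, _ttl, _cls, rtype, tag, alg, dtype, digest = line.split(None, 7)
    assert rtype == "DS", "not a DS record"
    return int(tag), int(alg), int(dtype), digest.replace(" ", "").lower()

def ds_matches_dnskey(ds_line, dnskey_line):
    """True only if every DS field equals the value derived from the DNSKEY."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    return ds_from_dnskey(dnskey_line, dtype) == (tag, alg, dtype, digest)

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(SAMPLE_DNSKEY)
    print("example.uk. 3600 IN DS %d %d %d %s" % (tag, alg, dtype, digest))
```

A mismatch in any field (a stale key tag, a different algorithm or digest type, or a tampered digest) makes the check fail, which is how a validating resolver detects that a child zone's DNSKEY is not the one the parent delegated to.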
