DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to the Domain Name System so that answers can be checked rather than simply believed. The Domain Name System underpins Internet navigation by mapping domain names to IP addresses; its main purpose is to resolve domain names into IP addresses and vice versa.
Domain Name System SECurity extensions:
a. It is an extension to the DNS protocol.
b. Increases security for the Internet user.
c. Provides security on domain name resolution.
d. Works as a way of verifying authenticity.
e. Verification occurs before other security protocols (SSL/TLS, SSH, etc.) come into play, because a client must resolve the name before it can connect to the host.
How DNSSEC Works
DNSSEC guarantees authenticity and integrity by adding digital signatures to the DNS hierarchy at each level of a domain name. Each level (zone) has its own signature-generating keys. Each organization along the way must vouch for the key of the one below it by publishing a signed record that identifies that key.
www.example.com is the domain name.
Step 1: ".com" signs (vouches for) "example.com"'s key.
Step 2: The root signs ".com"'s key.
DNSSEC follows this chain of trust by validating each "child key" with its "parent key". Every key is validated by the one above it, so the only key a resolver needs to trust up front (its trust anchor) is the topmost parent, the "root" key.
What is the need for this DNSSEC?
DNS data published by the registry can be replaced on its path between the server and the client, for example by DNS spoofing or cache poisoning. So we need a method to check the "authenticity" and "integrity" of DNS data; for this we use the DNSSEC extension.
Authenticity: Can the data published by the entity be trusted? "Does this DNS response really come from the .com zone?"
Integrity: Is the data received the same as what was published? "Did an attacker (e.g., a man-in-the-middle) modify the data in this response since it was signed?"
How DNSSEC is implemented.
DNSSEC provides message authentication and integrity verification through public-key cryptography and digital signatures.
In DNSSEC, each zone has a public/private key pair.
The zone’s public key is stored in the new "DNSKEY" record.
The zone’s private key is kept safe locally.
Types of Keys:
A signed zone usually contains multiple keys:
a. One or more "key-signing keys (KSKs)": sign only the DNSKEY RRset (the zone's published set of public keys).
b. One or more "zone-signing keys (ZSKs)": sign the rest of the zone's records.
The chain of trust flows from parent zone to child zone. Only a zone's parent can vouch for the identity of the zone's keys.
Delegation Signer (DS) Records
Information about a child zone's key is recorded in a Delegation Signer (DS) record stored in the parent zone (for example the TLD). The DS record holds a digest of the child's KSK and is signed with the parent's own key, which is how the parent vouches for the child. For more details please refer to the following KB entry
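The chain of trust from the steps above (root vouches for .com, .com vouches for example.com) together with the KSK/ZSK split and the DS record described here, as an added example that is not part of the original KB entry: a toy model in Go using Ed25519 signatures and SHA-256 DS digests from the standard library. Everything in it is written here for illustration and is not a real resolver or zone signer: the names (NewZone, Delegate, Sign, Validate, dnskey), the "257"/"256" flag prefix marking KSK and ZSK inside the DNSKEY data, the plain-text serialisation in canonical (real DNSSEC uses the RFC 4034 wire format), and the zones and addresses (192.0.2.10 is constructed sample data) are all assumptions. The resolver side starts from the root KSK as its trust anchor, checks each zone's KSK against the parent's DS, verifies the DNSKEY RRset with that KSK, takes the ZSK only from the verified RRset, and finally verifies the answer RRset; a rewritten answer, a self-signed impostor zone, or a wrong trust anchor all fail validation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

type Record struct{ Name, Type, Data string } // minimal resource record: owner, type, RDATA

// Zone is a toy signed zone: the private keys stay local, a resolver sees only RRsets and Sigs.
type Zone struct {
	Name    string
	RRsets  map[string][]Record // records grouped by "owner/type"
	Sigs    map[string][]byte   // one RRSIG per RRset, same key
	kskPriv ed25519.PrivateKey
	zskPriv ed25519.PrivateKey
}

func key(name, typ string) string { return strings.ToLower(name) + "/" + typ }
func (z *Zone) Add(r Record) { z.RRsets[key(r.Name, r.Type)] = append(z.RRsets[key(r.Name, r.Type)], r) }
func canonical(rrs []Record) []byte { return []byte(fmt.Sprint(rrs)) } // toy stand-in for the RFC 4034 canonical form
func dsDigest(ksk ed25519.PublicKey) string { s := sha256.Sum256(ksk); return hex.EncodeToString(s[:]) } // DS RDATA

// NewZone generates a KSK and a ZSK and publishes both in the zone's DNSKEY RRset.
func NewZone(name string) *Zone {
	kpub, kpriv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	zpub, zpriv, _ := ed25519.GenerateKey(nil)
	z := &Zone{Name: name, RRsets: map[string][]Record{}, Sigs: map[string][]byte{}, kskPriv: kpriv, zskPriv: zpriv}
	z.Add(Record{name, "DNSKEY", "257 " + hex.EncodeToString(kpub)}) // flags 257 = KSK (SEP bit set)
	z.Add(Record{name, "DNSKEY", "256 " + hex.EncodeToString(zpub)}) // flags 256 = ZSK
	return z
}

// dnskey returns the key with the given flags from z's DNSKEY RRset; it is untrusted until that RRset's RRSIG verifies.
func dnskey(z *Zone, flags string) ed25519.PublicKey {
	for _, r := range z.RRsets[key(z.Name, "DNSKEY")] {
		if f, h, _ := strings.Cut(r.Data, " "); f == flags {
			b, _ := hex.DecodeString(h)
			return b
		}
	}
	return nil
}

// Delegate is the only place a parent vouches for a child: a DS record holding a digest of the child's KSK, later signed by the parent's ZSK.
func (z *Zone) Delegate(child *Zone) { z.Add(Record{child.Name, "DS", dsDigest(dnskey(child, "257"))}) }

// Sign writes one RRSIG per RRset under the ZSK, then re-signs the DNSKEY RRset alone under the KSK.
func (z *Zone) Sign() {
	for k, rrs := range z.RRsets {
		z.Sigs[k] = ed25519.Sign(z.zskPriv, canonical(rrs))
	}
	z.Sigs[key(z.Name, "DNSKEY")] = ed25519.Sign(z.kskPriv, canonical(z.RRsets[key(z.Name, "DNSKEY")]))
}

// verifyRRset checks an RRset's RRSIG with a public key the resolver already trusts.
func verifyRRset(z *Zone, name, typ string, pub ed25519.PublicKey) ([]Record, error) {
	k := key(name, typ)
	if rrs := z.RRsets[k]; len(pub) == ed25519.PublicKeySize && len(rrs) > 0 && ed25519.Verify(pub, canonical(rrs), z.Sigs[k]) {
		return rrs, nil
	}
	return nil, fmt.Errorf("%s: bad or missing RRSIG over %s %s", z.Name, name, typ)
}

// Validate walks the chain of trust top-down: zones[0] is the root, each later zone is a child of
// the one before it, and anchor is the root KSK the resolver was configured with.
func Validate(anchor ed25519.PublicKey, zones []*Zone, name, typ string) ([]Record, error) {
	expectDS, zsk := dsDigest(anchor), ed25519.PublicKey(nil) // the anchor stands in for the root's DS
	for i, z := range zones {
		ksk := dnskey(z, "257") // must match the parent's DS; only then may it authenticate the DNSKEY RRset
		if dsDigest(ksk) != expectDS {
			return nil, fmt.Errorf("%s: KSK does not match the parent's DS / trust anchor", z.Name)
		}
		if _, err := verifyRRset(z, z.Name, "DNSKEY", ksk); err != nil {
			return nil, err
		}
		if zsk = dnskey(z, "256"); i+1 == len(zones) { // ZSK read from the now-verified RRset
			break
		}
		ds, err := verifyRRset(z, zones[i+1].Name, "DS", zsk) // the ZSK signs the DS that vouches for the child
		if err != nil {
			return nil, err
		}
		expectDS = ds[0].Data
	}
	return verifyRRset(zones[len(zones)-1], name, typ, zsk)
}

func main() {
	root, com, example := NewZone("."), NewZone("com."), NewZone("example.com.")
	example.Add(Record{"www.example.com.", "A", "192.0.2.10"})
	root.Delegate(com)    // step 2 in the text: the root vouches for .com's KSK
	com.Delegate(example) // step 1: .com vouches for example.com's KSK
	for _, z := range []*Zone{root, com, example} {
		z.Sign()
	}
	fmt.Println(Validate(dnskey(root, "257"), []*Zone{root, com, example}, "www.example.com.", "A"))
}
```

Two design points worth noticing: the resolver never takes a ZSK from anywhere except a DNSKEY RRset whose signature it has already verified with a KSK that matched the parent's DS, and the root's KSK is the single configured trust anchor. Changing the A record after signing, substituting a freshly generated example.com zone (whose KSK has no matching DS in .com), or configuring the wrong anchor each makes Validate return an error instead of the answer.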