Complete breakdown of DNSSEC

DNS and its security (DNSSEC) are critical topics for online businesses.

What is DNSSEC?

Domain Name System Security Extensions, or DNSSEC, is a group of security measures created to provide cryptographic authentication to DNS data. It checks and proves the integrity of DNS data so you can be sure they haven’t been altered.

Network experts commonly describe it as a chain of trust because it verifies every point in the process a DNS query follows.

How does DNSSEC work?

DNSSEC adds a necessary security layer to the DNS by including cryptographic signatures to the DNS records. Such signatures get saved in DNS name servers together with other DNS records (A, AAAA, CNAME, MX, SSHFP etc.). The digital signatures get checked to verify that the DNS records are not fake and to prevent a case, that those DNS records may be injected elements from a man-in-the-middle. If they prove they have not been changed on the way and that they really come from the corresponding authoritative name server, then the DNS records are trustable.

DNSSEC plays its game through the use of a public and a private key and specific DNS records.

DNSKEY (public key to sign), DS (delegation signer), RRSIG (digital signature), and NSEC (pointer to the next secure record).

Let’s break this down.

Grouping DNS records.

Records of the zone are grouped by type into an RRset or resource record set like SSHFP record. They will be signed in groups, not individually. When a type of record of this zone gets requested, the whole set will be verified (MX RRset, AAAA RRset, etc.).

Zone-signing keys (ZSK).

There’s a pair of keys (ZSK) to sign for every zone. The private key signs every RRset. Once all the RRsets are signed, they get saved in their name server (RRSIG records). The public key verifies the signature. This last must be accessible for resolvers to verify the signatures. It’s added within a DNSKEY record to the name server.

Verifying the public key.

The public key can be altered, and the chain of trust broken. DNSSEC prevents this with KSK or key-signing key for name servers. The KSK signs the public ZSK (saved in a DNSKEY), generates an RRSIG for that DNSKEY, and helps resolvers to validate its integrity.

Extending trust from a parent zone to a child zone.

At this point, there’s trust in the parent zone. To extend it to a child zone, DNSSEC has the DS record or delegation signer. The DNSKEY storing the public KSK must be hashed by a zone operator and published in a DS record by the parent zone. Resolvers then have access to it to validate the public KSK of the child zone they are referred to. The DS record can also be signed and verified.

DNS delegation and DNSSEC

DNSSEC (Domain Name System Security Extensions) is an extension to the DNS protocol that provides security and authentication to DNS queries. This is accomplished by DNSSEC signing the zone and by placing the validation information within the delegated subzone. It is an important part of DNS delegation, as it ensures that the transfers of data between the parent and child zones are done securely, protecting against DNS-based attacks and making sure that users are getting accurate information.

Authenticating a denial of existence.

DNS doesn’t have a way to inform a denial of existence. DNSSEC solves this through the NSEC record. It will point to the next secure record, and being a record, NSEC can be signed and its validity (trustability) verified by checking its RRSIG.


DNSSEC means security for your DNS from the top to the root!

Leave a Reply

Your email address will not be published. Required fields are marked *