Domain Name System Security Extensions or DNSSEC signs DNS Record Sets (RRsets) at each DNS zone level. This allows one to verify the DNS record they are receiving has not been altered.
For example, manage.liquidweb.com has these zone levels:
- Root (.)
- com, org, net
DNS Record Set (RRsets) is a group of records with the same record type, for example all DNS A records are one RRset.
To sign each zone level, a few additional record types are introduced:
- Resource Record Signature (RRSig) – Signature of RRsets
- DNSKey – Contains public key used to verify RRSig
- Delegation Signer (DS) – References DNSKey in the child-zone and added to domain registrar
We can then use Zone-Signing and Key-Signing Keys to begin the DNS validation.
- Zone-Signing Keys (ZSK) sign each RRSet with a private key. The public key is then stored in the DNSKey record.
- Key-Signing Keys (KSK) sign the public ZSK. The public key is then stored in another DNSKey record.
DNS Validation continues with the steps below:
- Request DNS Record Set (RRSet), returns the RRSet and RRSig
- Request DNSKey for the public ZSK and KSK
- Verify RRset’s RRSig with the public ZSK
- Verify RRSig’s DNSKey (public ZSK) with the public KSK
We then need to find a way to trust the KSK. This is where the Delegation Signer (DS) record is used. This is created by hashing the DNSKey of the child-zone’s public KSK. This means when the DNSKey of the child-zone matches the DS of the parent-zone, the DNS record has not been tampered with.
Now that we have created the DS, we also need to create a trust for this! The process continues the same way as before, until we reach the root-zone since there is no parent-zone to validate against. Cloudflare outlines this process well, “In the Root Signing Ceremony, several selected individuals from around the world come together and sign the root DNSKEY RRset in a very public and highly audited way. The ceremony produces an RRSIG record that can be used to verify the root name server’s public KSK and ZSK. Instead of trusting the public KSK because of the parent’s DS record, we assume that it’s valid because we trust the security procedures around accessing the private KSK.”
By using DNSSEC in your DNS environment, you can ensure your DNS Records have not been tampered with.