Summary: DNSSEC is a crucial protocol for securing the Internet infrastructure, developed in response to increasing attacks on the Domain Name System (DNS). It aims to establish trust in DNS data by attaching cryptographic signatures to DNS records, so that a resolver can check their authenticity and integrity. DNSSEC deployment involves digitally signing zones and creating a chain of trust between parent and child, gradually enhancing the overall security of the system. The protocol is designed to detect threats like cache poisoning, and the article points to resources for understanding and implementing DNSSEC effectively.
we are seeing “a gradual morphing of motivations behind hijacking” toward more severe, economically motivated attacks.
The Internet technical community has responded to threats to the DNS infrastructure by developing the DNS Security Extensions (DNSSEC) protocol standard.
attacks on the Domain Name System (DNS), an engine of the Internet infrastructure, appear to be increasing in length and severity,
DNSSEC introduces security at the infrastructure level through a hierarchy of cryptographic signatures attached to DNS records.
A process that zone operators initiate for digitally signing their own zones by employing public-private key pairs; and
A chain of trust between parent and child that enables the system to eventually become trustworthy.
caches can pose a potential vulnerability, since an attacker may be able to tamper with them by inserting false information in the DNS records,
DNSSEC is intended to detect such attacks
The specification calls for four new resource record types: resource record signature (RRSIG); DNS public key (DNSKEY); delegation signer (DS); and next
secure (NSEC); it also calls for new information in the packet header.
The information in the header used by DNSSEC indicates that the response to a query passed checks on the server side.
Assume for purposes of simplicity that both parent and child are DNSSEC-capable. In this more powerful DNSSEC sequence, the child has signed a DNSKEY record with the private part of a second key pair and stored the public key part of that second key pair in a record (the DS record).
Depending on local policy, a security-aware resolver may accept this response or perform additional security checks. A zone administrator who wishes to deploy DNSSEC first generates a key pair consisting of a public key and a private key. The public key is stored in a DNSKEY record, and the private key is stored safely. The private key is used to digitally sign the records, and the resulting digital signature is stored in an RRSIG record.
The child conveys the DS record to the parent. The parent signs the child’s DS record with the private part of the parent’s key pair, placing the resulting signature in an RRSIG record associated with the DS record. Any parent may itself be a child (except the root), and the process is replicated between each child/parent pair.
This sequence creates the chain of trust up to the “trust anchor,” the starting point in the chain. A DNSSEC-aware resolver validates the information it receives in response to a query by using the public keys to check the signed records.
The combination of RRSIG and the child’s public key in a DNSKEY record allows validation of the source of the data (see Figure 3).
the simplest DNSSEC sequence is to obtain the DNS information queried for, together with the signature associated with that information (in the RRSIG), and use the public key in the DNSKEY to perform the validation, proving the signature was made by the holder of the private key.
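The signing and validation sequence the highlights above describe, as an added worked example that is not part of the article or of any DNS implementation. It models two zones (root and `example.`), each with a key-signing key (the article's "second key pair") that signs the DNSKEY RRset and a zone-signing key that signs every other RRset. It follows the standard's design (RFC 4034) in which the DS record the child hands to the parent carries a digest of the child's KSK rather than the key itself; the parent signs that DS record, and a resolver configured with a trust anchor for the root walks the chain downward. Ed25519 stands in for whichever signing algorithm a real zone uses, the RRset layout and canonical form are simplified (no TTLs, expiry or key tags), and the `192.0.2.x` addresses are constructed TEST-NET values. The final part of `main` simulates a poisoned cache entry: the rdata is altered but the old RRSIG is kept, and validation fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Zone is a constructed, simplified model of a DNSSEC-signed zone (not a real
// zone file format). RRsets are keyed "owner TYPE" and hold plain rdata lines.
type Zone struct {
	Name    string
	ksk     ed25519.PrivateKey  // key-signing key: signs only the DNSKEY RRset
	zsk     ed25519.PrivateKey  // zone-signing key: signs every other RRset
	Records map[string][]string // published RRsets: "owner TYPE" -> rdata
	RRSIGs  map[string][]byte   // one RRSIG per RRset, including DNSKEY
}

// canonical is the byte string an RRSIG covers in this model. Real DNSSEC also
// binds TTL, validity window and key tag; this is the part that matters here.
func canonical(key string, rdata []string) []byte {
	return []byte(key + "\n" + strings.Join(rdata, "\n"))
}

func NewZone(name string) *Zone {
	_, ksk, _ := ed25519.GenerateKey(rand.Reader)
	_, zsk, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{Name: name, ksk: ksk, zsk: zsk,
		Records: map[string][]string{}, RRSIGs: map[string][]byte{}}
}

func (z *Zone) KSKPublic() ed25519.PublicKey { return z.ksk.Public().(ed25519.PublicKey) }
func (z *Zone) ZSKPublic() ed25519.PublicKey { return z.zsk.Public().(ed25519.PublicKey) }

func (z *Zone) Add(owner, typ string, rdata ...string) { z.Records[owner+" "+typ] = rdata }

// DSDigest is what the child conveys to its parent: a SHA-256 digest of the
// child's KSK public key bound to the child's name (RFC 4034 style).
func DSDigest(owner string, kskPub []byte) string {
	sum := sha256.Sum256(append([]byte(owner), kskPub...))
	return hex.EncodeToString(sum[:])
}

// Delegate publishes the DS record for child in this (parent) zone; Sign will
// then cover it with the parent's ZSK signature.
func (z *Zone) Delegate(child *Zone) {
	z.Add(child.Name, "DS", DSDigest(child.Name, child.KSKPublic()))
}

// Sign publishes the DNSKEY RRset and writes an RRSIG for every RRset.
func (z *Zone) Sign() {
	z.Add(z.Name, "DNSKEY",
		"KSK "+hex.EncodeToString(z.KSKPublic()),
		"ZSK "+hex.EncodeToString(z.ZSKPublic()))
	for key, rdata := range z.Records {
		signer := z.zsk
		if key == z.Name+" DNSKEY" {
			signer = z.ksk
		}
		z.RRSIGs[key] = ed25519.Sign(signer, canonical(key, rdata))
	}
}

// zoneZSK validates a zone's DNSKEY RRset against a trusted DS digest (the
// parent's DS rdata, or the configured trust anchor for the root) and returns
// the zone's ZSK, which may then be used to validate the zone's other RRsets.
func zoneZSK(z *Zone, trustedDS string) (ed25519.PublicKey, error) {
	key := z.Name + " DNSKEY"
	rdata, ok := z.Records[key]
	if !ok || len(rdata) != 2 {
		return nil, errors.New(key + ": RRset missing or malformed")
	}
	kskPub, err1 := hex.DecodeString(strings.TrimPrefix(rdata[0], "KSK "))
	zskPub, err2 := hex.DecodeString(strings.TrimPrefix(rdata[1], "ZSK "))
	if err1 != nil || err2 != nil || len(kskPub) != ed25519.PublicKeySize ||
		len(zskPub) != ed25519.PublicKeySize {
		return nil, errors.New(key + ": undecodable public keys")
	}
	if DSDigest(z.Name, kskPub) != trustedDS {
		return nil, errors.New(key + ": KSK does not match DS / trust anchor")
	}
	if !ed25519.Verify(ed25519.PublicKey(kskPub), canonical(key, rdata), z.RRSIGs[key]) {
		return nil, errors.New(key + ": RRSIG invalid")
	}
	return ed25519.PublicKey(zskPub), nil
}

// verifyRRset checks one RRset's RRSIG with the zone's already-validated ZSK.
func verifyRRset(z *Zone, zsk ed25519.PublicKey, owner, typ string) ([]string, error) {
	key := owner + " " + typ
	rdata, ok := z.Records[key]
	if !ok {
		return nil, errors.New(key + ": RRset missing")
	}
	if !ed25519.Verify(zsk, canonical(key, rdata), z.RRSIGs[key]) {
		return nil, errors.New(key + ": RRSIG invalid (data altered or signed by another key)")
	}
	return rdata, nil
}

// Validate walks the chain of trust: chain[0] is the root, chain[i] is the
// parent of chain[i+1]; anchorDS is the resolver's configured trust anchor.
func Validate(anchorDS string, chain []*Zone, owner, typ string) ([]string, error) {
	trusted := anchorDS
	var zsk ed25519.PublicKey
	for i, z := range chain {
		var err error
		if zsk, err = zoneZSK(z, trusted); err != nil {
			return nil, err
		}
		if i+1 < len(chain) { // the signed DS in this zone vouches for the child's KSK
			ds, err := verifyRRset(z, zsk, chain[i+1].Name, "DS")
			if err != nil {
				return nil, err
			}
			trusted = ds[0]
		}
	}
	return verifyRRset(chain[len(chain)-1], zsk, owner, typ)
}

// BuildExample constructs root -> example. with one A record and returns the
// chain plus the trust-anchor digest a resolver would be configured with.
func BuildExample() ([]*Zone, string) {
	root, example := NewZone("."), NewZone("example.")
	example.Add("www.example.", "A", "192.0.2.1") // constructed TEST-NET value
	root.Delegate(example)
	root.Sign()
	example.Sign()
	return []*Zone{root, example}, DSDigest(".", root.KSKPublic())
}

func main() {
	chain, anchor := BuildExample()
	rdata, err := Validate(anchor, chain, "www.example.", "A")
	fmt.Println("genuine answer:", rdata, err)
	// Simulated cache poisoning: altered rdata served with the original RRSIG.
	chain[1].Records["www.example. A"] = []string{"192.0.2.99"}
	_, err = Validate(anchor, chain, "www.example.", "A")
	fmt.Println("tampered answer:", err)
}
```

Two points the code makes concrete: the parent never signs the child's data, only the DS that identifies the child's KSK, so a zone operator keeps full control of its own records; and a resolver that has only the trust anchor can reject both a forged record (bad RRSIG) and a substitute zone signed with keys the parent never vouched for (DS mismatch). Adding a `com.` zone between root and `example.` is a matter of one more `NewZone`/`Delegate` pair, since every parent/child link is checked the same way.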
New highlights added March 22, 2024 at 5:38 PM
DNSSEC offers no protection against well-known denial-of-service attacks
Some observers point out that certificates and certificate authorities have formed a secure infrastructure to support e-commerce, raising the question: What does DNSSEC add?
rtant gap, since perfect privacy would be meaningless if the user’s transaction is hijacked or diverted during transmission through, say, cache poisoning.