DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records.

By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en route, as opposed to a fake record injected in a man-in-the-middle attack.

To facilitate signature validation, DNSSEC adds a few new DNS record types:

  • RRSIG - Contains a cryptographic signature over an RRset; produced with the Zone Signing Key (ZSK)
  • DNSKEY - Contains a public signing key, e.g. the public Zone Signing Key
  • DS - Contains the hash of a DNSKEY record
  • NSEC and NSEC3 - For explicit denial-of-existence of a DNS record
  • CDNSKEY and CDS - For a child zone requesting updates to DS record(s) in the parent zone.

When a DNSSEC-validating resolver requests a particular record type (e.g., AAAA), the name server also returns the corresponding RRSIG. The resolver can then fetch the DNSKEY record containing the public Zone Signing Key from the name server. Together, the RRset, the RRSIG, and the public ZSK allow the response to be validated.

Validation for resolvers now looks like this:

  • Request the desired RRset; the response also includes the corresponding RRSIG record.
  • Request the DNSKEY records containing the public ZSK and the public Key Signing Key (KSK); the response also includes the RRSIG for the DNSKEY RRset.
  • Verify the RRSIG of the requested RRset with the public ZSK.
  • Verify the RRSIG of the DNSKEY RRset with the public KSK.
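The validation flow above, as an added stdlib-only Python example that is not part of the original notes: it builds the RRSIG signed data, key tag and DS digest as RFC 4034 defines them for a constructed zone, signs with RSASHA256 (DNSSEC algorithm 8), then runs steps 3 and 4 on the resolver side, including a tampered answer that must fail. The zone name, addresses, validity times and the RSA keys (built from well-known Mersenne primes purely so it runs offline) are all assumptions, not real-world values.

```python
import hashlib, struct
def name_wire(name):
    # Canonical name: lowercase, length-prefixed labels, terminated by the empty root label
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().split(".") if l) + b"\x00"
def dnskey_rdata(flags, pubkey):
    # DNSKEY RDATA: flags (256 = ZSK, 257 = KSK), protocol 3, algorithm 8 (RSASHA256), key bytes
    return struct.pack("!HBB", flags, 3, 8) + pubkey
def key_tag(rdata):
    # RFC 4034 Appendix B checksum; an RRSIG carries it so a resolver can pick the matching DNSKEY
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF
def ds_digest(owner, rdata):
    # DS digest type 2: SHA-256 over the owner name in wire form followed by the DNSKEY RDATA
    return hashlib.sha256(name_wire(owner) + rdata).digest()
def signed_data(owner, rtype, ttl, exp, inc, tag, signer, rdatas):
    # Bytes an RRSIG signs (RFC 4034 3.1.8.1): RRSIG RDATA minus the signature field, then
    # every RR of the set in canonical wire form (class IN = 1), ordered by RDATA
    head = struct.pack("!HBBIIIH", rtype, 8, owner.strip(".").count(".") + 1, ttl, exp, inc, tag)
    rrs = (name_wire(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd for rd in sorted(rdatas))
    return head + name_wire(signer) + b"".join(rrs)

def pkcs1_em(data, klen):  # EMSA-PKCS1-v1_5 encoding with the SHA-256 DigestInfo prefix
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (klen - len(t) - 3) + b"\x00" + t
def rsa_keypair(p, q, e=65537):  # fed known Mersenne primes below so it runs offline; NOT secure
    # Returns (d, n, RFC 3110 public key bytes: exponent length, exponent, modulus)
    n, eb = p * q, e.to_bytes(3, "big")
    return pow(e, -1, (p - 1) * (q - 1)), n, bytes([3]) + eb + n.to_bytes((n.bit_length() + 7) // 8, "big")
def rsa_sign(key, data):
    d, n, pub = key
    return pow(int.from_bytes(pkcs1_em(data, len(pub) - 4), "big"), d, n).to_bytes(len(pub) - 4, "big")
def rsa_verify(pubkey, data, sig):
    # RSASHA256 verification using only the key bytes carried in a DNSKEY record
    elen = pubkey[0]
    e, n = int.from_bytes(pubkey[1:1 + elen], "big"), int.from_bytes(pubkey[1 + elen:], "big")
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(len(sig), "big") == pkcs1_em(data, len(sig))

def resolver_checks(tamper=False):
    # Constructed zone "example." with a KSK and a ZSK; inc/exp are fixed signature validity times
    zone, ttl, inc, exp = "example.", 3600, 1700000000, 1700604800
    ksk_key, zsk_key = rsa_keypair(2**127 - 1, 2**521 - 1), rsa_keypair(2**107 - 1, 2**607 - 1)
    ksk, zsk = dnskey_rdata(257, ksk_key[2]), dnskey_rdata(256, zsk_key[2])
    aaaa = lambda last: [bytes.fromhex("20010db8" + "0" * 23 + last)]          # AAAA 2001:db8::<last>
    keys_data = signed_data(zone, 48, ttl, exp, inc, key_tag(ksk), zone, [ksk, zsk])
    aaaa_data = lambda rrs: signed_data(zone, 28, ttl, exp, inc, key_tag(zsk), zone, rrs)
    dnskey_rrsig, aaaa_rrsig = rsa_sign(ksk_key, keys_data), rsa_sign(zsk_key, aaaa_data(aaaa("1")))
    # Steps 3 and 4 of the validation flow; "2" models an answer altered on the way to the resolver
    return {"dnskey_rrsig_ok": rsa_verify(ksk[4:], keys_data, dnskey_rrsig),
            "aaaa_rrsig_ok": rsa_verify(zsk[4:], aaaa_data(aaaa("2" if tamper else "1")), aaaa_rrsig),
            "ds_for_parent": ds_digest(zone, ksk)}
```

The returned `ds_for_parent` is the digest the parent zone would publish in its DS record to anchor the KSK, which is how the chain continues upward from the checks shown here.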

https://www.cloudflare.com/learning/dns/dnssec/how-dnssec-works/#:~:text=DNSSEC%20creates%20a%20secure%20domain,%2C%20MX%2C%20CNAME%2C%20etc. Continue here