What is DNSSEC?

DNSSEC was produced as a prevention method against DNS poisoning. Since DNS servers send and receive data using an unencrypted protocol, any hacker can look at the packets as they pass through the network, meaning that they can easily forge packets and send the DNS when a query is made to the authoritative name server.

svg viewer

DNSSEC is designed to ensure security by providing additional authoritative methods to ensure that only authentic records are appended within the DNS cache. DNSSEC adds cryptographic signatures to existing records that are stored alongside record types like A and AAAA. It checks that a hacker did not change the request and that the signature hash matches. This protects the DNS from accepting fraudulent records.

svg viewer

The DNS also adds new record types:

  • DNSKEY:contains a public signing key
  • DS:contains the hash of the DNSKEY
  • RRSIG:contains a cryptographic signature
  • CDNSKEY and CDS: for a child zone requesting to be updated to the DS cords in the parent zone

DNSKEYS can be further divided into two categories:

  • KSK: used to sign DNSKEY records in the zone
  • ZSK: used to sign all individual records within the zone

Delegation Signer Record

Here is an example of a DS record:

educative.io 350 IN 2109 13 2 hqwie2712e871382u0129lk18euy2871ey

  • educative.io stands for the domain name
  • 350 denotes the TTL
  • IN stands for Internet
  • 2109 is the ID of the Key
  • 13 is the algorithm type
  • 2 is the Digest type or hash function used to generate the digest from the public key
  • The hash of the public key

Free Resources

Copyright ©2024 Educative, Inc. All rights reserved