Wednesday 8 March 2017

DNSSEC: A quick introduction

DNS is a pretty old protocol - although used extensively even today. However it's major let down (from a security perspective) is that it transmits data in plain text and the receiver does not have means to validate the content - this makes it extremely easy to manipulate requests with techniques like DNS Poisoning.

DNSSEC was introduced to overcome this problem - and provides a way of validating the responses from a nameserver with help from PKI.

DNSSEC introduces a few new record types (plus a few more not mentioned here):

RRSIG: This provides a signature of the RRSet record

DNSKEY: This provides the public key portion of the ZSK

DS: This provides a summary of a child zone's DNSKEY

With DNNSEC all specific types of records for example: A, MX, SOA etc. are bundled into RRSet's (Resource Record Set) which have a corrosponding RRSIG record - which is simply a digital signature of the RRSet - this is created by the private portion of a zone-signing key pair (ZSK). In order to verify records there the public key from the ZSK is used within a DNSKEY record - the response from the DNS server is checked against the RRSIG with the help of the DNSKEY.

We also have to provide a way of validating that the zones DNSKEY is valid / not forged - this is where the DS (Delegation of Signing) key comes into play - it holds a summary of the DNSKEY in the parent zone - that is then protected by the parent zones DNSKEY.

So each parent domain you are requesting is also validated - for example if you are attempting to request the A record for '' the following RR will be validated:

As seen above - even the TLD nameservers are validated - this is part of the 'chain of trust' (we need to ensure that none of the parent zones have been compromised either.) - however the '.' / root namespace does not (obviously) have any parent - so instead it is treated as trusted - this is because of a procedure called the 'root signing ceremony' - more can be read about this here:

We can check the DS and RRSIG records using dig:

dig +dnssec

com. 172800 IN NS
com. 172800 IN NS
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20170321050000 20170308040000 61045 . CfqhL197dQg2mf0u+ak7qP/ZjEwzyn0TIjDQ3CJJpLdGmfrbuHuNynNf vnCMr8ca17ZKzBTijE0faAH41V1e64C20/kxuYfYjDlsk7ZFQXQhpE6X 5yHmbApyB1UbtSNYTSPzE9bhbcWxAlRcMSZ+R+ABINX4xRUvBUFAX8MH 20YRHBJMZlRDLznUTDGBSyrjWNzVINYF48G6a/qaN1bTzrldVFYeLCTV rAsYQ4glaUhwi+amtjnubYNNAfIyIqWu2MOhfaOCGfz6s0weD1OPKomx i0X4CV1+Nu+qDB8Ud02H0Z8OJWFqHDkU75hNwn47/09I/qQ9GvHCZWfL TZOetA==

The root nameserver does not know the A record for '' but however it can provide us with the nameservers for the .com tld.

dig +dnssec

;; AUTHORITY SECTION: 172800 IN NS 172800 IN NS 172800 IN NS 86400 IN DS 64326 8 2 02E7FEF4C3BBB0A0FA52F0F8E5774C44B243739D1AB7B3B426A417C3 88F45ACF 86400 IN RRSIG DS 8 2 86400 20170315043628 20170308042628 31697 com. xVFjovZdqjyYSf7N0yglKwSrfBKCDmQVQiMw6U94q7+3UlbyzzB95QJI TmhHJ8gvrnGfSSoj7rsRmW1xiGMWBrRCL6VQB5Go9UuEvOHnz6FFMv04 q8FNtjokD/k+nEJ70h5LHc295dxL+xQ3aKF/wWu9ZxpjwLi0MA3d20OM eoU=

;; ADDITIONAL SECTION: 172800 IN AAAA 2001:500:7967::2:33 172800 IN A 172800 IN A 172800 IN AAAA 2620:74:19::33 172800 IN AAAA 2001:502:cbe4::33 172800 IN A

Again - no luck - although this time we have the details of some nameservers and their corresponding addresses!

We'll now query the verisign nameserver:

dig +dnssec

;; ANSWER SECTION: 86400 IN A 86400 IN RRSIG A 8 3 86400 20170321010646 20170307010646 1547 aqPIS0bEw4pLOcqYqWjNM8VMNfE6UQq6n/FCW40u/1x/CMwYtkfA47ZG ZtFxXQzD0YgEZLXWHETWrl22dIZ2MetXDa4N036XxJf5ZNRe9S3Bcgp/ 2QJAze0mfCFA/XWAEfxgZAN7y6mSuOahFHEOD4gNL5Y+v5SB4OwP70qs S4A=

;; AUTHORITY SECTION: 86400 IN NS 86400 IN NS 86400 IN NS 86400 IN RRSIG NS 8 2 86400 20170321010646 20170307010646 1547 BJJIQ5HCrjtilACZdBTqheNIJr6jOJS/RpFYGrRW/qtsNCPLMg1J8sE2 0xyKflNTB6pkUE3QJxv0yQ8Qn7Q83GMmlRFmdlmvkE7dSGUxhOC20mjt yOY9kW5ozYhhquGJzTbcxLgvG1Ss2jGokoJxf+eoaw0NUSR5M44Q8gda 2KY=

Now is an authoritative name server and knows the address of along with its RRSIG record.



Post a Comment