Wednesday 8 March 2017

Manually performing DNSSEC validation with dig

Let's firstly obtain the DNSKEY for the root namespace '.':

dig DNSKEY @i.root-servers.net. . | grep -Ev '^($|;)' > root.keys

. 172800 IN DNSKEY 256 3 8 AwEAAYvgWbYkpeGgdPKaKTJU3Us4YSTRgy7+dzvfArIhi2tKoZ/WR1Df w883SOU6Uw7tpVRkLarN0oIMK/xbOBD1DcXnyfElBwKsz4sVVWmfyr/x +igD/UjrcJ5zEBUrUmVtHyjar7ccaVc1/3ntkhZjI1hcungAlOhPhHlk MeX+5Azx6GdX//An5OgrdyH3o/JmOPMDX1mt806JI/hf0EwAp1pBwo5e 8SrSuR1tD3sgNjr6IzCdrKSgqi92z49zcdis3EaY199WFW60DCS7ydu+ +T5Xa+GyOw1quagwf/JUC/mEpeBQYWrnpkBbpDB3sy4+P2i8iCvavehb RyVm9U0MlIc=
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

From the output we can see the tag number '172800'; the security entry point field, which is either 0, 256 (indicating a ZSK, a zone-signing key) or 257 (indicating a KSK, a key-signing key); the number '3', which is the protocol field; and '8', which defines the security algorithm used (RSA/SHA-256 in this case).

The important key here is the KSK that ultimately signs the DNSSEC RRSet for the root zone.

Note: In a lab environment obtaining the DNSKEYs via dig is alright, but in production you would want to obtain these keys via a more secure method and possibly even have them built into the application itself.
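The check a validator performs on a fetched DNSKEY is to compute its key tag and its DS digest and compare them against a trust anchor it already holds. The following is an added example (not part of the original post) that does exactly that offline over the two root DNSKEY records shown above: it parses the presentation-format lines, computes the RFC 4034 key tag, computes the SHA-256 DS digest over the wire-format owner name plus RDATA, and checks the KSK against the pinned root trust anchor. The pinned DS values (key tag 19036, algorithm 8, digest type 2 and the hex digest) are the root trust anchor IANA published for the 2010 root KSK; they are not on the page and are the kind of built-in value the note above recommends shipping with an application.

```python
import base64
import hashlib

# The two root-zone DNSKEY records from the dig output on the page, copied verbatim.
ROOT_DNSKEY_RECORDS = """\
. 172800 IN DNSKEY 256 3 8 AwEAAYvgWbYkpeGgdPKaKTJU3Us4YSTRgy7+dzvfArIhi2tKoZ/WR1Df w883SOU6Uw7tpVRkLarN0oIMK/xbOBD1DcXnyfElBwKsz4sVVWmfyr/x +igD/UjrcJ5zEBUrUmVtHyjar7ccaVc1/3ntkhZjI1hcungAlOhPhHlk MeX+5Azx6GdX//An5OgrdyH3o/JmOPMDX1mt806JI/hf0EwAp1pBwo5e 8SrSuR1tD3sgNjr6IzCdrKSgqi92z49zcdis3EaY199WFW60DCS7ydu+ +T5Xa+GyOw1quagwf/JUC/mEpeBQYWrnpkBbpDB3sy4+P2i8iCvavehb RyVm9U0MlIc=
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
"""

# Pinned root trust anchor: (key tag, algorithm, digest type, digest) as published by IANA
# for the 2010 root KSK. Not taken from the page; this is the value a validator ships with.
PINNED_ROOT_DS = (19036, 8, 2,
                  "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")


def name_to_wire(name):
    """Encode an owner name in DNS wire format: length-prefixed labels, root = 0x00."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse one presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, rdata).

    RDATA wire layout (RFC 4034): flags (2 bytes) | protocol (1) | algorithm (1) | public key.
    The base64 public key may be split into whitespace-separated chunks, as dig prints it.
    """
    fields = line.split()
    owner, _ttl, _cls, rtype, flags, proto, alg = fields[:7]
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    pubkey = base64.b64decode("".join(fields[7:]))
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey
    return owner, int(flags), int(proto), int(alg), rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit ones'-complement-style sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over (owner name in wire format || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def is_ksk(flags):
    """257 = Zone Key bit (256) plus Secure Entry Point bit (1); 256 alone is a ZSK."""
    return flags & 0x0101 == 0x0101


def summarize(records_text):
    """List (flags, key tag, role) for every DNSKEY in the text, in input order."""
    out = []
    for line in records_text.splitlines():
        if line.strip():
            _owner, flags, _p, _a, rdata = parse_dnskey(line)
            out.append((flags, key_tag(rdata), "KSK" if is_ksk(flags) else "ZSK"))
    return out


def check_trust_anchor(records_text, pinned_ds):
    """Return the key tag of the KSK matching the pinned DS, or None if no key matches.

    A key fetched over plain DNS is only trusted if its tag, algorithm and DS digest all
    agree with the anchor; any alteration of the key material changes the digest.
    """
    tag, alg, digest_type, digest = pinned_ds
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) anchors are handled here")
    for line in records_text.splitlines():
        if not line.strip():
            continue
        owner, flags, _proto, key_alg, rdata = parse_dnskey(line)
        if not is_ksk(flags) or key_alg != alg or key_tag(rdata) != tag:
            continue
        if ds_digest_sha256(owner, rdata) == digest:
            return tag
    return None


if __name__ == "__main__":
    for flags, tag, role in summarize(ROOT_DNSKEY_RECORDS):
        print("flags=%d tag=%d %s" % (flags, tag, role))
    print("trust anchor match:", check_trust_anchor(ROOT_DNSKEY_RECORDS, PINNED_ROOT_DS))
```

Run as-is it reports the ZSK and KSK tags and that the KSK matches the pinned anchor. The useful negative case is a key whose base64 has been altered in transit: the tag may still collide, but the DS digest will not, and check_trust_anchor returns None rather than trusting the key.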

Now there are two ways of verifying a record with DNSSEC: top-to-bottom (where the root domain is validated first and the actual domain in question last) or bottom-to-top (where the domain in question is validated first and the root domain last).

dig +sigchase +trusted-key=./root.keys labs.verisigninc.com. A | cat -n

Note: Make sure your DNS server supports DNSSEC validation otherwise you'll get something like:

'Launch a query to find a RRset of type RRSIG for zone: labs.verisigninc.com.
RRSIG is missing for continue validation: FAILED'

Google public DNS servers now support DNSSEC validation, so we can perform the query through them instead:

dig @8.8.8.8 +sigchase +trusted-key=./root.keys labs.verisigninc.com A

If successful you should see a message at the bottom of the output like:

';; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS'
