I have a separate post on DNS; if you are new to DNS, read that post first before going on to the DNS Security Extensions (DNSSEC).
So we know that a DNS resolver makes DNS queries for us, but a plain resolver does nothing to check the validity of the answers it fetches for you.
An attacker who can plant a false DNS entry at an early stage of the lookup can direct you to a malicious IP address instead.
DNSSEC tackles this issue by providing a way to authenticate DNS response data.
When a visitor enters a domain name in a browser, a validating resolver verifies the digital signature on the answer.
If the digital signatures on the data match the ones published by the master DNS servers, the data is passed on to the client computer that made the request.
The DNSSEC digital signature ensures that you’re communicating with the site or Internet location you intended to visit.
DNSSEC uses a system of public keys and digital signatures to verify data. It simply adds new records to DNS alongside existing records. These new record types, such as RRSIG and DNSKEY, can be retrieved in the same way as common records such as A, CNAME, and MX.
These new records are used to digitally “sign” a domain, using a method known as public-key cryptography.
A signed nameserver has a public and private key for each zone. When someone makes a request, it sends information signed with its private key; the recipient then checks that signature with the public key. If a third party tries to send untrustworthy information, the signature will not verify with the public key, so the recipient will know the information is bogus.
Note that DNSSEC does not provide data confidentiality because it does not include encryption algorithms. It only carries the keys and signatures required to authenticate DNS data as genuine, or as genuinely not existing.
Also, DNSSEC does not protect against DDoS attacks.
There are two types of keys used by DNSSEC:
- The zone signing key (ZSK) is used to sign and validate the individual record sets within the zone.
- The key signing key (KSK) is used to sign the DNSKEY records in the zone.
Both of these keys are stored as “DNSKEY” records in the zone file.
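To make the RRSIG/DNSKEY records and the two-key model concrete, here is an added example that is not part of the original post: a toy signed zone in Go, built on the standard library's Ed25519 (the algorithm behind DNSSEC algorithm 15). The KSK signs the DNSKEY record set, the ZSK signs the other record sets, the parent's DS digest is the resolver's trust anchor, and `Validate` walks that chain before returning an answer. The zone name, the record values, the canonical serialisation and the DS digest layout are simplified assumptions made for the example; they are not the real DNSSEC wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RRset is every record sharing one owner name and type; DNSSEC signs the set, not single records.
type RRset struct {
	Name, Type string
	Data       []string
}

// DNSKEY carries a zone public key; flag 257 marks the KSK, 256 the ZSK.
type DNSKEY struct {
	Flags  uint16
	Public ed25519.PublicKey
}

// Zone is what a resolver fetches: keys, record sets, the KSK's signature over the DNSKEY RRset (KeySig) and the ZSK's signature over each Sets[i] (SetSigs[i]).
type Zone struct {
	Name    string
	Keys    []DNSKEY
	KeySig  []byte
	Sets    []RRset
	SetSigs [][]byte
}

// canonical serialises an RRset deterministically (lower-case name, sorted data) so signer and verifier hash the same bytes.
func canonical(rr RRset) []byte {
	data := append([]string(nil), rr.Data...)
	sort.Strings(data)
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(data, "\n"))
}

// dnskeyRRset renders the zone's keys as the DNSKEY record set that the KSK signs.
func dnskeyRRset(name string, keys []DNSKEY) RRset {
	rr := RRset{Name: name, Type: "DNSKEY"}
	for _, k := range keys {
		rr.Data = append(rr.Data, fmt.Sprintf("%d %x", k.Flags, k.Public))
	}
	return rr
}

// DSDigest is what the parent zone publishes for the child's KSK; the resolver uses it as the trust anchor (simplified layout).
func DSDigest(name string, ksk DNSKEY) string {
	sum := sha256.Sum256(canonical(dnskeyRRset(name, []DNSKEY{ksk})))
	return hex.EncodeToString(sum[:])
}

// SignZone makes a fresh KSK and ZSK, signs the DNSKEY RRset with the KSK and every other RRset with the ZSK.
func SignZone(name string, sets []RRset) (Zone, string) {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	ksk := DNSKEY{Flags: 257, Public: kskPub}
	z := Zone{Name: name, Keys: []DNSKEY{ksk, {Flags: 256, Public: zskPub}}, Sets: sets}
	z.KeySig = ed25519.Sign(kskPriv, canonical(dnskeyRRset(name, z.Keys)))
	for _, rr := range sets {
		z.SetSigs = append(z.SetSigs, ed25519.Sign(zskPriv, canonical(rr)))
	}
	return z, DSDigest(name, ksk)
}

// Validate walks the chain of trust DS -> KSK -> DNSKEY RRset -> ZSK -> answer; any broken link means the answer is bogus.
func Validate(z Zone, ds, qname, qtype string) ([]string, error) {
	kskIdx := -1
	for i, k := range z.Keys {
		if k.Flags == 257 && DSDigest(z.Name, k) == ds {
			kskIdx = i
		}
	}
	if kskIdx < 0 || !ed25519.Verify(z.Keys[kskIdx].Public, canonical(dnskeyRRset(z.Name, z.Keys)), z.KeySig) {
		return nil, fmt.Errorf("DNSKEY RRset of %s is not anchored by the DS or fails the KSK signature", z.Name)
	}
	for i, rr := range z.Sets {
		if strings.EqualFold(rr.Name, qname) && rr.Type == qtype {
			for _, k := range z.Keys { // any key in the now-trusted DNSKEY set may have signed it
				if ed25519.Verify(k.Public, canonical(rr), z.SetSigs[i]) {
					return rr.Data, nil
				}
			}
			return nil, fmt.Errorf("RRSIG over %s %s does not verify: bogus", qname, qtype)
		}
	}
	return nil, fmt.Errorf("no %s RRset for %s", qtype, qname)
}

func main() {
	z, ds := SignZone("example.test.", []RRset{{Name: "www.example.test.", Type: "A", Data: []string{"192.0.2.10"}}})
	fmt.Println(Validate(z, ds, "www.example.test.", "A")) // the A record with a nil error
	z.Sets[0].Data[0] = "203.0.113.66"                       // a forged answer, constructed for the demo
	fmt.Println(Validate(z, ds, "www.example.test.", "A")) // nil data with a "bogus" error
}
```

The second call in `main` shows the property the post describes: the forged record still carries the original RRSIG, so it fails to verify against every key in the trusted DNSKEY set and the resolver reports it as bogus rather than handing it to the client. A zone re-signed with an attacker's own KSK and ZSK fails one step earlier, because no DNSKEY matches the DS digest the parent published.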
Now that we have a basic understanding of DNSSEC, we will try to emulate it in a lab environment.