What Are the Components of DNSSEC and How it Works?
What is it?
DNSSEC (Domain Name System Security Extensions) is the set of extensions that lets a resolver validate DNS responses with cryptographic signatures. It operates on the same underlying DNS infrastructure as unsigned DNS; only new record types are added.
Object Security - DNSSEC
Path vs Object Security Differences
Object Security (DNSSEC): ensures end-to-end integrity of the data itself, so it is available everywhere the data is cached or relayed.
Path Security (DoT, DoH): provides point-to-point integrity and privacy protection on one hop only.
Key terms you need to know
What's the process?
Each DNSSEC zone is signed with a private ZSK (Zone Signing Key), and the name server also needs to publish the public ZSK as a DNSKEY record.
When a resolver (a recursive DNS server) requests a resource record, it gets the RRset together with its corresponding RRSIG, so the resolver can retrieve the DNSKEY (public ZSK) and validate that RRSIG with it.
Hold on!!! It's not that simple. What if the public ZSK is compromised? Then we need another key to validate the public ZSK.
The private KSK (Key Signing Key) signs the public ZSK, and the public KSK is published as a DNSKEY record as well, so now we have two DNSKEYs.
So here's the flow.
Now we have trust within the zone, but DNS is a hierarchical system and we need a way to establish trust with its parent zone.
The DS (Delegation Signer)
It's a way to build trust between a parent and a child zone. The child's DNSKEY (public KSK) is hashed and published as a DS record in the parent zone.
Chain of Trust
The DS record is signed just like any other RRset, which means it has a corresponding RRSIG in the parent, made with the parent's ZSK. The whole validation process then repeats one level up, and keeps repeating until we reach a parent's public KSK that the resolver already trusts.
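The following Python model, added here as an illustration and not part of the original article, walks the whole chain described above: a resolver starts from a configured trust anchor (held in DS form), checks the zone's KSK against it, uses the KSK to validate the DNSKEY RRset, then uses the now-trusted ZSK to validate the DS record that vouches for the child zone, and so on down to the requested record. The DNSKEY RDATA layout, the key tag, the canonical owner-name encoding and the DS digest (type 2, SHA-256) follow RFC 4034 and RFC 4509. The signatures are the one simplification: textbook RSA over a SHA-256 digest with tiny hard-coded Mersenne primes stands in for real RSASHA256 (PKCS#1 v1.5 with 2048-bit keys), and the zone names, primes and 192.0.2.x addresses are constructed for the demo.

```python
"""Simplified DNSSEC chain-of-trust walk (added example, not from the article).

Real parts (RFC 4034 / RFC 4509): DNSKEY RDATA, key tag, DS digest, and the
KSK -> DNSKEY RRset -> ZSK -> RRset validation order.  Simplified part:
textbook RSA with tiny constructed primes in place of real RSASHA256 keys.
"""
import hashlib
import struct

E = 65537                       # public exponent shared by every demo key
FLAGS_ZSK, FLAGS_KSK = 256, 257 # RFC 4034: bit 7 = zone key, bit 15 = SEP (KSK)
PROTOCOL, ALG_RSASHA256, DIGEST_SHA256 = 3, 8, 2

def make_key(p, q):
    """Return ((n, E), d) for two constructed primes (toy sizes, demo only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), pow(E, -1, phi)

def digest_int(data, n):
    """SHA-256 of the signed data reduced into Z_n (stand-in for PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest_int(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest_int(data, n)

def rfc3110_pubkey(n):
    """RFC 3110 RSA public key wire form: exponent length, exponent, modulus."""
    exp = E.to_bytes(3, "big")
    return bytes([len(exp)]) + exp + n.to_bytes((n.bit_length() + 7) // 8, "big")

def dnskey_rdata(flags, n):
    return struct.pack("!HBB", flags, PROTOCOL, ALG_RSASHA256) + rfc3110_pubkey(n)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithms other than RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical wire form of an owner name: lower-case labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest(owner, rdata):
    """DS digest type 2 = SHA-256(canonical owner name || DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()

def ds_rdata(tag, digest):
    return struct.pack("!HBB", tag, ALG_RSASHA256, DIGEST_SHA256) + digest

def decode_ds(rdata):
    return struct.unpack("!H", rdata[:2])[0], rdata[4:]

class Zone:
    """One signed zone: KSK and ZSK published as DNSKEYs, RRsets with RRSIGs."""
    def __init__(self, name, ksk_primes, zsk_primes):
        self.name = name
        (self.ksk_n, _), self.ksk_d = make_key(*ksk_primes)
        (self.zsk_n, _), self.zsk_d = make_key(*zsk_primes)
        self.dnskeys = [dnskey_rdata(FLAGS_KSK, self.ksk_n),
                        dnskey_rdata(FLAGS_ZSK, self.zsk_n)]
        # The DNSKEY RRset is signed by the KSK; every other RRset by the ZSK.
        self.dnskey_rrsig = sign(b"".join(self.dnskeys), self.ksk_n, self.ksk_d)
        self.records = {}   # (owner, rtype) -> (rrset bytes, rrsig int)

    def publish(self, owner, rtype, rrset):
        self.records[(owner, rtype)] = (rrset, sign(rrset, self.zsk_n, self.zsk_d))

    def ds_for_parent(self):
        """What the child hands its parent: (key tag, digest) of the child's KSK."""
        return key_tag(self.dnskeys[0]), ds_digest(self.name, self.dnskeys[0])

def validate_zone_keys(zone, trusted_ds):
    """DS -> KSK -> DNSKEY RRSIG; returns the ZSK modulus once trusted, else None."""
    ksk = zone.dnskeys[0]
    if (key_tag(ksk), ds_digest(zone.name, ksk)) != trusted_ds:
        return None          # this KSK is not the one the parent vouched for
    if not verify(b"".join(zone.dnskeys), zone.dnskey_rrsig, zone.ksk_n):
        return None          # DNSKEY RRset not signed by that KSK
    return zone.zsk_n

def validate(chain, owner, rtype, trust_anchor):
    """Resolver-side walk from the trust anchor down to the requested RRset."""
    trusted_ds = trust_anchor
    for parent, child in zip(chain, chain[1:]):
        zsk_n = validate_zone_keys(parent, trusted_ds)
        if zsk_n is None:
            return False
        rrset, rrsig = parent.records[(child.name, "DS")]
        if not verify(rrset, rrsig, zsk_n):   # DS record signed by parent's ZSK
            return False
        trusted_ds = decode_ds(rrset)         # now vouches for the child's KSK
    zsk_n = validate_zone_keys(chain[-1], trusted_ds)
    if zsk_n is None:
        return False
    rrset, rrsig = chain[-1].records[(owner, rtype)]
    return verify(rrset, rrsig, zsk_n)

def demo():
    """Constructed two-level hierarchy; returns (genuine validates, unvouched fails)."""
    parent = Zone("example.", (2**127 - 1, 2**13 - 1), (2**107 - 1, 2**17 - 1))
    child = Zone("sub.example.", (2**89 - 1, 2**19 - 1), (2**61 - 1, 2**31 - 1))
    parent.publish(child.name, "DS", ds_rdata(*child.ds_for_parent()))
    child.publish("www.sub.example.", "A", bytes([192, 0, 2, 1]))
    anchor = parent.ds_for_parent()   # resolver's configured trust anchor (DS form)
    ok = validate([parent, child], "www.sub.example.", "A", anchor)
    # A zone copy signed with a KSK the parent never published a DS for must fail.
    unvouched = Zone("sub.example.", (2**61 - 1, 2**19 - 1), (2**89 - 1, 2**31 - 1))
    unvouched.publish("www.sub.example.", "A", bytes([192, 0, 2, 99]))
    return ok, validate([parent, unvouched], "www.sub.example.", "A", anchor)

if __name__ == "__main__":
    print(demo())   # (True, False)
```

The order of checks in `validate` is the point of the article: a resolver never trusts a DNSKEY because the zone served it, only because a DS in the parent (itself signed with the parent's ZSK) matches that key's tag and digest, and that parent is trusted for the same reason one level up. The trust anchor is held as a DS rather than as a DNSKEY purely for symmetry with the per-level check.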