DNSSEC (Domain Name System Security Extensions)
- Extension to DNS that provides authentication and data integrity to DNS responses
- Solves the fundamental problem that standard DNS has no built-in security - anyone can spoof DNS responses
- Uses digital signatures to verify that DNS data came from the authoritative source and hasn’t been modified in transit
- Protects against DNS cache poisoning, man-in-the-middle attacks, and DNS spoofing
How DNSSEC Works
- Creates a chain of trust starting from the DNS root zone down to individual domains
- Each DNS zone signs its records with a private key and publishes the corresponding public key
- DNS resolvers can verify signatures using the public keys, ensuring data authenticity
- Uses multiple record types to implement the security framework (see table below)
DNSSEC Record Types
| Record Type | Purpose | Contains |
|---|---|---|
| RRSIG | Resource Record Signature | Digital signature for a set of DNS records |
| DNSKEY | DNS Public Key | Public key used to verify RRSIG records |
| DS | Delegation Signer | Hash of child zone’s DNSKEY (creates chain of trust) |
| NSEC/NSEC3 | Next Secure | Proves non-existence of records (prevents enumeration) |
Validation Process
- Resolver queries for both the DNS record and its corresponding RRSIG signature
- Resolver obtains the DNSKEY record containing the public key
- Resolver verifies the RRSIG using the public key from DNSKEY
- If signature validation fails, resolver treats response as bogus and may return SERVFAIL
- Chain of trust validated from root zone (.) down to the specific domain
DNSSEC States
| State | Meaning | Resolver Action |
|---|---|---|
| Secure | Valid signature found | Accept and use response |
| Insecure | No DNSSEC signatures present | Accept response (traditional DNS) |
| Bogus | Invalid or missing signature | Reject response, return error |
| Indeterminate | Cannot validate due to configuration issues | Depends on resolver policy |
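
The DS-to-DNSKEY link of the chain of trust (the validation steps and states above), as an added Python example that is not part of the original notes: it builds the DNSKEY RDATA, computes the RFC 4034 key tag and DS digest, and classifies a delegation as Secure, Insecure or Bogus. The key material is constructed, and RRSIG signature verification (which needs a cryptography library) is out of scope.

```python
import base64
import hashlib
import struct
def owner_name_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; RRSIG and DS records cite it to select a DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire form || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(owner_name_wire(owner) + rdata).hexdigest().upper()

def delegation_state(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """Map one delegation to the states table. parent_ds holds (key_tag, algorithm,
    digest_type, digest_hex) tuples; child_dnskeys holds (flags, protocol, algorithm, key_b64)."""
    if not parent_ds:
        return "Insecure"  # no DS at the parent: unsigned delegation, plain DNS applies
    for tag, alg, dtype, digest in parent_ds:
        for flags, proto, kalg, key in child_dnskeys:
            rdata = dnskey_rdata(flags, proto, kalg, key)
            if kalg == alg and key_tag(rdata) == tag and ds_digest(owner, rdata, dtype) == digest.upper():
                return "Secure"
    return "Bogus"  # DS present but no DNSKEY matches it: the chain is broken

# Constructed sample (not real key material): a KSK (flags 257), algorithm 13, 8-byte "key".
OWNER = "example.com."
CHILD_KSK = (257, 3, 13, "AQIDBAUGBwg=")     # key bytes 01 02 03 04 05 06 07 08
TAMPERED_KSK = (257, 3, 13, "AQIDBAUGBwk=")  # last key byte changed to 09

def demo() -> dict:
    rdata = dnskey_rdata(*CHILD_KSK)
    good_ds = (key_tag(rdata), 13, 2, ds_digest(OWNER, rdata))  # what the parent would publish
    return {"key_tag": key_tag(rdata),
            "secure": delegation_state(OWNER, [good_ds], [CHILD_KSK]),
            "bogus": delegation_state(OWNER, [good_ds], [TAMPERED_KSK]),
            "insecure": delegation_state(OWNER, [], [CHILD_KSK])}
```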
Vocabulary
- Chain of Trust: Hierarchical validation path from root DNS servers down to individual domains
- Zone Signing: Process of adding digital signatures to all records in a DNS zone
- Key Rollover: Periodic replacement of DNSSEC keys for security (similar to certificate renewal)
- Trust Anchor: Pre-configured public key that serves as the starting point for the validation chain
- Authenticated Denial: DNSSEC’s ability to prove that a DNS record doesn’t exist
Notes
- DNSSEC does not encrypt DNS queries or responses - only provides authentication and integrity
- Significantly increases DNS response size (can be 3-10x larger due to signatures and keys)
- Requires careful key management - lost private keys can make entire domains unreachable
- Not all DNS resolvers validate DNSSEC by default (many ISP resolvers ignore DNSSEC)
- Use `dig +dnssec example.com` to test DNSSEC validation from the command line (the AD flag in the response shows the resolver validated the answer)
- Common implementation: authoritative servers sign zones, recursive resolvers validate signatures
- Breaking change: Misconfigured DNSSEC can make domains completely inaccessible to validating resolvers
- Popular validators: Google DNS (8.8.8.8), Cloudflare (1.1.1.1), Quad9 (9.9.9.9)
- Enterprise networks should configure internal resolvers to validate DNSSEC for external queries while maintaining internal DNS zones