Interpreting or understanding DNSSEC first requires a basic knowledge of how the DNS works.
The Domain Name System Security Extensions (DNSSEC) are a set of Internet Engineering Task Force (IETF) specifications for protecting certain types of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. They are a set of DNS extensions that provide DNS clients (resolvers) with cryptographic authentication of DNS data, authenticated denial of existence and data integrity, but not availability or confidentiality.
The DNS is used to translate domain names (such as example.com) into numerical Internet addresses (such as 18.104.22.168).
Although this address system is very efficient for computers to read and process, it is extremely difficult for people to remember. Imagine having to remember the IP address of the machine hosting a website every time you wanted to visit it. People often call the DNS the "Internet phone book."
To solve this problem, each domain name is mapped to a numerical IP address. The website addresses that we know are actually domain names.
The domain name information is stored and accessed on special servers, known as domain name servers, which convert the domain names into IP addresses and vice versa.
The top level of the DNS resides in the root zone, where IP addresses and domain names are kept in databases sorted by top-level domain, such as .com, .net, .org, etc.
When the DNS was first implemented it was not secured, and shortly after it came into use several vulnerabilities were discovered. As a result, a security system was developed in the form of extensions that could be added to the existing DNS protocols.
Domain Name System Security Extensions (DNSSEC) are a set of protocols that add a security layer to the domain name system (DNS) search and exchange processes, which have become an integral part of access to websites over the Internet.
DNSSEC aims to strengthen trust in the Internet by helping to protect users from being redirected to fraudulent websites and unwanted addresses. In this way, malicious activities such as cache poisoning, pharming and man-in-the-middle attacks can be prevented.
DNSSEC authenticates the resolution of IP addresses with a cryptographic signature, to ensure that the responses provided by the DNS server are valid and authentic. If DNSSEC is correctly enabled for your domain name, visitors can be sure that they are connecting to the actual website corresponding to that domain name.
How DNSSEC works
The original purpose of DNSSEC was to protect Internet clients from forged DNS data by verifying digital signatures embedded in the data.
When a visitor enters a domain name in a browser, the resolver verifies the digital signature.
If the digital signatures on the data validate against the keys stored in the master DNS servers, then the data is delivered to the client computer that made the request.
The DNSSEC digital signature ensures that you are communicating with the site or Internet location you wish to visit.
DNSSEC uses a system of public keys and digital signatures to verify the data. It simply adds new record types to the DNS alongside the existing records. These new record types, such as RRSIG and DNSKEY, can be retrieved in the same way as common records such as A, CNAME and MX.
These new records are used to digitally "sign" a domain, using a method known as public key cryptography.
A signed name server has a public and private key for each zone. When someone makes a request, the server sends back information signed with its private key; the recipient verifies it with the public key. If a third party tries to send untrusted information, it will not verify correctly against the public key, so the recipient will know that the information is false.
Note that DNSSEC does not provide data confidentiality, because it does not include encryption algorithms. It only carries the keys needed to authenticate DNS data as genuine, or its absence as genuine.
In addition, DNSSEC does not protect against DDoS attacks.
Keys used by DNSSEC
DNSSEC uses two types of keys:
· The zone signing key (ZSK): used to sign and validate the individual record sets within the zone.
· The key signing key (KSK): used to sign the DNSKEY records in the zone.
Both keys are stored as "DNSKEY" records in the zone file.
The DS record
DS stands for Delegation Signer; the record contains a hash (digest) of your public key, as well as metadata about the key, such as which algorithm it uses.
Each DS record consists of four fields: Key Tag, Algorithm, Digest Type and Digest, and looks like this:
We can break the DS record down into its components to see what information each part contains:
example.com - the domain name the DS record is for.
3600 - TTL, the time the record may remain in cache.
IN - class, meaning Internet.
2371 - key tag, the key ID.
13 - algorithm number. Each algorithm allowed in DNSSEC has an assigned number. Algorithm 13 is ECDSA with the P-256 curve using SHA-256.
2 - digest type, i.e. the hash function that was used to generate the digest from the public key.
The long string at the end is the digest, the hash of the public key.
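To make the DS fields above and the KSK/ZSK relationship concrete, here is an added example (not code from the original article) that derives a DS record from a DNSKEY the way a parent zone does (RFC 4034 / RFC 4509) and performs the check a validating resolver makes: the key tag and digest in the parent's DS must match the child's KSK. The DNSKEY bytes and the resulting DS line are constructed for illustration; the "public key" is a dummy byte string, not a real ECDSA P-256 key.

```python
import base64
import hashlib

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256 (the article's example), 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed, lowercase labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK, 256 = ZSK), protocol (3), algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag (RFC 4034 App. B): 16-bit sum of the RDATA words with the carry folded in."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> str:
    """Digest field of the DS record: hash(owner name in wire form || DNSKEY RDATA)."""
    data = name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    return DIGEST_ALGS[digest_type](data).hexdigest().upper()

def parse_ds(line: str) -> dict:
    """Split a presentation-format DS line into the fields the article lists."""
    owner, ttl, cls, rtype, tag, alg, dtype, *digest = line.split()
    if rtype.upper() != "DS":
        raise ValueError("not a DS record")
    return {"owner": owner, "ttl": int(ttl), "class": cls, "key_tag": int(tag),
            "algorithm": int(alg), "digest_type": int(dtype), "digest": "".join(digest).upper()}

def ds_matches_key(ds_line: str, owner: str, flags: int, protocol: int,
                   algorithm: int, pubkey_b64: str) -> bool:
    """The check a validating resolver makes: does the parent's DS commit to this child KSK?"""
    ds, pubkey = parse_ds(ds_line), base64.b64decode(pubkey_b64)
    return (ds["algorithm"] == algorithm
            and ds["key_tag"] == key_tag(flags, protocol, algorithm, pubkey)
            and ds["digest"] == ds_digest(owner, flags, protocol, algorithm, pubkey, ds["digest_type"]))

# Constructed sample: a KSK (flags 257, algorithm 13) for example.com with a dummy 32-byte key.
_PUB = bytes(range(32))  # placeholder bytes, not a real public key
EXAMPLE_PUBKEY_B64 = base64.b64encode(_PUB).decode()
EXAMPLE_DS = f"example.com. 3600 IN DS {key_tag(257, 3, 13, _PUB)} 13 2 {ds_digest('example.com', 257, 3, 13, _PUB)}"
```

Because the DS covers both the owner name and the full DNSKEY RDATA, changing the zone name, the flags (KSK vs ZSK) or a single key byte produces a DS that no longer matches, which is exactly what stops a forged key from being accepted under a signed parent.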