
DNS Security Extensions (DNSSEC)

DNSSEC is the set of DNS security extensions produced by a working group (WG) that the IETF formed in 1994. The group was created in response to the security problems that had long plagued DNS servers.

The primary aim of this WG was to give the information in DNS zones authentication and integrity. This is achieved with public key technology and is based on cryptographic signatures, an idea similar in spirit to the TSIG concept. Public key cryptography is needed because of the problems TSIG faces. Some of these problems are listed here:

  • Maintaining a large number of keys at the same time is troublesome.
  • Once somebody gains access to the server, the keys can easily be retrieved.

Public Key Cryptography

Public key cryptography is used for safe transactions between two computers. A computer first creates a key pair. This key pair is generated with an asymmetric cryptographic algorithm, in which one key is used to encrypt the data and the other key is used to decrypt it.

After a key pair is made, the public key can be published for anyone who wants to communicate with that computer. To communicate with the computer, the sender encrypts the message with the receiving computer's public key. When the message is received, the computer decrypts it with its private key. Therefore, as long as the private key is stored securely, only the genuine computer can read the message.

Signing and verification of a message are also possible by using digital signatures. In this process, the hash value of the message is calculated first and then encrypted with the private key. This encrypted hash value is called a digital signature, and it is sent along with the message. The receiver authenticates the message by first decrypting the digital signature with the public key and then computing the hash value of the message itself. The message is considered genuine if the two hash values match.

Signing and Verification of a Message

Signing and verifying a message in this way is used because asymmetric encryption algorithms are slow, so encrypting the whole message would be very time-consuming; only the short hash value is run through the asymmetric algorithm. Some resource records were also created with DNSSEC to support it. These records are discussed in the following sections.

KEY Record

The KEY record, or KEY RR, is a general-purpose record for storing public cryptographic keys. It holds the public key itself, the protocol type, the algorithm type, and flags for various purposes.

SIG Record

The SIG RR stores the digital signature produced with the private key. It also carries the signature's validity period and the information needed to authenticate it. If more than one algorithm is used to sign the resource records, more than one SIG RR is required.
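The hash-then-sign process described above, applied to a DNS RRset as a SIG record would cover it, as an added example (not code from the original article). It uses stdlib-only textbook RSA without padding, generated on the fly, purely to make the mechanics visible; a real validator uses a proper signature scheme from a vetted library. The owner name, record type and addresses are constructed sample data, and the canonical serialisation format is a simplification of the real wire-format canonical form.

```python
import hashlib
import random

# Randomness source for key generation (demo-only textbook RSA, no padding).
_rng = random.SystemRandom()


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Return a random prime with exactly `bits` bits (top and low bit set)."""
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Textbook RSA key pair: public key (n, e), private key (n, d)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:
            continue
        d = pow(e, -1, phi)  # modular inverse, Python 3.8+
        return (p * q, e), (p * q, d)


def canonical_rrset(owner, rtype, rdatas):
    """Serialise an RRset the way DNSSEC signs it: one signature covers every
    record with a given owner and type, so the owner is lowercased and the
    rdata values are sorted, making the bytes independent of record order."""
    lines = sorted(f"{owner.lower()} {rtype} {rd}" for rd in rdatas)
    return "\n".join(lines).encode()


def _digest(owner, rtype, rdatas):
    return int.from_bytes(hashlib.sha256(canonical_rrset(owner, rtype, rdatas)).digest(), "big")


def sign_rrset(private_key, owner, rtype, rdatas):
    """Hash the canonical RRset, then sign the hash with the private key.
    The returned integer is what a SIG record would carry."""
    n, d = private_key
    digest = _digest(owner, rtype, rdatas)
    assert digest < n, "modulus must be larger than the 256-bit digest"
    return pow(digest, d, n)


def verify_rrset(public_key, owner, rtype, rdatas, signature):
    """Recover the signed hash with the public key (what a KEY record holds)
    and compare it with a freshly computed hash of the received RRset."""
    n, e = public_key
    return pow(signature, e, n) == _digest(owner, rtype, rdatas)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    rrs = ["192.0.2.1", "192.0.2.2"]  # constructed sample A records
    sig = sign_rrset(priv, "www.example.com.", "A", rrs)
    print("valid:", verify_rrset(pub, "www.example.com.", "A", rrs, sig))
    print("tampered:", verify_rrset(pub, "www.example.com.", "A", ["198.51.100.9"], sig))
```

Because the signature covers the canonical form, reordering the records or changing the case of the owner name still verifies, while changing any address or using a different KEY does not.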

NXT Record

All records in a zone are sorted in alphabetical order. Whenever a request generates a negative response, it means that the query has no corresponding RRset.

RRsets that are not present are also given signatures, to authenticate their absence. This is done with the NXT RR, which indicates the following:

  1. The range of unavailable DNS names
  2. The list of absent RRSets for an existing DNS name
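How the sorted chain of NXT records proves both kinds of absence, as an added example (not code from the original article). It builds the chain for a small constructed zone, then selects the NXT record that would accompany a negative answer: the record at the existing name whose type list lacks the queried type (case 2 above), or the record whose owner and next name bracket a name that does not exist (case 1). Signing of the NXT records themselves is omitted here; in a real zone each one carries a SIG.

```python
def normalize(name):
    """Lowercase a domain name and make it absolute (trailing dot)."""
    return name.lower().rstrip(".") + "."


def canonical_key(name):
    """DNSSEC canonical ordering: compare labels from the right (TLD first),
    case-insensitively, so a parent name sorts before its children."""
    return tuple(reversed(normalize(name).rstrip(".").split(".")))


def build_nxt_chain(zone):
    """zone maps owner name -> set of record types present at that owner.
    Returns the NXT chain as owner -> (next owner in canonical order, sorted
    types at owner). The last name points back to the apex, closing the loop."""
    zone = {normalize(k): set(v) for k, v in zone.items()}
    names = sorted(zone, key=canonical_key)
    chain = {}
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        # every signed owner also holds its own NXT and the SIG covering it
        types = sorted(zone[owner] | {"NXT", "SIG"})
        chain[owner] = (nxt, types)
    return chain


def find_denial(chain, qname, qtype):
    """Choose the NXT record that proves a negative answer.
    NODATA: the name exists but has no record of qtype; the NXT at that owner
    lists the types that do exist, and qtype is not among them.
    NXDOMAIN: the name does not exist; the NXT whose owner sorts just before it
    and whose next field sorts just after it covers the gap.
    Returns None when the query would get a positive answer or is out of zone."""
    qname, qtype = normalize(qname), qtype.upper()
    q = canonical_key(qname)
    apex_key = min(canonical_key(o) for o in chain)
    if q[:len(apex_key)] != apex_key:
        return None  # not inside this zone; nothing here can prove anything
    if qname in chain:
        nxt, types = chain[qname]
        if qtype in types:
            return None
        return {"proof": "NODATA", "owner": qname, "next": nxt, "types": types}
    for owner, (nxt, types) in chain.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        wraps = n <= o  # the last record of the chain points at the apex
        if o < q < n or (wraps and (q > o or q < n)):
            return {"proof": "NXDOMAIN", "owner": owner, "next": nxt, "types": types}
    return None


# Constructed sample zone: owner -> types present (no real DNS data).
SAMPLE_ZONE = {
    "example.com.": {"SOA", "NS"},
    "a.example.com.": {"A"},
    "C.example.com.": {"A", "MX"},
    "z.example.com.": {"A"},
}

if __name__ == "__main__":
    chain = build_nxt_chain(SAMPLE_ZONE)
    for owner, (nxt, types) in chain.items():
        print(f"{owner} NXT {nxt} {' '.join(types)}")
    print(find_denial(chain, "b.example.com.", "A"))   # NXDOMAIN, covered by a -> c
    print(find_denial(chain, "a.example.com.", "MX"))  # NODATA, a has only A
```

The wrap-around case matters: a query for a name sorting after the last owner (zz.example.com. in the sample) is covered by the final NXT, whose next field is the apex.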