DNSSEC articles & deep dives
Understanding DNSSEC: A Complete Guide
DNSSEC (DNS Security Extensions) is a critical security protocol that adds cryptographic authentication
to the Domain Name System. Unlike traditional DNS, which is vulnerable to spoofing and cache poisoning
attacks, DNSSEC ensures that DNS responses are authentic and haven't been tampered with.
The protocol uses public-key cryptography, where each DNS zone has a pair of keys: a private key
(kept secret) and a public key (published in DNSKEY records). When a DNS resolver receives a response,
it can verify the signature using the public key, ensuring the data's integrity and authenticity.
DNSSEC provides three key security properties: authenticity (proves data came from the
authoritative source), integrity (proves data hasn't been modified), and
authenticated denial (proves a record doesn't exist). However, it does not provide
confidentiality - DNS data remains unencrypted.
The DNSSEC Chain of Trust Explained
The chain of trust is the foundation of DNSSEC validation. It creates a hierarchical path of trust
from the root zone (the ultimate trust anchor) down through top-level domains (TLDs) to your specific domain.
Here's how it works:
- Root Zone: The root zone's public key is the trust anchor that everyone trusts. This key is hardcoded into DNS resolvers and browsers.
- TLD Level: The root zone signs the TLD's (like .com, .org) DNSKEY using a DS record. This creates the first link in the chain.
- Domain Level: The TLD signs your domain's DNSKEY using another DS record, completing the chain.
If any link in this chain is broken or missing, DNSSEC validation fails, and resolvers will refuse
to return the DNS data, protecting users from potentially malicious responses.
Key Signing Keys vs Zone Signing Keys
DNSSEC uses a two-key system for operational flexibility and security:
Key Signing Key (KSK)
- Long-lived (1-2 years)
- Signs Zone Signing Keys
- Creates DS records for parent zone
- Flag 256 (SEP bit set)
- Less frequent rotation
Zone Signing Key (ZSK)
- Shorter-lived (3 months)
- Signs actual DNS records
- Creates RRSIG records
- Flag 128 (Zone Key bit set)
- More frequent rotation
This separation allows for more frequent ZSK rotation without requiring changes to the parent zone's
DS records, which would require coordination with your registrar.
NSEC vs NSEC3: Which Should You Use?
Both NSEC and NSEC3 provide authenticated denial of existence, but they differ significantly in their
approach to security and privacy.
NSEC (Next Secure) records list all record types that exist for a domain name,
creating a chain that proves non-existence. However, this reveals your entire zone structure, making
it vulnerable to zone enumeration attacks where attackers can discover all your subdomains.
NSEC3 (Next Secure version 3) solves this problem by using cryptographic hashing.
Instead of listing actual domain names, NSEC3 records contain hashed values, making it computationally
infeasible to enumerate your zone. NSEC3PARAM records define the hashing parameters.
Recommendation: Use NSEC3 for production domains to prevent zone enumeration.
NSEC is acceptable for test environments or when zone enumeration is not a concern.
Common DNSSEC Algorithms: A Comparison
DNSSEC supports multiple cryptographic algorithms, each with different characteristics:
RSA Algorithms (8, 10): Widely supported and well-tested. RSA-SHA-256 (algorithm 8)
is the most common. RSA-SHA-512 (algorithm 10) provides stronger security but larger key sizes.
ECDSA Algorithms (13, 14): Modern, efficient algorithms. ECDSAP256SHA256 (algorithm 13)
provides equivalent security to RSA-3072 with much smaller keys (256 bits vs 3072 bits).
ECDSAP384SHA384 (algorithm 14) offers even stronger security.
Edwards-Curve Algorithms (15, 16): The newest options. Ed25519 (algorithm 15) and
Ed448 (algorithm 16) are highly efficient but have less widespread support.
Best Practice: Use algorithm 13 (ECDSAP256SHA256) for new deployments. It offers
the best balance of security, performance, and compatibility.
Troubleshooting DNSSEC Issues
Common DNSSEC problems and their solutions:
Validation Failures
If DNSSEC validation fails, check: DS records are correctly added to parent zone, DNSKEY records
are published, RRSIG records are present and not expired, and the chain of trust is unbroken.
Expired Signatures
RRSIG records have expiration times. If signatures expire before being re-signed, validation fails.
Ensure your DNS provider automatically re-signs records before expiration.
Key Rotation Problems
When rotating keys, maintain both old and new keys during the transition period. Update DS records
in the parent zone only after the new key is fully propagated.