Building on our knowledge of DNS vulnerabilities, we introduce DNSSEC (DNS Security Extensions). DNSSEC does not encrypt DNS queries: anyone on the path can still see which names you are resolving. Instead, it uses digital signatures to ensure that the answer you receive is authentic and has not been tampered with in transit.
DNSSEC introduces several new record types that allow a resolver to verify the data. The most critical are the DNSKEY, which holds the public key used for verification, and the RRSIG, which is the actual signature of a record set.
💡 An RRSIG (Resource Record Signature) is not a signature of a single record, but a signature of an 'RRset' (a group of records with the same name and type, such as all A records for a domain).
When a validating resolver receives a response, it fetches the zone's DNSKEY. It then uses that public key to verify the RRSIG over the RRset, confirming that the signed data matches what was received. If the signature does not validate, the resolver discards the response and returns a 'SERVFAIL' error to the client.
If an attacker can spoof the DNSKEY, they can simply sign a fake record with their own key. To prevent this, we use the DS (Delegation Signer) record. The DS record is a hash of the child's public key, and it is stored in the **Parent Zone** (e.g., the `.com` zone stores the DS record for `google.com`).
⚠️ If the DS record in the parent zone does not match the DNSKEY in the child zone, the entire chain of trust is broken, and the domain will become unreachable for all validating users.
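To make the DS/DNSKEY relationship concrete, here is an added example (not part of the lesson) that derives the DS record a parent zone publishes from a child's DNSKEY as RFC 4034 specifies, and checks whether a given DS still matches the key. The zone name and the 64-byte key are constructed placeholders, not real key material.

```python
import base64
import hashlib
import struct

# Added example, not from the lesson: derive the DS record a parent zone
# publishes from a child's DNSKEY (RFC 4034) and check that the two agree.

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Pack DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()

def ds_record(owner, flags, protocol, algorithm, pubkey_b64):
    """Presentation-format DS RDATA: key tag, algorithm, digest type, digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return f"{key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"

def chain_intact(owner, flags, protocol, algorithm, pubkey_b64, parent_ds):
    """True only when the parent's DS matches the child's DNSKEY; otherwise the chain is broken."""
    return ds_record(owner, flags, protocol, algorithm, pubkey_b64) == parent_ds.upper()

# Constructed key material: bytes 0x00..0x3F stand in for a 64-byte ECDSA P-256
# public key (algorithm 13). It is not a real curve point and signs nothing.
ZONE = "example.com."
KSK_B64 = base64.b64encode(bytes(range(64))).decode()
ROLLED_B64 = base64.b64encode(bytes(range(1, 65))).decode()  # key changed, DS not updated

if __name__ == "__main__":
    ds = ds_record(ZONE, 257, 3, 13, KSK_B64)
    print("DS the .com zone should publish:", ds)
    print("chain intact with published key:", chain_intact(ZONE, 257, 3, 13, KSK_B64, ds))
    print("chain intact after unannounced key change:", chain_intact(ZONE, 257, 3, 13, ROLLED_B64, ds))
```

The last line reproduces the failure mode above: a child zone that rolls its key without updating the DS in the parent fails validation everywhere.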
| Record | Full Name | Purpose | Analogy |
|---|---|---|---|
| DNSKEY | DNS Public Key | Holds the public key for verification | The Official Seal |
| RRSIG | Resource Record Signature | The digital signature of the data | The Signed Document |
| DS | Delegation Signer | Verifies the child's DNSKEY via the parent | The Notary's Reference |
| NSEC | Next Secure | Proves a record does NOT exist | The 'Empty' Page |
How do you sign a 'No such domain' response? You can't sign something that isn't there. NSEC (Next Secure) solves this by listing the 'gap' between existing records. For example, it says 'The record after A is C; therefore, B does not exist'. However, this allows attackers to 'enumerate' every record in a zone.
NSEC3 fixes this by using hashed names instead of cleartext names, preventing attackers from easily mapping the entire zone while still proving non-existence.
DNSSEC significantly increases the size of DNS responses, because each answer carries its RRSIG and often DNSKEY records as well. A small spoofed query can therefore trigger a much larger reply, which makes DNSSEC-enabled servers a favorite amplifier in DNS Amplification DDoS attacks.