In this lab, you will secure a DNS zone. You will move beyond standard DNS, which is vulnerable to cache poisoning, and implement DNSSEC to provide cryptographic proof of authenticity for your DNS records.
DNSSEC uses two types of keys: the Zone Signing Key (ZSK), which signs the zone's records, and the Key Signing Key (KSK), which signs the ZSK.
💡 The KSK is the 'Root of Trust' for your zone. It is rarely changed, while the ZSK is rotated more frequently.
Once the keys are ready, we use the `dnssec-signzone` tool to create the digital signatures (RRSIG) and the public key records (DNSKEY) for the zone.
```shell
# Sign the zone file 'db.example.com' for the zone example.com.
# -S (smart signing) loads the ZSK and KSK from the K*.key / K*.private
# files generated earlier with dnssec-keygen in the current directory;
# -N INCREMENTAL bumps the SOA serial of the signed copy.
dnssec-signzone -N INCREMENTAL -S -o example.com db.example.com

# Inputs (created beforehand with dnssec-keygen, not by dnssec-signzone):
# Kzsk...key (ZSK)
# Kksk...key (KSK)
# Output:
# db.example.com.signed (the actual signed zone, with DNSKEY and RRSIG records)
```
The signed zone now contains RRSIG records. Any recursive resolver that supports DNSSEC will verify these signatures before returning the IP address to the user.
The DS record must be uploaded to the parent zone (e.g., the .com registry). This allows the parent to vouch for your KSK, completing the chain of trust from the Root → TLD → Your Zone.
| Record Type | Purpose | Analogy |
|---|---|---|
| DNSKEY | Public key of ZSK/KSK | The actual ID card |
| RRSIG | Signature of a record set | The notary stamp |
| DS | Hash of the KSK | The recommendation from the boss |
| NSEC3 | Proof of non-existence | A certified 'Not Found' note |
We use the `dig` tool with the `+dnssec` flag to verify that the records are being signed and validated correctly.
A misconfigured DNSSEC setup is worse than no DNSSEC at all. If the signatures are wrong or the DS record is missing, the entire domain will appear 'NXDOMAIN' (non-existent) to the world.
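The verification step above can be automated. The following Python script is an added example, not part of the lab: it parses the text that `dig +dnssec` prints and reports whether the answer carried RRSIGs and whether the resolver set the `ad` (Authenticated Data) flag, which is what distinguishes a validated answer from a merely signed one. The responses embedded in it are constructed samples, and the function names are my own.

```python
import re
# Constructed sample responses in dig's text format (not captured from a real resolver).
DIG_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t3600\tIN\tRRSIG\tA 13 2 3600 20250201000000 20250101000000 12345 example.com. MEUCIQ...
"""
DIG_FAILED = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Same answer with no RRSIG and no ad flag: what an unsigned zone looks like.
DIG_UNSIGNED = DIG_SECURE.replace(" ad;", ";").splitlines()
DIG_UNSIGNED = "\n".join(l for l in DIG_UNSIGNED if "RRSIG" not in l) + "\n"

def parse_dig(output):
    """Return (status, flag set, [(owner, rtype, rdata fields), ...]) from dig output."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    records, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and not line.strip():
            break                          # blank line ends the section
        elif in_answer:
            f = line.split()               # owner, ttl, class, type, rdata...
            records.append((f[0], f[3], f[4:]))
    return (status.group(1) if status else "UNKNOWN",
            set(flags.group(1).split()) if flags else set(), records)

def check_dnssec(output, qtype="A"):
    """Classify a `dig +dnssec` response for the queried record type."""
    status, flags, records = parse_dig(output)
    if status != "NOERROR":
        return "failed"      # validating resolvers answer SERVFAIL when signatures do not validate
    signed = any(t == "RRSIG" and r and r[0] == qtype for _, t, r in records)
    if signed and "ad" in flags:
        return "secure"      # ad (Authenticated Data): the resolver validated the chain of trust
    if signed:
        return "signed-not-validated"  # RRSIGs present but this resolver did not validate them
    return "insecure"        # no RRSIG covering the answer: zone (or record set) is unsigned

if __name__ == "__main__":
    for name, out in (("secure", DIG_SECURE), ("failed", DIG_FAILED), ("unsigned", DIG_UNSIGNED)):
        print(f"{name}: {check_dnssec(out)}")
```

To use it on a live answer, pass the captured stdout of `dig +dnssec A example.com` to `check_dnssec`; "signed-not-validated" usually means the resolver you asked is not a validating one, not that the zone is broken.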