The Two Sides of DNSSEC – Signing and Validation
There are two sides of DNSSEC, Signing and Validation, that together provide the increased level of security offered by DNSSEC and services such as DANE. Both side are necessary for the overall deployment, but both can be implemented completely separately. For instance, you can deploy DNSSEC validation today on your local network or in your application, with or without also signing your domains. Similarly, you can sign your domains with DNSSEC without having validation happening on your local network, which would mean that other people could validate the security of your domain even if you couldn’t.
At a high level, here are the two different sides of DNSSEC:
- Signing – your domain is “signed” by the organization operating the name servers for the domain. This could be a “DNS hosting” provider, a “web hosting provider”, a registrar (who offers DNS hosting), your own DNS “authoritative servers” or someone else you have operating the name servers on your behalf. Once the domain is signed with DNSSEC, certain information is passed up to the registrar with whom you registered the domain and from there on up to the top-level domain (TLD) registry – these connections create the “global chain of trust” that enables DNSSEC-validating DNS resolvers to know that your information is secure.
- Validation – whenever you (or your software) want to resolve a domain name into an IP address, a request is sent to your local “DNS resolver” to obtain the information. That “recursive resolver” then goes out and queries different DNS servers to find out the information. With DNSSEC, that DNS resolver will also validate the cryptographic signatures to ensure that the DNS information was not modified in transit. This “DNSSEC-validating DNS resolver” might be on the edge of your local network (ex. in a firewall or home router) or it might be out at your Internet Service Provider’s (ISP’s) network, or in some cases it might be a public service such as Google’s Public DNS. Or, it might be built into the application you are using such as a web browser or mail server. (Read about where we think DNSSEC validation should occur at different levels of the DNS infrastructure.)
Let’s explore each side of DNSSEC in more detail…
What is signing for DNSSEC?
When you “sign” your domain, you generate cryptographic signatures in your DNS “zone file” that are used by DNSSEC-validating DNS resolvers to verify that your records match. Basically, the DNS name server that is “authoritative” for your domain publishes additional records (ex. a “RRSIG” and a “DNSKEY”) that provide this information.
The process works like this:
- Using a private key, the name server generates a “signature” for each “set” of records, such as all the “A” records, all the “AAAA” records or all the “TXT” records.
- That signature is stored in a “RRSIG” record for each set of records. Your domain zone file will therefore have multiple RRSIG records, one for each of the different types of DNS records stored in the file.
- The public key is then stored in a “DNSKEY” record
Additionally, a “Delegation Signer (DS)” record is generated that is (somehow) provided to your registrar who provides that to your TLD registry to link your domain in to the “global chain of trust”.
Note that every time a DNS record is changed (such as a website address is updated), a new DNSSEC signature must be generated for that set of records.
Who performs the signing?
DNSSEC signing is performed by the operator of the name servers that are “authoritative” for your domain. These name servers could be operated by:
- a DNS hosting provider
- your registrar with whom you registered the domain (who also provides DNS hosting services)
- a web hosting provider who also provides DNS hosting
- your own authoritative DNS servers (or those of someone else who is publishing the domain on your behalf)
The name servers sign the domain to create the appropriate DNSSEC records (ex. RRSIG, DNSKEY) and then re-sign the domain when records change.
When is signing performed?
You can start signing your domain at any time. All you need is to have the operator of your domain’s name servers to be able to perform the initial signing of the domain. Some registrars who also provide DNS hosting have made it so that when you register a domain it can start out being signed from the very beginning.
Subsequent signing can be performed anytime, but should be performed on a regular basis according to the organization’s DNSSEC Practice Statement (DPS).
What is validation of a domain?
Validation is performed by “DNSSEC-validating DNS resolvers”. Validation consists of cryptographically checking DNSSEC signatures. As part of the validation, the DNS resolver also checks the “global chain of trust” from the root of DNS all the way down to the domain to ensure that the information has not been modified. (Please see our DNSSEC Basics page for more information.)
Operating properly, an installed and configured DNSSEC-validating secure DNS server will:
- resolve DNS domains that are DNSSEC-signed and validated correctly (AD flag)
- reject DNS domain with broken DNSSEC are not validated (SERVFAIL)
- allow non-DNSSEC-signed domains to resolve
Who performs validation?
DNSSEC validation can be performed by a DNS resolver running at any point in your network, including:
- Directly within an application on your computer such as a web browser, instant messaging client or mail server or client.
- In a DNS resolver on your local computer either included as part of the operating system or installed by you (ex. DNSSEC-Trigger)
- At the edge of your local network in a firewall or “home WiFi router”
- At the DNS resolvers provided to you by your Internet Service Provider (ISP)
- At public DNS resolvers such as those operated by Google’s Public DNS
Our document about where DNSSEC validation needs to occur goes into more detail about the different points where DNSSEC validation can occur and why or why not you might want DNSSEC validation to happen at that level.
How can I test DNSSEC validation on my network?
To test that DNSSEC validation is working on your network, you can visit:
If you go to one of the sites with a known bad signature you should fail to see the page. If you do see the page you may want to check that your system is correctly configured to use the DNS resolver that you believe should be performing DNSSEC validation. Some of the DNSSEC tools that are out there may help you with this testing.