Donate
‹ Back
Deploy360 1 September 2016

New RFC 7958 – DNSSEC Trust Anchor Publication for the Root Zone

Dan York
By Dan YorkDirector of Web Strategy
RFC 7958 text

How can you trust the root of the “global chain of trust” that is used in DNSSEC? How can you be sure as you are validating DNSSEC signatures that this global chain works?

To provide this chain of validation, DNSSEC relies on what is called a “trust anchor”. When you check the signature for DNS records for “internetsociety.org”, for instance, you go through a process along the lines of this (a simplified version):

  1. Your validating recursive resolver gets the DNS records (such as “A” or “AAAA”) for “INTERNETSOCIETY.ORG” along with the DNSSEC signature in a RRSIG record and the public key used for the signing in a DNSKEY record.
  2. It then retrieves the DS record for “INTERNETSOCIETY.ORG” from .ORG to verify that this is the correct DNSKEY.  It also retrieves a RRSIG record for the DS record and the DNSKEY record from .ORG.
  3. Next it retrieves the DS record for “.ORG” from the root of DNS, along with the associated RRSIG for the DS record and the DNSKEY for the root.
  4. HERE IS THE CHALLENGE – How does your recursive resolver know that the DNSKEY it retrieved for the root of DNS is the correct one?

This is where there is a need for a “trust anchor” that the recursive resolver can trust to know that this is indeed the correct DNSKEY it should be using.

The DNSSEC protocol can be used with any trust anchor, but in practice we all use the DNSSEC trust anchors published by IANA (with ICANN doing the actual publishing as part of their contract to perform the IANA functions).

A new informational (non-standard) RFC 7958 out this week explains the formats IANA uses to publish the root key trust anchors and how those trust anchors can be retrieved.  It also outlines additional steps that can be taken during the retrieval to ensure the trust anchors aren’t modified during the retrieval.

In 2017 we will see a change in the Root Key Signing Key (KSK) in 2017, which will mean a change in the root trust anchor. This RFC 7958 is a good reference to have out there so that everyone can understand exactly how to retrieve and use the trust anchors at the heart of DNSSEC.

Please do read this new RFC and share it widely with anyone involved in developing applications or services that perform DNS resolution and validation.

And if you know very little about DNSSEC but want to learn more, please visit our Start Here page to find resources to help you get started!

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

New RFC 7344 - Aiming To Solve The DS Upload Issue in DNSSEC
Deploy3605 September 2014

New RFC 7344 – Aiming To Solve The DS Upload Issue in DNSSEC

How can we automate the communication between a DNS operator and a registrar when a DNSSEC key has changed? I...

In September, Singapore and Senegal Signed Their .SN and .SG with DNSSEC
2 November 2016

In September, Singapore and Senegal Signed Their .SN and .SG with DNSSEC

Congratulations to the teams in both Singapore and Senegal for signing their country-code top-level domains (ccTLDs) with DNSSEC back in...

No, DNSSEC Would NOT Help Prevent Microsoft's Seizure Of Domains
Deploy3602 July 2014

No, DNSSEC Would NOT Help Prevent Microsoft's Seizure Of Domains

With a great bit of the tech media's attention this week on Microsoft's court-sanctioned seizure of 23 domains from dynamic DNS...

Join the conversation with Internet Society members around the world