The Two Sides of DNSSEC – Signing and Validation

There are two sides to DNSSEC, signing and validation, that together provide the increased level of security offered by DNSSEC and by services built on it such as DANE. Both sides are necessary for the overall deployment, but each can be implemented completely separately. For instance, you can deploy DNSSEC validation today on your local network or in your application, with or without also signing your domains. Similarly, you can sign your domains with DNSSEC without having validation happen on your local network, which would mean that other people could validate the security of your domain even if you couldn’t.

At a high level, here are the two different sides of DNSSEC:

  • Signing – your domain is “signed” by the organization operating the name servers for the domain. This could be a “DNS hosting” provider, a “web hosting provider”, a registrar (who offers DNS hosting), your own DNS “authoritative servers” or someone else you have operating the name servers on your behalf.  Once the domain is signed with DNSSEC, certain information is passed up to the registrar with whom you registered the domain and from there on up to the top-level domain (TLD) registry – these connections create the “global chain of trust” that enables DNSSEC-validating DNS resolvers to know that your information is secure.
  • Validation – whenever you (or your software) want to resolve a domain name into an IP address, a request is sent to your local “DNS resolver” to obtain the information.  That “recursive resolver” then goes out and queries different DNS servers to find out the information.  With DNSSEC, that DNS resolver will also validate the cryptographic signatures to ensure that the DNS information was not modified in transit.  This “DNSSEC-validating DNS resolver” might be on the edge of your local network (ex. in a firewall or home router) or it might be out at your Internet Service Provider’s (ISP’s) network, or in some cases it might be a public service such as Google’s Public DNS. Or, it might be built into the application you are using such as a web browser or mail server. (Read about where we think DNSSEC validation should occur at different levels of the DNS infrastructure.)

Let’s explore each side of DNSSEC in more detail…

Signing

What is signing for DNSSEC?

When you “sign” your domain, you generate cryptographic signatures in your DNS “zone file” that are used by DNSSEC-validating DNS resolvers to verify that the records they receive are exactly the ones you published. Basically, the DNS name server that is “authoritative” for your domain publishes additional records (ex. a “RRSIG” and a “DNSKEY”) that provide this information.

The process works like this:

  • Using a private key, the name server generates a “signature” for each “set” of records, such as all the “A” records, all the “AAAA” records or all the “TXT” records.
  • That signature is stored in a “RRSIG” record for each set of records.  Your domain zone file will therefore have multiple RRSIG records, one for each of the different types of DNS records stored in the file.
  • The public key is then stored in a “DNSKEY” record.

Additionally, a “Delegation Signer (DS)” record is generated that is provided to your registrar (how this happens varies by registrar), who provides it to your TLD registry to link your domain into the “global chain of trust”.

Note that every time a DNS record is changed (such as when a website address is updated), a new DNSSEC signature must be generated for that set of records.
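To make the signing-side records concrete, here is an added example (not code from the original post) that builds the DNSKEY RDATA for a key, computes its key tag as specified in RFC 4034 Appendix B, and derives the SHA-256 DS digest (digest type 2, RFC 4509) that goes to the registrar. The public key bytes are a constructed placeholder, not a real key; the owner name `example.com.` and the helper names are this example’s own.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical wire form (RFC 4034 section 6.2):
    lowercase, one length-prefixed label per component, terminated by a zero byte."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length: {label!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire: 2-byte flags, protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1 (used for every algorithm except 1):
    sum the RDATA as 16-bit big-endian words and fold the carry back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over the canonical owner name followed by the
    DNSKEY RDATA (RFC 4034 section 5.1.4 / RFC 4509), as uppercase hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, public_key_b64: str) -> str:
    """The DS presentation line the registrar needs for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(public_key_b64))
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"


# Constructed placeholder: a KSK (flags 257, SEP bit set), protocol 3, algorithm 13
# (ECDSAP256SHA256), with a two-byte fake public key so the key tag is easy to check by hand.
PLACEHOLDER_KEY_B64 = base64.b64encode(b"\x00\x01").decode("ascii")

if __name__ == "__main__":
    print(ds_record("example.com.", 257, 3, 13, PLACEHOLDER_KEY_B64))
```

The digest is taken over the owner name as well as the key, which is why a DS record only matches the DNSKEY at that exact name and why the registrar needs a fresh DS whenever the key-signing key is rolled. Note that the key tag is only a hint for picking the right DNSKEY from a set; two different keys can share a tag, so a validator always checks the digest itself.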

Who performs the signing?

DNSSEC signing is performed by the operator of the name servers that are “authoritative” for your domain. These name servers could be operated by:

  • a DNS hosting provider
  • your registrar with whom you registered the domain (who also provides DNS hosting services)
  • a web hosting provider who also provides DNS hosting
  • your own authoritative DNS servers (or those of someone else who is publishing the domain on your behalf)

The name servers sign the domain to create the appropriate DNSSEC records (ex. RRSIG, DNSKEY) and then re-sign the domain when records change.

When is signing performed?

You can start signing your domain at any time. All you need is for the operator of your domain’s name servers to be able to perform the initial signing of the domain. Some registrars who also provide DNS hosting have made it so that when you register a domain it can start out being signed from the very beginning.

Subsequent signing can be performed anytime, but should be performed on a regular basis according to the organization’s DNSSEC Practice Statement (DPS).

Validation

What is validation of a domain?

Validation is performed by “DNSSEC-validating DNS resolvers”.  Validation consists of cryptographically checking DNSSEC signatures.  As part of the validation, the DNS resolver also checks the “global chain of trust” from the root of DNS all the way down to the domain to ensure that the information has not been modified. (Please see our DNSSEC Basics page for more information.)

Operating properly, an installed and configured DNSSEC-validating DNS resolver will:

  • resolve domains that are DNSSEC-signed and validate correctly (returning the answer with the AD flag set)
  • refuse to return answers for domains whose DNSSEC is broken and does not validate (returning SERVFAIL)
  • allow domains that are not DNSSEC-signed to resolve (without the AD flag)

Who performs validation?

DNSSEC validation can be performed by a DNS resolver running at any point in your network, including:

  • Directly within an application on your computer such as a web browser, instant messaging client or mail server or client.
  • In a DNS resolver on your local computer either included as part of the operating system or installed by you (ex. DNSSEC-Trigger)
  • At the edge of your local network in a firewall or “home WiFi router”
  • At the DNS resolvers provided to you by your Internet Service Provider (ISP)
  • At public DNS resolvers such as those operated by Google’s Public DNS

Our document about where DNSSEC validation needs to occur goes into more detail about the different points where DNSSEC validation can occur and why or why not you might want DNSSEC validation to happen at that level.

How can I test DNSSEC validation on my network?

To test that DNSSEC validation is working on your network, you can visit:

If you go to one of the sites with a known bad signature you should fail to see the page.  If you do see the page you may want to check that your system is correctly configured to use the DNS resolver that you believe should be performing DNSSEC validation.  Some of the DNSSEC tools that are out there may help you with this testing.


August 5th, 2014 | Posted in DNSSEC | 8 Comments

8 Responses to The Two Sides of DNSSEC – Signing and Validation

  1. […] that is used to ensure the correct validation of DNSSEC signatures (for more info see “The Two Sides of DNSSEC“) and so it is critical that the security and integrity of this root key be maintained. […]

  2. […] for me because I use a different operator for my DNS servers than my registrar.  If you think of the different players involved in the DNSSEC process, very often a registrar is also acting as a DNS hosting operator.  In other words, when you […]

  3. […] Had this been in place, then the sending mail server would not have received the false MX record and would not have delivered the email to the attacker’s server.  You can read more in our document about the two sides of DNSSEC. […]

  4. […] that is used to ensure the correct validation of DNSSEC signatures (for more info see “The Two Sides of DNSSEC“) and so it is critical that the security and integrity of this root key be maintained. […]

  5. […] article and Tony Morbin was kind enough to include some of the comments I’d provided about the two sides of DNSSEC. There’s also a side article from Jim Galvin about the registrar-related themes he’s […]

  6. […] the issue is this – on the signing side of DNSSEC, the process works like […]

  7. […] support of a current elliptic curve algorithm (ECDSA) in DNS resolvers (remembering that there are two sides to DNSSEC).  Jim Galvin then provided a view of DNSSEC algorithms from a registry perspective.  Olafur […]

  8. […] support of a current elliptic curve algorithm (ECDSA) in DNS resolvers (remembering that there are two sides to DNSSEC). Jim Galvin then provided a view of DNSSEC algorithms from a registry perspective. Olafur reported […]
