Ref: https://learn.cantrill.io/courses/2022818/lectures/45637096

YouTube: https://www.youtube.com/watch?v=thAUzOnUvP4

• Summary:
• Contents:

DNSSEC core concepts and characteristics

• 🔧 DNSSEC = a secure add-on for DNS, which provides additional functionality
• Provides:
  1. Data origin authentication
     • “the data comes from this zone, guaranteed”
  2. Data integrity protection
     • “the data hasn't been modified or tampered in transit”
  3. Chain of trust
     • DNS Root trusts the TLDs, and TLDs trust the domains, all via DNSSEC
• ‼️ DNSSEC does NOT correct anything! It only confirms that a DNS result is valid!
• Uses PKI (Public Key Infrastructure) to establish the DNS chain of trust
• ❗ Adds to DNS, doesn't replace it!
  • Backwards compatible with devices that only use DNS without DNSSEC
  • DNS-only clients receive DNS records
  • DNSSEC clients receive both DNS and DNSSEC records
  • DNSSEC is an add-on to DNS, not a replacement → Summary Diagram:
• CLI command: dig <DOMAIN_NAME> [+dnssec] - useful tool for interrogating DNS servers
  • dig stands for domain information groper
  • dig www.icann.org - retrieve DNS records stored in this machine for www.icann.org
  • dig www.icann.org +dnssec - retrieve both DNS and DNSSEC records stored in this machine for www.icann.org
    • includes RRSIG (digital signature of the resource record it corresponds to)

Why do we need DNSSEC?

• Without DNSSEC we would not be able to fully trust DNS results, as DNS can be exploited

• Possible (simplified) scenario to exploit DNS:

  

  • Hacker sends a request to walk the DNS tree
  • In the middle of the process he tells the resolver “I'm the authoritative NS for the DNS request, here is the result for your query” (poisoned result)
  • Resolver stores the result in its cache and now users are redirected to wrong places