Ref: https://learn.cantrill.io/courses/2022818/lectures/45637100

YouTube: https://www.youtube.com/watch?v=1VqscYMG_Rs

• Summary:
• Contents:

The Internet Trust Anchor

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0400-TECH_FUNDAMENTALS/00_LEARNINGAIDS/DNSSEC101-9.png

• ❗ DNS Root Zone has no parent zone
  • Everyone must explicitly trust the KSK pair of the Root Zone
    • 💡 Hence this KSK pair is super, super important!
  • ❗ KSK pair of Root Zone rarely changes/rotates
• Private KSK of "." DNS Root Zone = The trust anchor = the key to the Internet
  • Used to sign DNSKEY records in the Root Zone
  • One copy in California, another in Virginia
  • Locked away, protected, never exposed, never moved
    • Stored in HSMs that are redundant across physical locations
    • Access to HSMs is highly restricted
    • HSMs are never moved, always stay in their location
• Public KSK of "." DNS Root Zone
  • Verifies validity of RRSIG of DNSKEY records of the Root Zone
    • ❗ Thus verifies the absolute trust in the DNS chain of trust
  • Publicly accessible to everyone in the DNSKEY records of the Root Zone
  • Also hard-coded into all DNSSEC clients
    • 💡 Rotating KSK of Root Zone implies updating all DNSSEC SW → that's a pain, and why it rarely happens
• Root Zone ZSK pair
  • Private ZSK of Root Zone signs all RRSETs in the Root Zone, Public ZSK verifies them
  • Used since it's not convenient nor practical to use the private KSK often
  • 🔧 Rotation of Root Zone's ZSK pair happens regularly → DNS Root Signing Ceremonies

DNS Root Zone ZSK Signing Ceremony

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0400-TECH_FUNDAMENTALS/00_LEARNINGAIDS/DNSSEC101-10.png

• Ceremonies happen every 3 months, important people attend and it's very secure
  • Ceremonies are recorded, broadcasted and publicly audited
  • Independent crypto officers need to share their operator cards for the HSMs to open
  • The ceremony administrator accesses the private Root KSK via an ad-hoc laptop
• Purpose of ceremony: rotate Root ZSK pair & sign the updated Root DNSKEY records
  1. Generate a new Root ZSK pair, store new public Root ZSK in DNSKEY records
  2. Access private Root KSK (stored inside highly restricted HSM)
  3. Use private Root KSK to sign the updated Root DNSKEY records
  4. RRSIG of the updated Root DNSKEY records is generated
     • ❗ From here on the chain is created & trusted
  5. New private Root ZSK can now be used to generate all the other RRSIGs of Root Zone
  • 🔧 Summary: take the Root KSK that everyone trusts, sign Root ZSKs (which can be used operationally) & then start chain of trust with domain owners
• More info: https://www.cloudflare.com/dns/dnssec/root-signing-ceremony/
  • 💡 The assumed trust in the Root Zone is a very human side of securing the Internet: you can trust the root DNS servers because you can trust the people signing it. You can trust the people signing it because of the strict protocols they follow while doing so.