What is DNSSEC and How Does It Work?

DNSSEC, short for Domain Name System Security Extensions, is a collection of extensions that add security to the DNS protocol by allowing DNS responses to be validated. DNSSEC does this by adding cryptographic signatures to DNS records. These signatures are stored alongside the other records. By checking the signature, you can verify that the DNS record wasn’t altered on its way to your computer.

DNSSEC in Detail

So, let’s compare these two results:

tanto259@TANTOPC:~$ dig +short NS tanto259.name

and this

tanto259@TANTOPC:~$ dig +short +dnssec NS tanto259.name
NS 13 2 86400 20161209134236 20161207114236 35273 tanto259.name. 
8cMA70lc+nllxc3acWnSBPWTuSa+JHhtumbWXk7NI08qBTL2O+fNN4jo yILVrw4eIx95/owbG3sl3F4MyiJ2dA==

The first result carries no DNSSEC data, while the second one does. DNSSEC adds this signature as a Resource Record Signature (RRSIG), which is the signature made with your domain’s private key.

Next, to verify DNSSEC records, a DNSSEC-enabled resolver obtains your DNSKEY (your domain’s public key). Fetching it is as simple as:

tanto259@TANTOPC:~$ dig +short DNSKEY tanto259.name
256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z 1PuQHB3Azhii+sb0PYFkH1ruxLhe5g==
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==

So your resolver now has the signature and the public keys. But what if your DNS was compromised and an attacker managed to modify these records, keys included? To guard against this, the resolver next looks up your domain’s Delegation Signer (DS) record, which is a fingerprint (hash) of your public key. To fetch it, just:

tanto259@TANTOPC:~$ dig +short DS tanto259.name
2371 13 2 870659DAF73B085A1EEB49F85429675F292511E8E98ABDDC54B10F13 4EB82417

At this point you may ask: “Wouldn’t the DS record be compromised as well?” That’s a good question, but it has a simple answer. Unlike the other records, the DS record is located not in your domain’s DNS zone but in your domain’s parent zone, in my case the .name TLD. An attacker who has compromised your zone therefore cannot modify the DS record.

Now what a resolver needs to do is verify your DNSKEY’s fingerprint against the one stated in your DS record, and then check the RRSIG records against that key.
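To make that DS check concrete, here is an added Python example (my own code, not from the original post) that recomputes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4) from the DNSKEY and DS records quoted above, then performs the comparison a validating resolver makes. The same code produces the DS record you need to hand to your registrar if you run your own DNS server, as described under Implementing DNSSEC further down. The records are copied from the dig output on this page; the function names are my own.

```python
import base64
import hashlib
import struct

# Records copied from the dig +short output on the page. dig wraps long fields
# with a space, so the parsers below join the pieces back together.
PAGE_ZSK = ("256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z "
            "1PuQHB3Azhii+sb0PYFkH1ruxLhe5g==")
PAGE_KSK = ("257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ "
            "KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
PAGE_DS = ("2371 13 2 870659DAF73B085A1EEB49F85429675F292511E8E98ABDDC54B10F13 "
           "4EB82417")
PAGE_ZONE = "tanto259.name"


def parse_dnskey(text):
    """Parse 'flags protocol algorithm base64key' (dig +short DNSKEY format)."""
    flags, protocol, algorithm, *key_parts = text.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key_parts))


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the RDATA, carry folded in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest per RFC 4034 section 5.1.4: hash(owner name in wire form | DNSKEY RDATA).
    Digest type 1 is SHA-1, type 2 is SHA-256 (the '2' in the page's DS record)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, dnskey_text, digest_type=2):
    """Text of the DS record to give the registrar: 'keytag algorithm digesttype digest'."""
    flags, protocol, algorithm, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type,
                            ds_digest(owner, rdata, digest_type))


def ds_matches(owner, dnskey_text, ds_text):
    """Resolver-side check: does the DS published in the parent zone match this DNSKEY?"""
    tag, alg, dtype, *digest_parts = ds_text.split()
    expected = "%d %d %d %s" % (int(tag), int(alg), int(dtype), "".join(digest_parts).upper())
    return ds_record(owner, dnskey_text, int(dtype)) == expected


def select_dnskey(dnskey_texts, tag):
    """Pick the DNSKEY whose key tag matches the tag named in an RRSIG or DS record."""
    for text in dnskey_texts:
        flags, protocol, algorithm, key = parse_dnskey(text)
        if key_tag(dnskey_rdata(flags, protocol, algorithm, key)) == tag:
            return text
    return None


if __name__ == "__main__":
    print(ds_record(PAGE_ZONE, PAGE_KSK))          # the DS the parent zone should hold
    print(ds_matches(PAGE_ZONE, PAGE_KSK, PAGE_DS))  # True: chain of trust intact
```

Because the owner name is part of the hashed input, the same KSK yields a different DS digest for every zone, while the key tag (which covers only the DNSKEY RDATA) stays the same; the key tag is only a hint for picking the right key, and the digest is what actually binds the key to the zone.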

Two Key Types

Those with observant eyes may have noticed that there are 2 DNSKEYs listed above, and it’s true: there are 2 keys in use. The one beginning with “256” is a Zone Signing Key or ZSK, while the one beginning with “257” is a Key Signing Key or KSK. The two keys work as a pair and improve both security and efficiency. How they work is simple: the ZSK signs your zone, while the KSK signs the ZSK. Therefore the ZSK can be a smaller key, giving shorter signature generation and verification times, while the KSK should be a larger key to protect the ZSK. The most common key sizes for the two are 1024- and 2048-bit RSA respectively.

NSEC Records

NSEC records are designed to prove that no record exists. When you query nothing.tanto259.name, you’ll get an NXDOMAIN:

nothing.tanto259.name.      3600    IN      NSEC    \000.nothing.tanto259.name. RRSIG NSEC

It states that there are no records between nothing.tanto259.name and \000.nothing.tanto259.name. Because Cloudflare tries to minimize the size of the answer, an NSEC on the missing name itself is returned. If you did not use Cloudflare, the result would look like this:

dnssec-tools.org.       300     IN      NSEC    dane.dnssec-tools.org. A NS SOA MX TXT RRSIG NSEC DNSKEY

This states that there are no records between dnssec-tools.org and dane.dnssec-tools.org.

If you query a domain for a certain type of record that the domain doesn’t have, it will return an NSEC record like this:


Again, due to Cloudflare’s tricks, it lists every single type of DNS record except the one I queried for, which is the SPF record. If you did not use Cloudflare, the result would be:

dnssec-tools.org.       300     IN      NSEC    dane.dnssec-tools.org. A NS SOA MX TXT RRSIG NSEC DNSKEY

In this scenario, the NSEC lists every single record type the domain has, showing that there is no SPF record, which is what I queried for.

To see why Cloudflare modifies the NSEC results, see this blog post.
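Here is an added Python example (again my own code, not from the original post) showing the check a validating resolver makes against an NSEC record. It puts names into the canonical order of RFC 4034 section 6.1 (labels compared from the root downwards, case-insensitively, as raw octets, with dig’s \000 escape decoded), then decides whether the NSEC proves that the name is missing (it sorts inside the gap) or that the name exists but lacks the queried type (the type is absent from the bitmap). The two NSEC records are the ones quoted above. One thing the code makes visible: Cloudflare’s minimal NSEC has the queried name itself as owner and lists only RRSIG and NSEC, so what it proves is that no A, MX, TXT or other record exists at that name. A complete proof also requires validating the RRSIG over the NSEC and, for NXDOMAIN, covering the wildcard name; both are left out here.

```python
# Constructed from the two NSEC records quoted on the page: (owner, next name, type bitmap).
CLOUDFLARE_NSEC = ("nothing.tanto259.name.", "\\000.nothing.tanto259.name.", "RRSIG NSEC")
PLAIN_NSEC = ("dnssec-tools.org.", "dane.dnssec-tools.org.",
              "A NS SOA MX TXT RRSIG NSEC DNSKEY")


def _unescape_label(label):
    """Presentation-format label to raw lowercase octets: \\DDD is a decimal octet value
    (dig prints the zero byte as \\000), \\c is a literal character c."""
    out, i = bytearray(), 0
    while i < len(label):
        if label[i] == "\\" and label[i + 1:i + 4].isdigit():
            out.append(int(label[i + 1:i + 4]))
            i += 4
        elif label[i] == "\\":
            out.append(ord(label[i + 1]))
            i += 2
        else:
            out.append(ord(label[i]))
            i += 1
    return bytes(out).lower()


def canonical_labels(name):
    """Labels from the root downwards, as lowercase octets, so that plain tuple comparison
    gives the RFC 4034 section 6.1 canonical order (a parent sorts before its children)."""
    labels, cur, i = [], "", 0
    while i < len(name):
        if name[i] == "\\":  # keep escape sequences intact for the label parser
            step = 4 if name[i + 1:i + 4].isdigit() else 2
            cur += name[i:i + step]
            i += step
        elif name[i] == ".":
            if cur:
                labels.append(cur)
            cur = ""
            i += 1
        else:
            cur += name[i]
            i += 1
    if cur:
        labels.append(cur)
    return tuple(_unescape_label(label) for label in reversed(labels))


def nsec_covers(owner, next_name, qname):
    """True when qname sorts strictly between the NSEC owner and its next name, i.e. the
    NSEC proves no such name exists. The last NSEC of a zone points back to the apex,
    so its range wraps around."""
    o, n, q = canonical_labels(owner), canonical_labels(next_name), canonical_labels(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def nsec_proof(owner, next_name, types, qname, qtype):
    """What one NSEC record proves about the query (qname, qtype):
       'NODATA'   qname exists (it is the owner) but the type bitmap lacks qtype
       'NXDOMAIN' qname falls in the gap, so no such name exists
       'NONE'     this record proves nothing about the query
    Not done here: validating the RRSIG over the NSEC, and the wildcard-coverage
    check that a complete NXDOMAIN proof also needs."""
    present = {t.upper() for t in types.split()}
    if canonical_labels(owner) == canonical_labels(qname):
        return "NONE" if qtype.upper() in present else "NODATA"
    if nsec_covers(owner, next_name, qname):
        return "NXDOMAIN"
    return "NONE"


if __name__ == "__main__":
    for rec, q, t in [(CLOUDFLARE_NSEC, "nothing.tanto259.name.", "A"),
                      (PLAIN_NSEC, "dnssec-tools.org.", "SPF"),
                      (PLAIN_NSEC, "aaa.dnssec-tools.org.", "A")]:
        print(q, t, "->", nsec_proof(*rec, q, t))
```

The canonical order matters more than it looks: a resolver that compared names as plain strings would accept or reject the wrong gaps, and the \000 label only sorts where Cloudflare needs it because the comparison is on raw octets, not on the escaped text.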

NSEC records carry a risk: someone could discover the entire contents of a zone by “walking” through the NSEC records. To deal with this, there is another record type, NSEC3. NSEC3 hashes the names so that the zone can’t simply be “walked”, but it requires a more complicated DNS configuration. Even with NSEC3, though, an attacker can still brute-force the hashes using a dictionary attack. Therefore NSEC5 is currently being proposed to prevent zone enumeration.

Implementing DNSSEC

To implement DNSSEC, there are three requirements:

  • Your domain’s parent zone must support DNSSEC
    To find out whether your TLD supports DNSSEC, just do:
    tanto259@TANTOPC:~$ dig +short DNSKEY name
    257 3 8 AQO2wz1Nu9eNa/btHscHEI/DflGr/S8gBbz96uB1Gv6PcBbeFlYm1AgO 
    +605BKxAd9aJDSKLA4PUvOAc9Q06WYoOBmpfLxktVndEeM2urlYn IOgFTqa5
    256 3 8 AQO7swG4c3SMhE7vhf/DQQnsyOkO+uKqQJJ21BKDey3cfp7QaMDCb9MJ 
    Qcna1l/1I48QWObUE57ymHKwumJo/LuLVqQxsW9jEIYzSCBHu/6ENnfN dIAyGQ==
    tanto259@TANTOPC:~$ dig +short DNSKEY tk

    As you can see above, the .NAME TLD supports DNSSEC while the .TK ccTLD does not (the second query returns no DNSKEY at all). Or, you can also check ICANN’s DNSSEC Report List.

  • Your registrar must support DNSSEC by providing a way to upload your DS record to the parent zone
  • Your DNS provider must support DNSSEC.
    Personally, I settled on Cloudflare as they support DNSSEC with just a click of a button.

Once all three requirements are fulfilled, you just need to generate your DS record. If you use Cloudflare, just click the Enable DNSSEC button in the DNS tab. But if you run your own DNS server, you need to generate your own DNSKEY and DS record. After obtaining the DS record, enter it at your registrar and wait. Soon your domain will be DNSSEC-enabled.

Verifying your domain’s DNSSEC

Now that you have activated DNSSEC, you can check whether you have implemented it correctly using this amazing tool by Verisign Labs.

You should get a green tick next to your domain name.

Here’s a list of related RFCs regarding DNSSEC: