What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is a suite of cryptographic extensions to DNS that authenticates DNS responses by adding digital signatures to records, preventing attackers from forging or manipulating DNS data.
How DNSSEC Works
Chain of Trust:
```text
Root Zone (.)
├── Signs: .com zone key (via the DS record published for .com)
│   ├── KSK (Key Signing Key): signs the root DNSKEY record set
│   └── ZSK (Zone Signing Key): signs the other root records
│
TLD Zone (.com)
├── Signs: example.com zone key
│   └── DS record points to the child (example.com) KSK
│
Domain Zone (example.com)
├── Signs: all DNS records
│   ├── RRSIG (signature over each record set)
│   └── DNSKEY (the zone's public keys, KSK and ZSK)
│
Resolver validates the entire chain from the root down
```
DNSSEC Record Types
| Record | Purpose | Description |
|---|---|---|
| RRSIG | Signature | Cryptographic signature for each record set |
| DNSKEY | Public Key | Zone's public signing keys (KSK and ZSK) |
| DS | Delegation Signer | Hash of child zone's KSK in parent zone |
| NSEC/NSEC3 | Authenticated Denial | Proves a record doesn't exist |
Key Types
| Key | Purpose | Rotation Frequency |
|---|---|---|
| KSK (Key Signing Key) | Signs the DNSKEY record set | Annually or less often (requires a DS update in the parent) |
| ZSK (Zone Signing Key) | Signs all other records | Monthly to quarterly |
DNSSEC Validation Process
1. Client queries the DNS resolver for the example.com A record
2. Resolver retrieves the A record set together with its RRSIG signature
3. Resolver fetches the zone's DNSKEY record set and uses it to verify the RRSIG
4. Resolver checks the zone's KSK (DNSKEY) against the DS record published in the parent zone
5. The chain continues up to the root, verifying the DS/DNSKEY link at each level
6. If every signature in the chain is valid, the response is authenticated
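Step 4 is the link between zones: the parent's DS record carries a digest of the child's KSK, so a resolver recomputes that digest from the DNSKEY it fetched and compares. The following Python, added here as an example and not code from the original page, builds a DS record from a DNSKEY and checks a DNSKEY against a DS the way a validator does; the public key is a constructed stand-in, not a real key.

```python
import base64
import hashlib
import struct

# Constructed stand-in for a child zone's KSK public key (64 bytes, the size of an
# algorithm-13 ECDSA P-256 key); it is not a real key and is used only for illustration.
CONSTRUCTED_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lowercase, length-prefixed labels."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA on the wire: 16-bit flags | 8-bit protocol | 8-bit algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5, algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Digest field of a DS record: hash(owner name wire form || DNSKEY RDATA), upper-case hex.
    Digest type 2 is SHA-256 (RFC 4509); type 1 is SHA-1 (RFC 4034); type 4 is SHA-384 (RFC 6605)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches_dnskey(owner: str, ds: dict, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bool:
    """Validation step 4: does the parent's DS (key_tag, algorithm, digest_type, digest) authenticate
    this child DNSKEY? RFC 4035 s.5.2 also requires the Zone Key flag (0x0100) and protocol 3."""
    if not (flags & 0x0100) or protocol != 3:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata) == ds["key_tag"] and algorithm == ds["algorithm"]
            and ds_digest(owner, rdata, ds["digest_type"]) == ds["digest"].upper())

def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str, digest_type: int = 2) -> dict:
    """What the parent zone publishes for the child's KSK (the record a registrar asks you for)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": digest_type,
            "digest": ds_digest(owner, rdata, digest_type)}

if __name__ == "__main__":
    ds = make_ds("example.com", 257, 3, 13, CONSTRUCTED_PUBKEY_B64)  # flags 257 = Zone Key + SEP, i.e. a KSK
    print("example.com. IN DS", ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"])
```

Any change to the key bytes, flags or algorithm field changes both the key tag and the digest, which is why a forged DNSKEY cannot satisfy the parent's DS.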
Threats DNSSEC Prevents
| Attack | Description | DNSSEC Protection |
|---|---|---|
| Cache Poisoning | Injecting false records into cache | Signatures detect tampering |
| Man-in-the-Middle | Intercepting and altering responses | Cryptographic validation fails |
| DNS Spoofing | Returning fake IP addresses | Forged records lack valid signature |
Implementation Considerations
- Performance: Larger responses because signatures and keys travel with the data (a signed response can run ~1000-4000 bytes versus ~100 bytes unsigned)
- Key management: Requires secure key generation, storage, and rotation
- Zone signing: Must re-sign zone when records change
- Resolver support: Clients need DNSSEC-validating resolvers
Best Practices
1. Use algorithm 13 (ECDSAP256SHA256) or 14 (ECDSAP384SHA384): ECDSA provides far smaller keys and signatures than RSA
2. Automate key rotation: Use tools like OpenDNSSEC to manage the key lifecycle
3. Monitor signature expiry: Every RRSIG carries inception and expiration times, and once signatures expire, validating resolvers treat the zone as bogus
4. Test before deployment: Validate the signed zone and its chain of trust with tools like dnsviz.net
5. Plan for emergencies: Have key rollover procedures (including an emergency KSK rollover) documented
DNSSEC provides essential protection for DNS integrity, ensuring users reach legitimate destinations rather than attacker-controlled servers.