🛡️ Day 12: DNSSEC
Domain Name System Security Extensions (DNSSEC) is a security system created to add digital signatures to DNS entries. It ensures that the "phone book of the internet" cannot be forged by hackers. 🛡️
What is DNSSEC?
How does it work?
To understand DNSSEC, think of Wax Seals used on ancient royal letters.
When you search for a website, a DNS request is made to find the IP address of that domain.
- Example:
example.com→10.10.10.10
An attacker might try to alter this mapping to send you to a fake site:
- Attack:
example.com→2.2.2.2(A malicious server)
To prevent this, DNSSEC uses Asymmetric Encryption. Every domain owner has a Private Key (kept secret) and a Public Key (shared with everyone). The DNS mapping is signed using that Private Key to create a digital signature called an RRSIG (Resource Record Signature).
DNS Replies: Before vs. After DNSSEC
| Before DNSSEC (Unsecured) | After DNSSEC (Secured) |
|---|---|
example.com → 10.10.10.10 |
example.com → 10.10.10.10 |
RRSIG (Signature): AB23JKD432K |
The Authentication Process
In a modern secure DNS reply, the information is "wax sealed."
- The Stamp: The Private Key is the secret "stamp" held by the domain owner.
- The Public Key: The DNSKEY (Public Key) is sent along with the DNS reply.
- The Algorithm: A code is included to tell the computer which mathematical "recipe" (like RSA) was used.
- The Verification: The computer takes the IP Address + the DNSKEY and performs the algorithm.
- The Match: The result is compared to the RRSIG.
- If it matches: The reply is valid and the website opens.
- If it doesn't match: The reply is discarded as a fake.
How does the computer know the DNSKEY is real?
A hacker could send a fake Public Key, too. To prevent this, the computer uses a system called the Chain of Trust.
The Three Phases of the Chain:
- Phase 1: The DNSKEY (The Employee)
Every DNS reply (e.g., forgoogle.com) carries its own DNSKEY. The Recursive Server (the validator) asks: "How do I know this key is real?" The reply says: "Don't ask me, ask my parent!" - Phase 2: The DS Record (The Manager)
The Recursive Server then asks the "Parent" ofgoogle.com, which is the manager of the.comextension. This manager holds a DS Record (Delegation Signer). The Manager says: "I guarantee this key is real; I am the manager of the .com realm." - Phase 3: The Root (The CEO)
The Recursive Server then goes to the "Big Boss" of the entire internet: The Root. The Root replies: "I am the CEO. I vouch for the .com manager. If I say trust them, trust them."
The Conclusion: The Chain stops at the Root (managed by ICANN). Because your computer already has the Root's "ID badge" saved in its memory, it trusts the CEO, who trusts the Manager, who trusts the Website. This complete link is the Chain of Trust.