Episode 5

Human DNS

As we walk up through the hierarchy of child to parent zones to find out if the DS record is trusted, we’ll end up at the top of the hierarchy where no computers are allowed.

As we walk up through the hierarchy of child to parent zones to find out if the DS record is trusted, we'll end up at the top of the hierarchy where no computers are allowed.

The root zone is the last parent with a DS record.

The root zone is the last parent with a DS record.

The DNSKEY record created by the key-signing key on the root zone is self verified. But who established trust in this record?

The DNSKEY record created by the key-signing key on the root zone is self verified. But who established trust in this record?

HUMANS!

HUMANS!

The root signing ceremony is an event where humans come together to celebrate the rotation of the top DNSKEY key and sign it.

The root signing ceremony is an event where humans come together to celebrate the rotation of the top DNSKEY key and sign it.

It happens 4 times a year.

It happens 4 times a year.

All of this is done in a secure location, with a high degree of scrutiny by auditing firms.

All of this is done in a secure location, with a high degree of scrutiny by auditing firms.

Humans participating in the ceremony can only perform a few actions ensuring that even if there was a group of evil-doers, they would not be able to compromise the event.

Humans participating in the ceremony can only perform a few actions ensuring that even if there was a group of evil-doers, they would not be able to compromise the event.

The result of that ceremony is a new RRSIG record that can be used to verify the DNSKEY at the root.

The result of that ceremony is a new RRSIG record that can be used to verify the DNSKEY at the root.

Let’s walk through the chain of trust together, starting at the root.

Let's walk through the chain of trust together, starting at the root.

When you browse to dnsimple.com, the DNS resolver will ask the root for the location of the .com server.

When you browse to dnsimple.com, the DNS resolver will ask the root for the location of the .com server.

The DNS resolver will assume that the DNSKEY for the key-signing key at the root is trusted because it has been generated by humans.

The DNS resolver will assume that the DNSKEY for the key-signing key at the root is trusted because it has been generated by humans.

Now that we trust the root zone’s key (thanks, mysterious humans in the root-signing ceremony!), we can verify .com, then dnsimple.com, and finally www.dnsimple.com

Now that we trust the root zone's key (thanks, mysterious humans in the root-signing ceremony!), we can verify .com, then dnsimple.com, and finally www.dnsimple.com

If any link in the chain fails, like if a DS record doesn’t match the DNSKEY, DNSSEC alerts the resolver.

If any link in the chain fails, like if a DS record doesn't match the DNSKEY, DNSSEC alerts the resolver.

The resolver then refuses to pass along the untrusted answer to your device.

The resolver then refuses to pass along the untrusted answer to your device.

It’s basically a big ‘Access Denied!’ sign to malicious crabs, tampered data, or incompetent villain hackers.

It's basically a big 'Access Denied!' sign to malicious crabs, tampered data, or incompetent villain hackers.

So that’s DNSSEC in a nutshell

So that's DNSSEC in a nutshell

Zone-signing keys sign the data.

Zone-signing keys sign the data.
Key-signing keys sign the zone-signing keys.
Key-signing keys sign the zone-signing keys.

DS records in the parent zone attest to a child zone’s authenticity.

DS records in the parent zone attest to a child zone's authenticity.

The root zone is validated by real-world humans, ensuring the entire DNS tree is anchored in trust.

The root zone is validated by real-world humans, ensuring the entire DNS tree is anchored in trust.

Now that you’ve seen how it all works, go forth and secure your domains with DNSSEC!

Now that you've seen how it all works, go forth and secure your domains with DNSSEC!

The DNS world will be a safer place, no matter how many crabs try to tamper with your traffic!

The DNS world will be a safer place, no matter how many crabs try to tamper with your traffic!