Episode 3

Key-Signing Who?

**Key-signing keys** are here to ensure that the DNSKEY can be trusted.

Key-signing keys validate the DNSKEY RRset in the same way that the zone-signing keys secured the other RRsets.

Here's what we have so far:

Records are bundled in RRsets and signed by zone-signing keys. The public portion of that key is stored in a DNSKEY record.

That DNSKEY record is now signed with a key-signing key, creating an additional RRSIG record.

The public portion of the key-signing key is stored in another DNSKEY record.

The two DNSKEY records are bundled in an RRset that is signed by the private key of the key-signing key.

Now, when the DNS resolver asks for the DNSKEY, it gets an RRset of DNSKEY records along with an RRSIG.

The process is now as follows...

The resolver asks the authoritative name server for the A records for www.dnsimple.com.

www.dnsimple.com A record please?

The authoritative server returns the RRset containing the A records along with an RRSIG that contains the signature made by the zone-signing key.

The resolver queries the authoritative server again for the DNSKEY to validate the signature in the RRSIG record.

DNSKEY, please?

The authoritative server returns an RRset containing the DNSKEY records for the zone-signing and key-signing keys, along with an RRSIG record.

The resolver now has all the information to validate the DNS query.

It verifies the RRSIG for the A RRset with the DNSKEY record that holds the public key of the zone-signing key.

If this is valid, it verifies the RRSIG for the DNSKEY RRset with the DNSKEY record that holds the public key of the key-signing key.

When all of this is done, the resolver is sure it can trust the values for the A records returned by the authoritative server.

This is all great, but now we're facing more issues.

DNS is hierarchical. Trusting one zone doesn't mean we can trust the parent or the child zone.

We know we can trust the A records on www.dnsimple.com, but what about the parent and children?

The key-signing key's DNSKEY record is signed by the key-signing key itself. What if it was compromised?
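The resolver steps above, and the closing worry about a key-signing key that vouches for itself, as an added example that is not from this comic or from DNSimple: a toy Python model of the whole chain. A small textbook RSA stands in for the real DNSSEC algorithms so that it runs on the standard library alone, and the RRSIG, DNSKEY and key-tag formats are simplified stand-ins for the RFC 4034 wire formats; the zone name, host name and addresses are constructed for the example.

```python
# Added example, not from the comic: a toy model of this episode's signing chain built on a small
# textbook RSA. Real DNSSEC uses RSA/ECDSA/EdDSA at proper sizes and RFC 4034 formats.
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for toy key generation."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(c):
            return c

def generate_keypair(bits=512):
    """Textbook RSA (public, private); 512 bits holds a SHA-256 digest but is NOT secure."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is exactly gcd(e, phi) == 1
            return {"e": e, "n": p * q}, {"d": pow(e, -1, phi), "n": p * q}

def canonical(rrset):
    """Bytes the signature covers: owner, type and every rdata, sorted. The whole RRset is signed."""
    owner, rtype, rdatas = rrset
    return "|".join([owner.lower(), rtype, *sorted(rdatas)]).encode()

def digest(rrset):
    return int.from_bytes(hashlib.sha256(canonical(rrset)).digest(), "big")

def key_tag(pub):
    """16-bit key id used to pick a DNSKEY out of the RRset (simplified; RFC 4034 App. B has the real one)."""
    return int.from_bytes(hashlib.sha256(f"{pub['e']} {pub['n']}".encode()).digest()[:2], "big")

def make_rrsig(rrset, priv, pub):
    """RRSIG-like record: type covered, tag of the signing key, and the signature over the RRset."""
    return {"type_covered": rrset[1], "key_tag": key_tag(pub), "sig": pow(digest(rrset), priv["d"], priv["n"])}

def verify_rrsig(rrset, rrsig, pub):
    return rrsig["type_covered"] == rrset[1] and pow(rrsig["sig"], pub["e"], pub["n"]) == digest(rrset)

def dnskey_rdata(flags, pub):  # flags 256 = zone-signing key, 257 = key-signing key (SEP bit), as in real DNSKEY
    return f"{flags} {pub['e']} {pub['n']}"

def parse_dnskey(rdata):
    flags, e, n = rdata.split()
    return int(flags), {"e": int(e), "n": int(n)}

def build_zone(zone, host, addresses):
    """Authoritative side: A RRset signed by the ZSK, DNSKEY RRset (both public keys) signed by the KSK.
    Returns the server's responses keyed by (owner, type), each a (RRset, RRSIG) pair."""
    zsk_pub, zsk_priv = generate_keypair()
    ksk_pub, ksk_priv = generate_keypair()
    a_rrset = (host, "A", tuple(addresses))
    dnskey_rrset = (zone, "DNSKEY", (dnskey_rdata(256, zsk_pub), dnskey_rdata(257, ksk_pub)))
    return {(host, "A"): (a_rrset, make_rrsig(a_rrset, zsk_priv, zsk_pub)),
            (zone, "DNSKEY"): (dnskey_rrset, make_rrsig(dnskey_rrset, ksk_priv, ksk_pub))}

def tamper_answer(responses, host, addresses):
    """On-path attacker who rewrites the A rdata but, lacking the ZSK, must keep the original RRSIG."""
    rrset, sig = responses[(host, "A")]
    return {**responses, (host, "A"): ((rrset[0], rrset[1], tuple(addresses)), sig)}

def resolve(responses, zone, host):
    """Resolver side in the episode's order: A + RRSIG, then DNSKEY RRset + RRSIG; verify the A RRset with
    the ZSK's DNSKEY, then the DNSKEY RRset with the KSK's DNSKEY. Returns validated rdata or None."""
    a_rrset, a_sig = responses[(host, "A")]
    dnskey_rrset, dnskey_sig = responses[(zone, "DNSKEY")]
    keys = {key_tag(pub): pub for _flags, pub in map(parse_dnskey, dnskey_rrset[2])}
    zsk, ksk = keys.get(a_sig["key_tag"]), keys.get(dnskey_sig["key_tag"])
    if zsk is None or ksk is None or not verify_rrsig(a_rrset, a_sig, zsk):
        return None
    return a_rrset[2] if verify_rrsig(dnskey_rrset, dnskey_sig, ksk) else None

if __name__ == "__main__":
    ZONE, HOST = "dnsimple.com.", "www.dnsimple.com."  # constructed names
    good = build_zone(ZONE, HOST, ["192.0.2.10"])       # constructed TEST-NET-1 address
    print(resolve(good, ZONE, HOST), resolve(tamper_answer(good, HOST, ["198.51.100.99"]), ZONE, HOST))
    # Episode's closing worry: the DNSKEY RRset vouches for itself, so an attacker who swaps in
    # their own ZSK and KSK and re-signs everything passes both checks: prints ('198.51.100.99',)
    print(resolve(build_zone(ZONE, HOST, ["198.51.100.99"]), ZONE, HOST))
```

Three outcomes are worth running: the honest zone validates; an answer rewritten on the wire fails, because the RRSIG no longer matches the A RRset and the attacker cannot make a new one without the zone-signing key; and a zone built from scratch with the attacker's own two keys validates just as well, because nothing in this episode ties the key-signing key to anything outside the zone. The resolver picks each DNSKEY by the key tag carried in the RRSIG, which is how a validator copes with more than one key in the RRset.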