To validate the authenticity of the DNS data, DNSSEC introduces a small number of new DNS record types.
The RR in RRsets stands for resource records. A fancy way to say 'records of the same type and name' for a zone or domain.
RRsets bundle all records of the same type and name into a group that is digitally signed.
In the physical world, humans use signatures to bind the identity and authenticity of a message.
The authoritative server signs each RRset with a zone-signing key pair.
We’ll be talking about more keys later, so remember these keys are used produce and verify a signature on the zone records.
Every zone-signing key has a private and public key pair. This is the base of asymmetric cryptography.
Private and public keys work together. Data encrypted with the private key can be decrypted or validated with the public key.
The public key can be shared with anyone. It’s public, and available for everyone.
Private keys are...you guessed it, private and shouldn’t be shared.
Together these two keys provide two important features!
1. Verify that the content comes from the right source.
These keys aren't used to encrypt the entire content of the records. Instead, a digital signature is produced by taking a portion of the RRSet, hashing it and encrypting it.
The hashing process is not only relevant for validation purposes.
This is important because we want to keep the DNS protocol small and lightweight.
The signatures are stored in a DNS record called RRSIG (Resource Record Signature).
And the public key to decrypt that RRSIG record is stored in a new DNS record type called DNSKEY.
Here’s how it happens...
Some content from the RRset is hashed through a hashing algorithm.
The result is encrypted with the private section of the zone-signing key creating a RRSIG record.
Then the authoritative server sends the RRset and the RRSIG to the resolver.
The resolver takes the RRSet and hashes again, just like the authoritative server did with the same algorithm.
The resolver decrypts the signature record with the public portion of the zone-signing key into a hash.
If both hashes match, then the resolver knows that the response is coming from the expected source and that it hasn't been tampered with.
A resolver that doesn't support DNSSEC or is missing the algorithm to support the hashing steps would ignore the signature coming back with the record.
The authoritative server returns both the A record in a RRset and the RRSIG record.
The resolver then asks for the DNSKEY record to validate that the requested record is valid and coming from a trusted source.
The resolver validates the response through the RRset, the RRSIG, and the DNSKEY.
But what if the DNSKEY was compromised?
You've reached the end. This sucks, we know. We're working hard to create more episodes.
But I feel you. This is totally unacceptable, and you should totally go Karen on us.