Episode 4
Trust the hierarchy
We mentioned that DNS is hierarchical.
When a resolver needs to query the A records for dnsimple.com, it first needs to ask the root servers where to find the .com servers.
Then the .com servers will point the resolver to the authoritative name servers for dnsimple.com.
Finally, the authoritative server will respond with the IP address for the A records for dnsimple.com.
All of this is based on a chain of trust.
At each step, the resolver trusts that it is being redirected from a trusted parent to a trusted child.
In the DNSSEC world, this is accomplished by a new record type called delegation signer (DS).
The DS record is generated on the child zone and given to the parent zone.
The DS record contains a hash of the public portion of the key-signing key stored in the DNSKEY record, computed by your DNS provider.
This DS record needs to be present at the parent zone.
When the DNS resolver queries the child zone, the parent zone gives the resolver the DS record.
This serves two purposes:
First, the resolver is now aware that the child zone is configured with DNSSEC.
Second, the resolver can check that the unencrypted DS record at the parent zone matches the DNSKEY in the child zone.
The resolver re-hashes the child’s DNSKEY and compares that output to the DS record.
If they don’t match, then the resolver knows that the zone has been tampered with.
If they match, the resolver can now trust dnsimple.com.
We now know that we can trust dnsimple.com. But what about .com and the root?
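Here is the DS check described above worked through in code. This is an added example, not DNSimple's code or a real dnsimple.com key: the DNSKEY below is a constructed sample, and the digest is computed the way DS digest type 2 (SHA-256) is defined, over the canonical owner name followed by the DNSKEY RDATA.

```python
import hashlib
import struct

# Constructed sample values for illustration only (not the real dnsimple.com key).
# A key-signing key: flags=257, protocol=3, algorithm=13 (ECDSAP256SHA256),
# with a fake 64-byte public key.
ZONE = "dnsimple.com."
DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": bytes(range(64))}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA as sent on the wire: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["public_key"]


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit word sum over the RDATA with carry folded in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i % 2 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(zone: str, key: dict) -> str:
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA, hex-encoded."""
    return hashlib.sha256(owner_name_wire(zone) + dnskey_rdata(key)).hexdigest()


def ds_record(zone: str, key: dict) -> str:
    """Presentation-format DS RDATA the child hands to the parent: key tag, algorithm, digest type, digest."""
    rdata = dnskey_rdata(key)
    return f"{key_tag(rdata)} {key['algorithm']} 2 {ds_digest(zone, key)}"


def validate_delegation(zone: str, parent_ds: str, child_key: dict) -> bool:
    """The resolver's check: re-hash the child's DNSKEY and compare it to the parent's DS record."""
    return ds_record(zone, child_key).lower() == parent_ds.lower()
```

A tampered DNSKEY (a different key or even changed flags) produces a different digest, so the comparison fails and the resolver rejects the zone.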