Episode 4

Trust the hierarchy

We mentioned that DNS is hierarchical.

We mentioned that DNS is hierarchical.

When a resolver needs to query the A records for dnsimple.com, it needs to first ask the root where to find the .com servers.

* A character from the comic HowDNS.works
When a resolver needs to query the A records for dnsimple.com, it needs to first ask the root where to find the .com servers.

Then the .com servers will point the resolver to the authoritative name servers for dnsimple.com

* Another character from the comic HowDNS.works
Then the .com servers will point the resolver to the authoritative name servers for dnsimple.com

Finally, the authoritative server will respond with the IP address for the A records for dnsimple.com.

* Yet another character from the comic HowDNS.works, but you knew that already.
Finally, the authoritative server will respond with the IP address for the A records for dnsimple.com.

All of this is based on a chain of trust.

All of this is based on a **chain of trust**.

In each iteration with another server, the resolver trusts that it’s being redirected from a trusted parent to a trusted child.

In each iteration with another server, the resolver trusts that it's being redirected from a trusted parent to a trusted child.

In the DNSSEC world, this is accomplished by a new record type called a delegation signer (DS)

In the DNSSEC world, this is accomplished by a new record type called a **delegation signer** (DS)

The DS record is generated on the child zone and given to the parent zone.

The DS record is generated on the child zone and given to the parent zone.

The DS record contains the public portion of the key-signing stored in the DNSKEY record hashed by your DNS provider.

The DS record contains the public portion of the key-signing stored in the DNSKEY record hashed by your DNS provider.

This DS record needs to be present at the parent zone.

This DS record needs to be present at the parent zone.

When the DNS resolver queries the child zone, the parent zone gives the resolver the DS record.

When the DNS resolver queries the child zone, the parent zone gives the resolver the DS record.

This serves 2 purposes:

This serves 2 purposes:

First, the resolver is now aware that the child zone is configured with DNSSEC.

First, the resolver is now aware that the child zone is configured with DNSSEC.

Second, the resolver can check that the unencrypted DS record on the parent zone matches the DNSKEY on the child zone.

Second, the resolver can check that the unencrypted DS record on the parent zone matches the DNSKEY on the child zone.

The resolver re-hashes the child’s DNSKEY and compares that output to the DS record

The resolver re-hashes the child's DNSKEY and compares that output to the DS record

If they don’t match, the resolver knows the zone has been tampered with.

If they don't match, the resolver knows the zone has been tampered with.

If they match, the resolver now can trust dnsimple.com

If they match, the resolver now can trust dnsimple.com

We now know that we can trust DNSimple. But what about .com and the root?

We now know that we can trust DNSimple. But what about .com and the root?
Continue reading →