DNSSEC Part I: the Concepts

Like IPv6, DNSSEC is one of those great forward-looking protocols that unfortunately hasn't seen wide adoption yet. Before I implemented it myself, I could see why. Although some people think BIND itself is difficult to set up, DNSSEC adds an extra layer of keys, key management and a slew of additional DNS records. One day I decided to set up DNSSEC on a personal zone to familiarize myself with the concepts and process, and it turns out that the implementation isn't all that bad once you grasp a few concepts. In this article, I cover some of the general concepts, and in my next article, I'll describe the steps for using DNSSEC on your own zone.

How DNS Works

It can be difficult to understand how DNSSEC works if you don't completely grasp how DNS itself works. Really, I could spend a whole article just talking about how DNS works, but for the purposes of this article, here's a very high-level trace of a typical uncached DNS query that resolves a domain of mine: www.greenfly.org. When you type a URL in a Web browser and press Enter, behind the scenes, the OS starts a process to convert that hostname into an IP address. Although some people run DNS caching services on their personal computers, for the most part, you rely on an external DNS server you've either configured by hand or via DHCP. When your OS needs to convert a hostname into an IP, it sends a DNS query to a name server defined in /etc/resolv.conf (these days, if this file is managed by resolvconf, the real name servers can be trickier to track down). This starts what's known as a recursive query, as this remote DNS server acts on your behalf to talk to any other DNS servers it needs to contact to resolve your hostname to an IP.

In the case of resolving www.greenfly.org, the recursive DNS server starts by sending a query to one of the 13 root DNS servers on the Internet (, asking for the IP for www.greenfly.org. The root name servers reply that they don't know that information, but the name servers for .org might know, and here are their names and IP addresses. Next, the recursive DNS server sends a query to one of the .org name servers (, asking the same question. The .org name server replies that it also doesn't know the answer, but the name servers for greenfly.org might know, and here are their names and IP addresses. Finally, the recursive DNS server asks one of the greenfly.org name servers ( and gets back the answer that www.greenfly.org is at

If you are curious how this might work for a domain you own, just use the dig command with the +trace option. Here's example output for www.greenfly.org:

$ dig www.greenfly.org +trace

; <<>> DiG 9.8.1-P1 <<>> www.greenfly.org +trace
;; global options: +cmd
.                    498369  IN   NS    j.root-servers.net.
.                    498369  IN   NS    k.root-servers.net.
.                    498369  IN   NS    e.root-servers.net.
.                    498369  IN   NS    m.root-servers.net.
.                    498369  IN   NS    c.root-servers.net.
.                    498369  IN   NS    d.root-servers.net.
.                    498369  IN   NS    l.root-servers.net.
.                    498369  IN   NS    a.root-servers.net.
.                    498369  IN   NS    h.root-servers.net.
.                    498369  IN   NS    i.root-servers.net.
.                    498369  IN   NS    g.root-servers.net.
.                    498369  IN   NS    b.root-servers.net.
.                    498369  IN   NS    f.root-servers.net.
;; Received 436 bytes from in 60 ms

org.                 172800  IN   NS    b2.org.afilias-nst.org.
org.                 172800  IN   NS    b0.org.afilias-nst.org.
org.                 172800  IN   NS    c0.org.afilias-nst.info.
org.                 172800  IN   NS    a0.org.afilias-nst.info.
org.                 172800  IN   NS    d0.org.afilias-nst.org.
org.                 172800  IN   NS    a2.org.afilias-nst.info.
;; Received 436 bytes from in 129 ms

greenfly.org.        86400   IN   NS    ns2.greenfly.org.
greenfly.org.        86400   IN   NS    ns1.greenfly.org.
;; Received 102 bytes from in 195 ms

www.greenfly.org.    900     IN   A
greenfly.org.        900     IN   NS    ns1.greenfly.org.
greenfly.org.        900     IN   NS    ns2.greenfly.org.
;; Received 118 bytes from in 2 ms

Although this may seem like a lot of steps, in practice, name servers cache answers for a period of time known as the TTL, or Time To Live, that's assigned to every record. That way, a DNS resolver has to look up only any records that have expired.

DNS Security Issues

DNS has been around for quite a while, and it has had its share of security issues over time. DNS is designed to be an open, friendly service. Although some administrators might treat DNS records as secrets, generally speaking, a DNS record's purpose is to be looked up by anyone who requests it, so DNS records are not encrypted, and DNS queries generally occur over plain text. Here are a few DNS security issues facing us today:

  • Domain names sometimes look alike (google.com vs. googIe.com), which an attacker can take advantage of to encourage you to click on a legitimate-looking link.

  • Companies can't always register their name on all TLDs (.com vs. .biz vs. .net), so an attacker might register mybank.biz, which a victim may think is legitimate.

  • Many DNS servers (known as open resolvers) will perform recursive queries for anyone who asks.

  • Open resolvers commonly are used in modern DNS amplification DDOS attacks (an attack where a relatively small DNS query results in an orders of magnitude larger response that, due to DNS queries occurring over UDP, can be redirected to a different target than the host who initiated the request). With a DNS amplification attack, it takes much less bandwidth from an attacking machine to generate large amounts of traffic for a target.

  • DNS is subject to MitM (Man in the Middle) attacks where DNS records can be rewritten before they get back to the victim. This lets an attacker, for instance, change the IP of yourbank.com in a DNS request to point to the Web site the attacker controls instead.

  • DNS spoofing/cache poisoning attacks (this class of attacks was covered by a series of Paranoid Penguin columns in 2011) essentially allow an attacker to inject fake DNS records into a DNS resolver's cache to point victims, again, at an attacker's site instead of the site they intend to visit.

Of all of these different DNS security issues, DNSSEC attempts to address the last two, MitM attacks and DNS cache poisoning, by signing every DNS reply with a signature, much like a PGP signature in an e-mail. The DNSSEC signature verifies that the DNS result you see came from the authoritative DNS server for that domain and that it wasn't tampered with in any way in transit.

How DNSSEC Works

If you are somewhat familiar with the CA (Certificate Authority) system or with how public-key cryptography works with PGP-signed e-mails, understanding DNSSEC will be a bit simpler, as it has some similarities. With DNSSEC, a domain creates a set of public and private keys that it uses to sign every record set in its zone. The domain then publishes the public keys in the zone as a record of its own along with the signatures. With these public keys and signatures, anyone performing a DNS query against that domain can use the public key to validate the signature for a particular record. Because only someone with the private key could sign the record, you can be assured the result was signed by someone who controls the domain. If someone tampered with the record along the way, the signature no longer would match.

Like with PGP-signed e-mail, having cryptographic signatures attached to a document isn't a sufficient reason to trust the document. After all, attackers simply could generate a different key pair, change the record and attach their public key and updated signature instead. With DNSSEC, you need an outside mechanism to know you can trust that the public key you are getting truly came from the domain. With PGP-signed e-mail, you validate the public key with outside mechanisms, such as key-signing parties, with the hope that if you receive an e-mail from someone for which you don't immediately have a public key signature, someone you already trust does, and you can use that chain of trust to validate the signature. I don't know of any DNSSEC key-signing parties; instead, the chain of trust is built much like how it is with the CA system.

When you visit a site that's protected by HTTPS, the site will present you with a copy of its public key (here called a certificate), so you can establish a secure, encrypted communication channel with the site, but equally important, you also can validate that you are in fact communicating with, for instance, mail.google.com and not some attacker. Because you probably didn't go to a Google key-signing party either, how can you trust that certificate? It turns out that each certificate is signed by a CA like Verisign, Thawte or a large number of others. This signature is attached to the certificate you receive, and your browser itself has public keys for each of the CAs built in to it. The browser implicitly trusts these CA certificates, so if you receive a certificate from a site that has been signed by any of these CAs, you will trust it as valid. This trust, by the way, is why it is such a problem when a CA gets hacked. Attackers then can use the private keys from that CA to generate new certificates for any site they want to impersonate and browsers will trust them automatically.


Kyle Rankin is VP of engineering operations at Final, Inc., the author of many books including Linux Hardening in Hostile Networks, DevOps Troubleshooting and The Official Ubuntu Server Book, and a columnist for Linux Journal. Follow him @kylerankin