# DNSSEC

[TOC]

## What is DNSSEC

- **Domain Name System Security Extensions**
- Reasons we need it
  - Hackers may attack the DNS server and
- DNSSEC provides
  1. data integrity
  2. origin authentication of DNS data
  3. authenticated denial of existence
- Uses both a **hash function** and **asymmetric encryption**

> Common hash functions: RSA-MD2 (also MD4, MD5) and NIST-SHA

:::info
- **Digital Signature**
  - Source A runs the data through a hash function to produce a hash value, encrypts that hash value with its private key to produce the Digital Signature, appends it to the data and sends it to Destination B.
  - Destination B decrypts the signature appended to the data with Source A's public key to recover the hash value, and compares it with the hash value it computes itself from the data (using the same hash function).

> B decrypting with the public key what was encrypted with the private key guarantees that **the data came from A**
> Comparing the hash values produced on both sides guarantees that **the data was not tampered with**
:::

### Data integrity

- Integrity: the data has not been tampered with
- The data really was provided by the DNS server responsible for that domain
- A signature is produced with the Digital Signature technique; the **DNSKEY** (public key) and the **RRSIG** (Resource Record Signature) are used to verify the integrity of the **RR** (Resource Record).

#### RR - Resource Record

- In a DNS server, each domain name has its own **zone file**, which consists of several resource records.
- Each RR has its own signature (**RRSIG**).
- Different DNS operations use different kinds of RR.

> e.g. configuring name resolution, reverse resolution, or other administrative purposes

### Origin Authentication of data

- Origin **verifiability** --> verifying that the DNS server is authentic
- The DNS server must produce a Digital Signature over its own public key (DNSKEY) and place it in the **Parent Zone Server** (i.e. a trusted third party)

> For a personal digital signature, the person's public key usually has to be handed to a trusted third party for verification, i.e. confirmation that this public key really represents that person

- The **DS** (Delegation Signer) record in the Parent Zone records that the Child Zone's DNSKEY is correct and has not been tampered with.
- Like a tree structure, we only have to trust the **root zone** of the whole DNS parent/child hierarchy, because each upper zone authenticates the one below it.
- ![](https://i.imgur.com/tZAJk2R.png)

### Authenticated denial of existence

- **Verifiable non-existence** --> the **unknown host** the system responds about **truly does not exist**.
- **NSEC**
  - All DNS records are sorted alphabetically, an NSEC record is inserted between each pair of names, and each NSEC record is digitally signed
  - When the response is "unknown host", the client receives NSEC records in order to authenticate the denial of existence.
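The three guarantees described above (RRSIG/DNSKEY integrity, the DS link from parent to child zone, and NSEC denial of existence) can be modelled end to end in a few dozen lines. The following is an added example written for this note, not code from the original page or from any DNSSEC implementation. It assumes records are plain strings rather than RFC 4034 wire format, uses textbook (unpadded) RSA with small fixed Mersenne primes as the key pair purely so it runs offline with the standard library, orders names by plain string comparison instead of the canonical per-label order, and uses constructed sample zones (`.` and `example.`). The `Zone`, `sign_zone`, `validate_chain` and `prove_nonexistence` names are this example's own.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Pub = Tuple[int, int]  # (n, e)


def make_key(p: int, q: int, e: int = 65537) -> Tuple[Pub, int]:
    """Toy textbook-RSA key from two primes; returns (public, private). Not for real use."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # needs gcd(e, phi) == 1, true for the primes below
    return (n, e), d


def _hash_int(data: bytes, n: int) -> int:
    # Hash value of the data, reduced so it fits the tiny toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(data: bytes, pub: Pub, priv: int) -> int:
    return pow(_hash_int(data, pub[0]), priv, pub[0])  # "encrypt the hash with the private key"


def rsa_verify(data: bytes, sig: int, pub: Pub) -> bool:
    return pow(sig, pub[1], pub[0]) == _hash_int(data, pub[0])  # recover hash, compare


@dataclass
class Zone:
    name: str
    pub: Pub
    priv: int
    rrsets: Dict[Tuple[str, str], List[str]] = field(default_factory=dict)
    rrsigs: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def add(self, owner: str, rtype: str, rdata: str) -> None:
        self.rrsets.setdefault((owner, rtype), []).append(rdata)


def canonical(owner: str, rtype: str, rdatas: List[str]) -> bytes:
    """What an RRSIG covers: the whole RRset in a fixed (sorted) order."""
    return (owner.lower() + "|" + rtype + "|" + "|".join(sorted(rdatas))).encode()


def dnskey_rdata(pub: Pub) -> str:
    return f"{pub[0]}:{pub[1]}"


def ds_digest(child: str, pub: Pub) -> str:
    """DS rdata: a hash of the child's DNSKEY, published and signed by the parent."""
    return hashlib.sha256(f"{child.lower()}|{dnskey_rdata(pub)}".encode()).hexdigest()


def sign_zone(zone: Zone) -> None:
    zone.add(zone.name, "DNSKEY", dnskey_rdata(zone.pub))
    # NSEC chain: sort owner names, each NSEC names the next owner; the last wraps to the first.
    owners = sorted({o for o, _ in zone.rrsets})
    for i, owner in enumerate(owners):
        types = sorted(t for o, t in zone.rrsets if o == owner) + ["NSEC", "RRSIG"]
        zone.add(owner, "NSEC", owners[(i + 1) % len(owners)] + " " + " ".join(types))
    for key, rdatas in zone.rrsets.items():  # one RRSIG per RRset, NSEC records included
        zone.rrsigs[key] = rsa_sign(canonical(*key, rdatas), zone.pub, zone.priv)


def verify_rrset(zone: Zone, owner: str, rtype: str, pub: Pub) -> bool:
    key = (owner, rtype)
    if key not in zone.rrsets or key not in zone.rrsigs:
        return False
    return rsa_verify(canonical(owner, rtype, zone.rrsets[key]), zone.rrsigs[key], pub)


def validate_chain(trust_anchor: Pub, parent: Zone, child: Zone) -> Optional[Pub]:
    """Walk the chain of trust; return the child's trusted DNSKEY, or None."""
    if dnskey_rdata(trust_anchor) not in parent.rrsets.get((parent.name, "DNSKEY"), []):
        return None
    if not verify_rrset(parent, parent.name, "DNSKEY", trust_anchor):
        return None
    if not verify_rrset(parent, child.name, "DS", trust_anchor):  # parent vouches for child
        return None
    for rdata in child.rrsets.get((child.name, "DNSKEY"), []):
        n, e = map(int, rdata.split(":"))
        if ds_digest(child.name, (n, e)) in parent.rrsets[(child.name, "DS")] \
                and verify_rrset(child, child.name, "DNSKEY", (n, e)):
            return (n, e)
    return None


def prove_nonexistence(zone: Zone, qname: str, pub: Pub) -> bool:
    """True only if a *signed* NSEC interval strictly covers qname."""
    q = qname.lower()
    for (owner, rtype), rdatas in zone.rrsets.items():
        if rtype != "NSEC":
            continue
        nxt = rdatas[0].split()[0]
        covered = owner < q < nxt or (nxt <= owner and (q > owner or q < nxt))
        if covered and verify_rrset(zone, owner, "NSEC", pub):
            return True
    return False


def build_zones() -> Tuple[Zone, Zone]:
    """Constructed sample: a root zone delegating 'example.' through a DS record."""
    root = Zone(".", *make_key(2**89 - 1, 2**107 - 1))
    child = Zone("example.", *make_key(2**31 - 1, 2**61 - 1))
    child.add("example.", "A", "192.0.2.1")
    child.add("www.example.", "A", "192.0.2.10")
    child.add("mail.example.", "MX", "10 www.example.")
    sign_zone(child)
    root.add("example.", "DS", ds_digest("example.", child.pub))
    sign_zone(root)
    return root, child
```

Run `root, child = build_zones()` and then `validate_chain(root.pub, root, child)` with `root.pub` standing in for the configured trust anchor: the returned key is the child's DNSKEY, `verify_rrset(child, "www.example.", "A", key)` succeeds, `prove_nonexistence(child, "ftp.example.", key)` succeeds because the signed interval `example.` to `mail.example.` covers it, and `prove_nonexistence(child, "www.example.", key)` fails because an existing name is never strictly inside an interval. Editing an A record after signing makes `verify_rrset` fail, and a zone signed with a different key than the one the parent's DS digest names is rejected by `validate_chain`, which is exactly the parent/child authentication the DS record provides.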
## Weakness of DNSSEC

- **Confidentiality**
  - Although the RR and RRSIG cannot be tampered with, they are still **readable** because they are not encrypted.
- **Availability**
  - The service still cannot protect itself from **DDoS attacks**.

## Reference

### Official

- [Wikipedia - Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)
- [RFC 4033 - DNS Security Introduction and Requirements](https://datatracker.ietf.org/doc/html/rfc4033)
- [RFC 4034 - Resource Records for the DNS Security Extensions](https://datatracker.ietf.org/doc/html/rfc4034)
- [RFC 4035 - Protocol Modifications for the DNS Security Extensions](https://datatracker.ietf.org/doc/html/rfc4035)

### Article

- [NTU - Introduction to DNSSEC security technology](https://www.cc.ntu.edu.tw/chinese/epaper/0022/20120920_2206.html)
- [Introduction to DNSSEC](https://www.lijyyh.com/2012/07/dnssec-introduction-to-dnssec.html)
- [Introduction to DNS Resource Records](http://dns-learning.twnic.net.tw/bind/intro6.html)