What is authenticated denial and why should I care?

What if a query is made for records that do not exist? An unsecured DNS server returns the Start of Authority (SOA) record of the enclosing zone, along with a response code (such as NXDOMAIN) indicating the specific error that occurred. Because nothing in that answer is signed, it provides the opportunity for a “replay attack,” which repeats […]

What does it mean to “sign a zone”?

The primary name server for a zone (or the signing software it uses) creates the RRSIG records for each set of records (RRset) in the zone, as well as the NSEC records that link each name to the next one and are used for authenticated denial of existence. Software known as a “zone signer” signs the data for each zone. The signer reads in all zone data, and organizes the […]
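The following Go program is an added example (not code from the original page or from any DNSSEC implementation) showing the two halves of authenticated denial described in the two answers above: the signer sorting the zone's names into RFC 4034 canonical order and linking each to the next to form the NSEC chain, and the validator finding the NSEC whose span covers a queried name, including the wrap-around record that points back to the zone apex. The zone names, the queries and the function names (`buildNSECChain`, `proveNonexistence`) are constructed for this example; real NSEC records also carry a type bitmap and are themselves signed with RRSIG, which is omitted here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// labels splits a DNS name into lowercased labels with the root label
// dropped: "Mail.Example.COM." -> ["mail", "example", "com"].
func labels(name string) []string {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return nil
	}
	return strings.Split(name, ".")
}

// canonicalLess reports whether a sorts before b in DNSSEC canonical
// order (RFC 4034 section 6.1): compare label by label from the rightmost
// label, byte-wise after lowercasing; when all shared labels match, the
// name with fewer labels (the parent) sorts first.
func canonicalLess(a, b string) bool {
	la, lb := labels(a), labels(b)
	for i := 1; i <= len(la) && i <= len(lb); i++ {
		if x, y := la[len(la)-i], lb[len(lb)-i]; x != y {
			return x < y // Go string comparison is byte-wise
		}
	}
	return len(la) < len(lb)
}

// NSEC is an owner name and the next name in canonical order. Real NSEC
// records also list the RR types present at the owner (the type bitmap).
type NSEC struct{ Owner, Next string }

// buildNSECChain is the signer's part of authenticated denial: sort every
// name in the zone canonically and link each to the one that follows; the
// last name points back to the zone apex, closing the chain.
func buildNSECChain(names []string) []NSEC {
	sorted := append([]string(nil), names...)
	sort.Slice(sorted, func(i, j int) bool { return canonicalLess(sorted[i], sorted[j]) })
	chain := make([]NSEC, len(sorted))
	for i, owner := range sorted {
		chain[i] = NSEC{Owner: owner, Next: sorted[(i+1)%len(sorted)]}
	}
	return chain
}

// covers reports whether qname falls strictly between Owner and Next, i.e.
// whether this NSEC proves qname does not exist. The closing record (Next
// at or before Owner) covers everything that sorts after Owner.
func (n NSEC) covers(qname string) bool {
	if canonicalLess(n.Owner, n.Next) {
		return canonicalLess(n.Owner, qname) && canonicalLess(qname, n.Next)
	}
	return canonicalLess(n.Owner, qname) || canonicalLess(qname, n.Next)
}

// proveNonexistence is the validator's part: find the (signed) NSEC that
// covers qname. For a name inside the zone, no match means the name exists
// (it is some NSEC's owner), so no NSEC can be used to deny it. Wildcards
// and empty non-terminals need extra checks (RFC 4035 section 5.4) omitted here.
func proveNonexistence(chain []NSEC, qname string) (NSEC, bool) {
	for _, n := range chain {
		if n.covers(qname) {
			return n, true
		}
	}
	return NSEC{}, false
}

func main() {
	// Constructed sample zone; note the mixed case and the unsorted input order.
	zone := []string{"www.example.com.", "example.com.", "ns2.example.com.", "Mail.example.com.", "ns1.example.com."}
	chain := buildNSECChain(zone)
	for _, n := range chain {
		fmt.Printf("%s NSEC %s\n", n.Owner, n.Next)
	}
	for _, q := range []string{"nonexistent.example.com.", "ns10.example.com.", "zzz.example.com.", "WWW.example.com."} {
		n, ok := proveNonexistence(chain, q)
		fmt.Printf("%-26s denied=%v by %s -> %s\n", q, ok, n.Owner, n.Next)
	}
}
```

Two details are worth noticing in the output. A name that exists is never strictly between two NSEC owners, so no NSEC can be produced for it, which is exactly what stops a replayed denial from being accepted for a real name. And `ns10` sorts between `ns1` and `ns2`, because canonical order is byte-wise rather than numeric; hand-built or incorrectly sorted chains break at precisely such names.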

What is a key?

A key pair contains two digital keys – a private key (held by the signer of the zone, which is usually the DNS operator) and a public key (distributed to the public through the DNS as a DNSKEY record). The zone’s data is signed with the private key; the matching public key lets anyone verify those signatures without being able to forge them. End users’ validators (or the […]

What is a key rollover?

A key rollover occurs whenever it is necessary to change the private key used to sign a zone and, with it, the public key used to validate the zone. This can occur for planned or unplanned reasons. Planned rollovers occur as an ordinary part of key management procedures, similar to changing a […]
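As an added example (not code from the original page or from any DNSSEC software), the following Go program ties together the three answers above: one RRSIG per RRset produced with the private key, a DNSKEY carrying its RFC 4034 key tag as the public half that a validator selects by, and a pre-publish rollover in which a second key is published before signatures switch to it. The names `GenerateKey`, `Sign`, `Validate` and the `www.example.com.` RRset are constructed for this example; the RRSIG here is simplified (it covers a canonical text form of the RRset and has no inception or expiration times and no wire-format encoding), while the key tag checksum and the algorithm 13 (ECDSAP256SHA256) DNSKEY RDATA layout follow the RFC.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RRset is a set of records sharing owner name and type: the unit DNSSEC signs (one RRSIG per RRset).
type RRset struct {
	Owner string
	Type  string
	RData []string
}

// DNSKEY is the published public key plus its 16-bit key tag, which a
// validator uses to pick the matching key out of the zone's DNSKEY RRset.
type DNSKEY struct {
	Tag uint16
	Key *ecdsa.PublicKey
}

// Key is the signer's key pair: priv never leaves the signer, Pub is published in the zone.
type Key struct {
	priv *ecdsa.PrivateKey
	Pub  DNSKEY
}

// RRSIG is a simplified signature record (real ones also carry type covered, TTL, inception and expiration).
type RRSIG struct {
	KeyTag uint16
	Sig    []byte // ASN.1 ECDSA signature as crypto/ecdsa produces it
}

// keyTag is the checksum from RFC 4034 Appendix B over DNSKEY RDATA.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata { // even octets are high bytes, odd octets low bytes
		ac += uint32(b) << (8 * uint(1-i%2))
	}
	ac += (ac >> 16) & 0xffff
	return uint16(ac)
}

// GenerateKey creates a zone-signing key pair for DNSSEC algorithm 13
// (ECDSAP256SHA256) and computes the key tag from its DNSKEY RDATA.
func GenerateKey() (Key, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Key{}, err
	}
	// DNSKEY RDATA: flags 256 (ZONE) | protocol 3 | algorithm 13 | X || Y
	rd := []byte{1, 0, 3, 13}
	rd = append(rd, priv.X.FillBytes(make([]byte, 32))...)
	rd = append(rd, priv.Y.FillBytes(make([]byte, 32))...)
	return Key{priv: priv, Pub: DNSKEY{Tag: keyTag(rd), Key: &priv.PublicKey}}, nil
}

// signingInput is a simplified canonical form of the RRset (RFC 4034 s6: lowercase
// owner, sorted RDATA), so signer and validator hash identical bytes whatever order or case arrives.
func signingInput(rr RRset) []byte {
	rd := append([]string(nil), rr.RData...)
	sort.Strings(rd)
	return []byte(strings.ToLower(rr.Owner) + "|" + rr.Type + "|" + strings.Join(rd, "|"))
}

// Sign produces the RRSIG for one RRset with the private key.
func Sign(k Key, rr RRset) (RRSIG, error) {
	h := sha256.Sum256(signingInput(rr))
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, h[:])
	if err != nil {
		return RRSIG{}, err
	}
	return RRSIG{KeyTag: k.Pub.Tag, Sig: sig}, nil
}

// Validate is the resolver side: select the DNSKEY whose tag matches the RRSIG and verify it over
// the RRset as received. It fails if the data was altered or the signing key left the DNSKEY set.
func Validate(keys []DNSKEY, rr RRset, sig RRSIG) bool {
	h := sha256.Sum256(signingInput(rr))
	for _, k := range keys {
		if k.Tag == sig.KeyTag && ecdsa.VerifyASN1(k.Key, h[:], sig.Sig) {
			return true
		}
	}
	return false
}

func main() {
	k, _ := GenerateKey()
	www := RRset{Owner: "www.example.com.", Type: "A", RData: []string{"192.0.2.1", "192.0.2.2"}}
	sig, _ := Sign(k, www)
	fmt.Println("key tag", k.Pub.Tag, "signature validates:", Validate([]DNSKEY{k.Pub}, www, sig))
}
```

Driven with two keys, the sequence a validator sees during a pre-publish rollover (RFC 6781) is: the old key alone validates its RRSIGs; the new DNSKEY is published alongside it and the old signatures still validate; the zone is re-signed and the new signatures validate against the same DNSKEY set; finally the old key is removed. A cached RRSIG made with the old key fails as soon as the old DNSKEY is gone, which is why the old key has to stay published until those signatures have expired from resolver caches.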

Do I have to worry about the keys being compromised?

As with any other application of cryptography, the keys can become compromised over time. As computers get faster, cryptanalysis becomes more effective. The host holding the private key may itself be compromised, so that the key can be copied and used to forge signatures. Changing keys periodically limits how long any one key is exposed to attack and how long a stolen key remains useful. Furthermore, using […]

How does a scheduled rollover help to prevent key compromise?

DNSSEC “signs” a zone using public-key signature algorithms (such as RSA or ECDSA). Like all cryptography, these are subject to cryptanalysis: it is in principle possible for an attacker to recover the private key of a key pair even though that key has never been disclosed, whether by “brute force” or by other types of attack. Every attack […]

How will people be made aware of a key rollover?

Under ordinary circumstances key rollovers are not visible to end users. The transition from one key to another is handled automatically by the DNS and by validating resolvers, as long as the zone signer properly manages the key pairs, enters the changing keys into the DNS as needed and, for a key-signing key, has the corresponding DS record updated in the parent zone.

What about confidentiality vs. authentication?

Within the context of DNSSEC, “security” refers only to authentication and integrity, not confidentiality. DNSSEC extends DNS so that resolvers can verify that the data they receive is what the zone’s signer published and has not been altered in transit. DNS itself (the protocol, not necessarily all implementations) has no way of hiding data – a query can originate from any host, and any host will receive […]