DNS Security Extensions

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 7

DNS Security Extensions (DNSSEC)

overview
The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name
System (DNS) that authenticates responses to domain name lookups. It does not provide privacy
protections for those lookups, but prevents attackers from manipulating or poisoning the
responses to DNS requests.

To protect domains from spoofing and poisoning attacks, enable and configure DNSSEC in the
following places:

1. The DNS zone. If you enable DNSSEC for a zone, Cloud DNS automatically manages
the creation and rotation of DNSSEC keys (DNSKEY records) and the signing of zone
data with resource record digital signature (RRSIG) records.
2. The top-level domain (TLD) registry (for example.com, this would be .com). In your
TLD registry, you must have a DS record that authenticates a DNSKEY record in your
zone. Do this by activating DNSSEC at your domain registrar.
3. The DNS resolver. For full DNSSEC protection, you must use a DNS resolver that
validates signatures for DNSSEC-signed domains. You can enable validation for
individual systems or your local caching resolvers if you administer your network's DNS
services.

For more information about DNSSEC validation, see the following resources:

o Do you have DNSSEC validation enabled?


o Deploying DNSSEC with BIND and Ubuntu Server (Part 1)
o DNSSEC Guide: Chapter 3. Validation
o DNSSEC

You can also configure systems to use public resolvers that validate DNSSEC, notably
Google Public DNS and Verisign Public DNS.

The second point limits the domain names where DNSSEC can work. Both the registrar and
registry must support DNSSEC for the TLD that you are using. If you cannot add a DS record
through your domain registrar to activate DNSSEC, enabling DNSSEC in Cloud DNS has no
effect.

Before enabling DNSSEC, check the following resources:

 The DNSSEC documentation for both your domain registrar and TLD registry
 The Google Cloud community tutorial's domain registrar-specific instructions
 The ICANN list of domain registrar DNSSEC support to confirm DNSSEC support for
your domain.
If the TLD registry supports DNSSEC, but your registrar does not (or does not support it for that
TLD), you might be able to transfer your domains to a different registrar that does. After you
have completed that process, you can activate DNSSEC for the domain.

Management operations
For step-by-step instructions for managing DNSSEC, see the following resources:

 To change the DNSSEC state of the zone from Transfer to On, see Leaving DNSSEC
transfer state.
 To enable DNSSEC for delegated subdomains, see Delegating DNSSEC-signed
subdomains.

Record set types enhanced by DNSSEC


For more information about record set types and other record types, see the following resources:

 To control which public certificate authorities (CAs) can generate TLS or other
certificates for your domain, see CAA records.
 To enable opportunistic encryption through IPsec tunnels, see IPSECKEY records.

DNS record types with DNSSEC-secured zones


For more information about DNS record types and other record types, see the following
resource:

 To enable SSH client applications to validate SSH servers, see SSHFP records.

Migration or transfer of DNSSEC-enabled zones


Cloud DNS supports migrating DNSSEC-enabled zones where DNSSEC has been activated at
the domain registry without breaking the chain of trust. You can migrate zones to or from other
DNS operators that also support migration.

 To migrate a DNSSEC-signed zone to Cloud DNS, see Migrate DNSSEC-signed zones


to Cloud DNS.
 To migrate a DNSSEC-signed zone to another DNS operator, see Migrate DNSSEC-
signed zones from Cloud DNS.

If your existing domain is hosted by your registrar, we recommend migrating the name servers to
Cloud DNS before transferring to another registrar.
DNSSEC – What Is It and Why Is It
Important?
This page is available in:

 English

 ‫العربية‬
 Español
 Français
 Pусский
 中文

Interested in learning about Domain Name System Security Extensions (DNSSEC)? Click the
image below to explore our infographic, which describes what DNSSEC is and outlines the
benefits of deploying DNSSEC.

A brief description of how DNS works

To understand Domain Name System Security Extensions (DNSSEC), it helps to have a basic
understanding of the Domain Name System (DNS).

The proper functioning of the Internet is critically dependent on the DNS . Every web page
visited, every email sent, every picture retrieved from a social media: all those interactions use
the DNS to translate human-friendly domain names (such as icann.org) to the IP addresses (such
as 192.0.43.7 and 2001:500:88:200::7) needed by servers, routers, and other network devices to
route traffic across the Internet to the proper destination.
Using the Internet on any device starts with the DNS. For example, consider when a user enters a
web site name in a browser on their phone. The browser uses the stub resolver, which is part of
the device's operating system, to begin the process of translating the web site's domain name into
an Internet Protocol (IP) address. A stub resolver is a very simple DNS client that relays an
application's request for DNS data to a more complicated DNS client called a recursive resolver.
Many network operators run recursive resolvers to handle DNS requests, or queries, sent by
devices on their network. (Smaller operators and organizations sometimes use recursive resolvers
on other networks, including recursive resolvers operated as a service for the public, such as
Google Public DNS, OpenDNS, and Quad9.)

The recursive resolver tracks down, or resolves, the answer to the DNS query sent by the stub
resolver. This resolution process requires the recursive resolver to send its own DNS queries,
usually to multiple different authoritative name servers. The DNS data for every domain name is
stored on an authoritative name server somewhere on the Internet. DNS data for a domain is
called a zone. Some organizations operate their own name servers to publish their zones, but
usually organizations outsource this function to third parties. There are different types of
organizations that host DNS zones on behalf of others, including registrars, registries, web
hosting companies, network server providers, just to name a few.

DNS by itself is not secure

DNS was designed in the 1980s when the Internet was much smaller, and security was not a
primary consideration in its design. As a result, when a recursive resolver sends a query to an
authoritative name server, the resolver has no way to verify the authenticity of the response. The
resolver can only check that a response appears to come from the same IP address where the
resolver sent the original query. But relying on the source IP address of a response is not a strong
authentication mechanism, since the source IP address of a DNS response packet can be easily
forged, or spoofed. As DNS was originally designed, a resolver cannot easily detect a forged
response to one of its queries. An attacker can easily masquerade as the authoritative server that
a resolver originally queried by spoofing a response that appears to come from that authoritative
server. In other words an attacker can redirect a user to a potentially malicious site without the
user realizing it.

Recursive resolvers cache the DNS data they receive from authoritative name servers to speed up
the resolution process. If a stub resolver asks for DNS data that the recursive resolver has in its
cache, the recursive resolver can answer immediately without the delay introduced by first
querying one or more authoritative servers. This reliance on caching has a downside, however: if
an attacker sends a forged DNS response that is accepted by a recursive resolver, the attacker has
poisoned the cache of the recursive resolver. The resolver will then proceed to return the
fraudulent DNS data to other devices that query for it.

As an example of the threat posed by a cache-poisoning attack, consider what happens when a
user visits their bank's website. The user's device queries its configured recursive name server for
the bank web site's IP address. But an attacker could have poisoned the resolver with an IP
address that points not to the legitimate site but to a web site created by the attacker. This
fraudulent website impersonates the bank website and looks just the same. The unknowing user
would enter their name and password, as usual. Unfortunately, the user has inadvertently
provided its banking credentials to the attacker, who could then log in as that user at the
legitimate bank web site to transfer funds or take other unauthorized actions.

The DNS Security Extensions (DNSSEC)

Engineers in the Internet Engineering Task Force (IETF), the organization responsible for the
DNS protocol standards, long realized the lack of stronger authentication in DNS was a problem.
Work on a solution began in the 1990s and the result was the DNSSEC Security Extensions
(DNSSEC).

DNSSEC strengthens authentication in DNS using digital signatures based on public key
cryptography. With DNSSEC, it's not DNS queries and responses themselves that are
cryptographically signed, but rather DNS data itself is signed by the owner of the data.

Every DNS zone has a public/private key pair. The zone owner uses the zone's private key to
sign DNS data in the zone and generate digital signatures over that data. As the name "private
key" implies, this key material is kept secret by the zone owner. The zone's public key, however,
is published in the zone itself for anyone to retrieve. Any recursive resolver that looks up data in
the zone also retrieves the zone's public key, which it uses to validate the authenticity of the
DNS data. The resolver confirms that the digital signature over the DNS data it retrieved is valid.
If so, the DNS data is legitimate and is returned to the user. If the signature does not validate, the
resolver assumes an attack, discards the data, and returns an error to the user.

DNSSEC adds two important features to the DNS protocol:

 Data origin authentication allows a resolver to cryptographically verify that the data it received
actually came from the zone where it believes the data originated.
 Data integrity protection allows the resolver to know that the data hasn't been modified in
transit since it was originally signed by the zone owner with the zone's private key.

Trusting DNSSEC keys

Every zone publishes its public key, which a recursive resolver retrieves to validate data in the
zone. But how can a resolver ensure that a zone's public key itself is authentic? A zone's public
key is signed, just like the other data in the zone. However, the public key is not signed by the
zone's private key, but by the parent zone's private key. For example, the icann.org zone's public
key is signed by the org zone. Just as a DNS zone's parent is responsible for publishing a child
zone's list of authoritative name servers, a zone's parent is also responsible for vouching for the
authenticity of its child zone's public key. Every zone's public key is signed by its parent zone,
except for the root zone: it has no parent to sign its key.

The root zone's public key is therefore an important starting point for validating DNS data. If a
resolver trusts the root zone's public key, it can trust the public keys of top-level zones signed by
the root's private key, such as the public key for the org zone. And because the resolver can trust
the public key for the org zone, it can trust public keys that have been signed by their respective
private key, such as the public key for icann.org. (In actual practice, the parent zone doesn't sign
the child zone's key directly--the actual mechanism is more complicated--but the effect is the
same as if the parent had signed the child's key.)

The sequence of cryptographic keys signing other cryptographic keys is called a chain of trust.
The public key at the beginning of a chain of trust is a called a trust anchor. A resolver has a list
of trust anchors, which are public keys for different zones that the resolver trusts implicitly. Most
resolvers are configured with just one trust anchor: the public key for the root zone. By trusting
this key at the top of the DNS hierarchy, a resolve can build a chain of trust to any location in the
DNS name space, as long as every zone in the path is signed.

Validating and Signing with DNSSEC

In order for the Internet to have widespread security, DNSSEC needs to be widely deployed.
DNSSEC is not automatic: right now it needs to be specifically enabled by network operators at
their recursive resolvers and also by domain name owners at their zone's authoritative servers.
The operators of resolvers and of authoritative servers have different incentives to turn on
DNSSEC for their systems, but when they do, more users are assured of getting authenticated
answers to their DNS queries. Quite simply, a user can have assurance that they are going to end
up at their desired online destination.

Enabling DNSSEC validation in recursive resolvers is easy. In fact, it has been supported by
nearly all common resolvers for many years. Turning it on involves changing just a few lines in
the resolver's configuration file. From that point forward, when a user asks the resolver for DNS
information that comes from zones that are signed, and that data has been tampered with, the
user will (purposely) get no data back. DNSSEC protects the user from getting bad data from a
signed zone by detecting the attack and preventing the user from receiving the tampered data.

Signing zones with DNSSEC takes a few steps, but there are millions of zones that sign their
DNS information so that users of validating resolvers can be assured of getting good data.
Almost all common authoritative name server software supports signing zones, and many third-
party DNS hosting providers also support DNSSEC. Usually, enabling DNSSEC for a zone with
a hosting provider is quite easy: often it entails little more than clicking a check box.

For a zone owner to deploy DNSSEC by signing their zone's data, that zone's parent, and its
parent, all the way to the root zone, also need to be signed for DNSSEC to be as effective as
possible. A continuous chain of signed zones starting at the root zone allows a resolver to build a
chain of trust from the root zone to validate data. For example, to effectively deploy DNSSEC in
the icann.org zone, the org zone needs to be signed as well as the root zone. Fortunately, the
DNS root zone has been signed since 2010, and all gTLDs and many ccTLDs are also signed.

There is one more step to complete DNSSEC deployment in a zone: the newly signed zone's
public key material needs to be sent to the zone's parent. As described earlier, the parent zone
signs the child zone's public key, and allows a chain of trust to be built from parent to child.
Today the zone owner usually needs to communicate the zone's public key material to the parent
manually. In most cases, that communication happens through the zone owner's registrar. Just as
a zone owner interacts with its registrar to make other changes to a zone, such as the list of the
zone's authoritative name servers, the zone owner also interacts with the registrar to update the
zone's public key material. While this process is currently manual, recently developed protocols
are expected to allow this process to be automated in the future.

The next steps for DNSSEC

As DNSSEC deployment grows, the DNS can become a foundation for other protocols that
require a way to store data securely. New protocols have been developed that rely on DNSSEC
and thus only work in zones that are signed. For example, DNS-based Authentication of Named
Entities (DANE) allows the publication of Transport Layer Security (TLS) keys in zones for
applications such as mail transport. DANE provides a way to verify the authenticity of public
keys that does not rely on certificate authorities. New ways of adding privacy to DNS queries
will be able to use DANE in the future, as well.

In 2018, ICANN changed the trust anchor for the DNS root for the first time. Many lessons were
learned about DNSSEC during that process. Furthermore, many resolver operators became more
aware of DNSSEC and turned on validation, and the world got to more clearly see how the entire
DNSSEC system worked. In the coming years, ICANN hopes to see greater adoption of
DNSSEC, both by resolver operators and zone owners. This would mean that more users
everywhere could benefit from DNSSEC's strong cryptographic assurance that they are getting
authentic DNS answers to their queries.

You might also like