
An Introduction to DNSSEC

DNS is a fundamental building block of the Internet. Its responsibility is to locate and translate domain names into their corresponding Internet Protocol addresses (IPv4 and IPv6). Changes and adaptations in the industry have occurred over time: more top-level domains, registries, and registrars have come into existence, mankind witnessed the “Dot-Com” bubble, and the Internet was adopted by more and more people. Despite all these events, the fundamental theory governing the translation of a domain name to an IP address remained valid and largely unchanged.

The Domain Name System was not primarily designed with security in mind. It was designed to be a scalable, public database which did not restrict access to its data. This exposed a lot of vulnerabilities in the system and led to multiple exploits.

The past few years witnessed an unprecedented increase in the number of DNS-related exploits (spoofing, cache poisoning, DNS hijacking). This led to the development of security extensions for DNS called Domain Name System Security Extensions (DNSSEC).

DNS Vulnerabilities & Attacks

Most of the vulnerabilities and exploits are a result of the way DNS as a protocol has been implemented.

  • DNS Cache Poisoning: Cache poisoning is an attack form that leads to the DNS servers caching false information regarding the Domain-IP mapping; the users are redirected to websites that they did not intend to visit. The poisoned cache information can spread from one server to another and this makes Cache poisoning extremely dangerous. DNS is a distributed system of servers; it does not depend on a single server alone to respond to incoming DNS queries. Caching in DNS happens at multiple levels:
    • Our Local machines
    • Routers
    • ISPs
    • Nameservers for a Domain
    • gTLD Servers

Now, what happens if an attacker gains access to one of the servers in the DNS system and changes the information on that server?

The poisoned entry is propagated across servers and may end up getting cached on the end user’s device.

The issue is not hypothetical. In the recent past, there have been multiple real instances. One such incident happened in 2010 when an ISP outside China configured its DNS servers to fetch information from DNS servers located in China. “The Great Firewall” of China is known for using cache poisoning (poisoning its own cache) to redirect users of some websites to incorrect IP addresses. In this case, the ISP cached the response it received from a server in China, which was later cached by other servers.

The poisoned cache spread from system to system and ended up blocking access to websites like Facebook, Google, and Twitter for some users in the US and Chile.

  • DNS Hijacking: In DNS Hijacking, unlike cache poisoning, the DNS Cache is not altered. Hijackers update the DNS settings for a domain name to point to their own IPs. Once the DNS settings have been updated, the hijacker can redirect the users to his websites. This may also be used for phishing attacks or for making money by redirecting users to the websites which the hijacker wants them to visit.

DNS Hijacking and cache poisoning/spoofing are two of the most commonly used forms of DNS attacks. Other attacks, such as DDoS (Distributed Denial of Service) and amplification attacks, also exist.

Now we all know that DNS was not built with security in mind. We also know that it does not verify any credentials before accepting an answer. So, how do we make DNS more secure and robust with all these vulnerabilities and exploits around?

One of the most important steps that was taken to make DNS secure was the introduction of DNSSEC. In the sections below, we will read more about it and how it works.


DNSSEC (Domain Name System Security Extensions) adds security to the Domain Name System by enabling the validation of DNS Responses. Correct implementation of DNSSEC makes DNS less vulnerable to a very common type of attack called DNS Spoofing.

DNSSEC uses public key cryptography to digitally sign the DNS records at the authoritative DNS server. Digital signing ensures that the DNS response originated from the stated source and allows us to validate the origin of the DNS record. It guarantees that we, the users of the system, get the correct IP address associated with a Domain name. It adds cryptographic signatures to the existing DNS resource records at the Authoritative DNS Servers.

DNSSEC does not encrypt anything. The keys are used to sign the records and build a chain of trust; the packets themselves are not encrypted, as DNSSEC does not provide encryption.

DNSSEC works by establishing a chain of trust. This chain starts at the root “.” name servers. A copy of the root’s public key is held by DNSSEC enabled recursive nameservers. The Root servers form a trust with the TLD (Top Level Domain) servers and the TLD servers form a trust with the Authoritative servers of the Domain name.

The following Resource Records were introduced to aid signature validation under DNSSEC:

  • RRSIG: Resource Record Signature -> The RRSIG record holds the signature over a record set. When querying a signed zone for the A record of a domain name, the A record is returned together with its RRSIG record, which carries the signature used to verify it.


  • DNSKEY: DNS Public Key -> A DNSKEY record holds the public key used to sign a record or a DNS zone. DNSKEY records are of 2 types:
    • Zone Signing Key (ZSK): used to sign the records in a DNS zone.
    • Key Signing Key (KSK): used to sign the Zone Signing Key (ZSK) and create a chain of trust with the level above.
  • DS: Delegation Signer -> A DS record lives in the parent zone and is used to verify the results returned when querying the child zone. For example, for the domain name example.com, the DS record is present in the .COM zone.
  • NSEC/NSEC3: Next Secure -> NSEC and NSEC3 are used to securely handle NXDOMAIN (non-existent domain name) answers in DNS. They provide a signed NXDOMAIN response stating that there is no such record.

DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). The public keys are stored in DNSKEY resource records and are used in the DNSSEC authentication process. A zone signs its authoritative RRsets by using a private key and stores the corresponding public key in a DNSKEY Resource Record. A resolver can then use the public key to validate signatures covering the RRsets in the zone, and thus to authenticate them.

Requirements for DNSSEC Implementation

  • For DNSSEC implementation, the domain’s parent zone and the parent’s parent zone, all the way up to the ROOT must support DNSSEC. Currently, out of the 1531 TLDs in the ROOT zone, 1386 are signed.


  • The Domain Name’s Registrar must allow uploading the DS records to the parent zone.
  • The domain’s hosting provider must support DNSSEC, and the management interface provided must allow adding DNSKEY, RRSIG and other DNSSEC-related records.

How DNSSEC Works

DNS Zones can be secured with DNSSEC using a process called “Zone Signing.” For this, DNSSEC should be supported by the Authoritative Nameserver as well as the local resolver which in most of the cases belongs to the ISP.

  • When a zone is DNSSEC signed, the zone’s creator generates a key pair. This key pair is the foundation of public key (asymmetric) cryptography. DNS responses are validated using the digital signatures included with them. In public key encryption, the private key encrypts the message whereas the public key can be used to decrypt it. In the domain namespace, the DNSKEY record present in the zone file contains the public key.
  • The resource records (A, CNAME, AAAA, etc.) are digitally signed, with the signature stored in an RRSIG record, every single time there is an update to the zone.

[Image: RRSIG records signing the zone’s resource records, with the DNSKEY record holding the public key]

  • The image above shows how the RRSIG record is used to digitally sign resource records such as A, CNAME, SOA, NS and AAAA. The DNSKEY record contains the public key.
  • For a DNSSEC-enabled zone, the RRSIG record is sent back to the resolving server along with the response to the DNS query. When the resolving server receives this response, including the RRSIG, it asks for the public key (that is, the DNSKEY record) to decrypt the signature.
  • As we know by now, the RRSIG record is a digest/hash of the resource record which is then encrypted with the private key. The RRSIG record accompanies any DNS response for a DNSSEC-enabled zone. Once the resolving server has received the DNS response and the corresponding RRSIG record, it needs the public key to decrypt the RRSIG.
  • The resolving server creates a hash of the requested resource record and, once it receives the public key, decrypts the RRSIG (the signature) using that key and compares the two hashes or digests. A match means a valid signature.
  • It is possible for malicious entities to spoof the DNS response and the RRSIG record, along with the public key, using their own key pair. DNSSEC prevents this using DS records, or Delegation Signer records. We will read more about them in the next section, where we look at actual dig commands to understand how DNSSEC works outside theory.


Let’s have a look at some DIG queries to understand how DNSSEC works.

  • Let’s use a DNS resolver that doesn’t support DNSSEC to query the NS record of example.com.
Command: dig +short NS example.com

The response we get is:

[Screenshot: output of dig +short NS example.com]

  • Now, let’s run the same query with DNSSEC enabled.
Command: dig +short +dnssec NS example.com



NS 8 2 86400 20170601015854 20170511071922 61845 example.com. iM/F025H0BdVCjRkpt/IQfZRAfFHFGsPqS7fxJ+JwLMqeakpnHBDN3Mf 7U/O+ZoNrVFC+mvdeSJ351OiXymffnoD3X1Wp0J7xj6F33sD/gbEpw1d F8M1MNSTih31U+unIDEzNt0uPCghxfXuh2zLdEr9QmtBGBTPMKV16Pwl ikrV6s4=

As you can see, in this case we received not just the NS record for the domain example.com but also the RRSIG (Resource Record Signature). For any DNSSEC-signed zone, each record set (RRset) has one or more RRSIG records. An RRSIG record basically contains a signature which is generated by signing the record set with the private key.

  • Now, the next step is to verify if the signature returned is valid. In order to verify the validity of the signature, the DNS Resolver needs to obtain the “DNSKEY” record.
Command: dig +short DNSKEY example.com

[Screenshot: output of dig +short DNSKEY example.com]

In the screenshot above, we dig for the domain’s (example.com) DNSKEY.

  • If you have a look at all the records that the resolver has at this stage, you will see that it has the NS records for the domain example.com, their signature (in the form of an RRSIG record) and the public key (DNSKEY record). The question now is whether establishing trust within the domain’s zone (in this scenario: example.com) is enough. The answer is NO. DNS is a hierarchical system in which zones do not work independently. The mapping of a domain name to an IP address involves multiple hierarchies, starting from the root and going all the way down to the authoritative nameservers for a domain. It is extremely important in DNSSEC to create a “chain of trust” between these levels.
  • In DNSSEC, a chain of trust among the levels is created using the “Delegation Signer Record,” or DS record. It allows building a chain of trust between the parent zone and a child zone. The DNSKEY record is hashed by the entity managing the zone, and the hash is shared with the parent zone, which publishes it as a DS record. The parent zone provides a DS record every single time a resolver is referred to a child zone.
  • The DS record serves 2 very important functions:
    • It tells the DNS resolver that the child zone is DNSSEC enabled.
    • It helps validate the child zone’s public KSK (Key Signing Key). The KSK is hashed by the resolver and compared with the DS record from the parent. If they match, the resolver can assume that the KSK has not been tampered with and that all the records present in the child zone can be trusted.
    • Any change to the KSK (Key Signing Key) requires the DS record at the parent zone to be updated.
    • For the domain example.com, the DS record is not present in example.com’s zone but in the zone file for .COM. The .COM zone also has a DNSKEY record; the DS record is signed using the .COM private key and has an RRSIG record associated with it.
    • The root zone likewise has a DS record signed using its private key, a DNSKEY record and an RRSIG record.
    • This hierarchy of trust and validation that exists between the multiple levels of the Domain Name System is called the “Chain of Trust.”
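The DS check described in this section, together with the RRSIG-to-DNSKEY link from the signing section above, as an added worked example (not code from the original post or from Catchpoint): it uses a constructed, deliberately tiny KSK for example.com (not the real key), computes the RFC 4034 key tag and the SHA-256 DS digest the parent zone would publish, rejects a tampered key against that DS, and parses the RRSIG fields from the dig output above to check the signature validity window and which key tag the signature names. The RSA signature verification itself is left out; only the linkage checks a resolver performs around it are shown.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed sample KSK for example.com (NOT the real key): flags 257 = KSK,
# protocol 3, algorithm 8 (RSA/SHA-256), then a tiny fake public key blob.
# Real keys are hundreds of bytes long; the arithmetic below is identical.
OWNER = "example.com."
CHILD_KSK = "257 3 8 AwEAAd6tvu8="
# RRSIG fields as shown in the dig +short +dnssec NS example.com output above
# (signature bytes omitted; they are not needed for these checks).
PAGE_RRSIG = "NS 8 2 86400 20170601015854 20170511071922 61845 example.com."

def wire_name(name):
    """Encode an owner name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(dnskey_text):
    """Turn 'flags proto alg base64' (dig +short form) into DNSKEY RDATA bytes."""
    flags, proto, alg, key_b64 = dnskey_text.split(None, 3)
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode(key_b64))

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, dnskey_text):
    """DS RDATA the parent publishes: 'tag alg 2 hex'. Digest type 2 is
    SHA-256 over the owner name in wire form followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(dnskey_text)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"

def ds_matches(parent_ds, owner, dnskey_text):
    """The resolver's check: hash the child's KSK and compare with the parent DS."""
    return parent_ds.lower() == ds_record(owner, dnskey_text).lower()

def dnssec_time(s):
    """Parse a YYYYMMDDHHMMSS RRSIG timestamp (always UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(text):
    """Split the presentation-format RRSIG fields into a dict."""
    f = text.split()
    return {"type": f[0], "alg": int(f[1]), "labels": int(f[2]), "ttl": int(f[3]),
            "expiration": dnssec_time(f[4]), "inception": dnssec_time(f[5]),
            "key_tag": int(f[6]), "signer": f[7]}

def rrsig_window_ok(rrsig, now):
    """A signature may only be used between its inception and expiration."""
    return rrsig["inception"] <= now <= rrsig["expiration"]

def rrsig_names_key(rrsig, owner, dnskey_text):
    """Does this RRSIG point at this DNSKEY (same signer name and key tag)?"""
    return (rrsig["signer"].lower() == owner.lower()
            and rrsig["key_tag"] == key_tag(dnskey_rdata(dnskey_text)))

if __name__ == "__main__":
    parent_ds = ds_record(OWNER, CHILD_KSK)  # what the .COM zone would publish
    print("DS:", parent_ds, "\nKSK accepted:", ds_matches(parent_ds, OWNER, CHILD_KSK))
    tampered = "257 3 8 AwEAAd6tvu4="  # last key byte altered
    print("tampered KSK accepted:", ds_matches(parent_ds, OWNER, tampered))
    sig = parse_rrsig(PAGE_RRSIG)
    print("usable on 2017-05-20:", rrsig_window_ok(sig, dnssec_time("20170520000000")))
```

Because the sample key is constructed, rrsig_names_key reports that the page's RRSIG (key tag 61845) was not made with it, which is exactly how a resolver decides which DNSKEY to try.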

DNSSEC is not a new concept; it was developed in 1994, but whether the cost and resources involved in its implementation are justified is still hotly debated. The Kaminsky bug in 2008 highlighted the importance of security with respect to DNS and created a buzz around “DNSSEC.” More than a couple of decades after its development, we are still arguing about its pros and cons.

In the next part of the blog, we will be looking at the possible applications of DNSSEC: DANE, TLSA Record and will be focusing on how to monitor DNSSEC efficiently using Catchpoint.

The post An Introduction to DNSSEC appeared first on Catchpoint's Blog - Web Performance Monitoring.


More Stories By Mehdi Daoudi

