Trusted answers to developer questions

Related Tags

network security

What is DNSSEC?

Educative Answers Team

Grokking Modern System Design Interview for Engineers & Managers

Ace your System Design Interview and take your career to the next level. Learn to handle the design of applications like Netflix, Quora, Facebook, Uber, and many more in a 45-min interview. Learn the RESHADED framework for architecting web-scale applications by determining requirements, constraints, and assumptions before diving into a step-by-step design process.

DNSSEC (DNS Security Extensions) was designed to prevent DNS cache poisoning. Plain DNS sends queries and responses over an unencrypted, unauthenticated protocol, so an attacker who can observe the traffic (or guess the query's transaction ID and source port) can forge a response and deliver it to the resolver before the real answer from the authoritative name server arrives. The resolver then caches the forged record and serves it to every client until its TTL expires.


DNSSEC addresses this by authenticating DNS data rather than encrypting it: only records whose signatures verify are accepted into the resolver's cache. Each record set (for example the A or AAAA records of a name) is signed with the zone's private key, and the signature is published alongside the records in an RRSIG record. A validating resolver fetches the zone's public key (DNSKEY), checks the signature over the record set, and then checks that the key itself is vouched for by a DS record in the parent zone, repeating this up to the root trust anchor. Note that DNSSEC authenticates the response, not the request, and it does not hide the traffic from an observer; a forged or altered answer simply fails validation and is discarded.


DNSSEC adds new record types:

  • DNSKEY: contains a public signing key
  • DS (Delegation Signer): contains a hash of a DNSKEY, published in the parent zone
  • RRSIG: contains a cryptographic signature over a record set
  • NSEC and NSEC3: prove that a name or record type does not exist (authenticated denial of existence)
  • CDNSKEY and CDS: published by a child zone to request that the parent update its DS records

DNSKEYs are used in two roles:

  • KSK (Key Signing Key): signs the DNSKEY record set in the zone; this is the key the parent's DS record refers to
  • ZSK (Zone Signing Key): signs all the other record sets within the zone

Delegation Signer Record

Here is an example of a DS record (the record type field, DS, is required; the digest is shown as a placeholder):

educative.io. 350 IN DS 2109 13 2 hqwie2712e871382u0129lk18euy2871ey

  • educative.io is the owner name (the child zone)
  • 350 is the TTL in seconds
  • IN is the class (Internet)
  • DS is the record type
  • 2109 is the key tag, a 16-bit checksum of the referenced DNSKEY record's data that lets a resolver pick the right key quickly; it is not a unique identifier
  • 13 is the DNSSEC algorithm number of the referenced key (13 = ECDSA P-256 with SHA-256)
  • 2 is the digest type, the hash function used to produce the digest (2 = SHA-256)
  • The final field is the digest, computed over the owner name and the KSK's DNSKEY record data; a real SHA-256 digest is 64 hexadecimal characters, whereas the value above is only illustrative
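The following is an added example (not Educative's code) showing how the DS record fields above are derived from a DNSKEY and how a validating resolver checks them: the key tag checksum from RFC 4034 Appendix B and the digest over the owner name in wire format plus the DNSKEY RDATA from RFC 4034 section 5.1.4. The DNSKEY is a constructed placeholder with a four-byte public key, labelled as such in the code; a real algorithm-13 key carries a 64-byte P-256 point, and the owner name and TTL are taken from the example record above.

```python
import hashlib
import hmac
from dataclasses import dataclass

# DS digest type codes (RFC 4034 section 5.1.4 and RFC 6605). SHA-1 is kept only
# so that old records can be checked; new DS records should use 2 or 4.
SHA1, SHA256, SHA384 = 1, 2, 4
DIGESTS = {SHA1: hashlib.sha1, SHA256: hashlib.sha256, SHA384: hashlib.sha384}
ZONE_KEY = 256            # DNSKEY flag bit 7: this key signs zone data
SEP = 1                   # DNSKEY flag bit 15: Secure Entry Point (a KSK)
KSK_FLAGS = ZONE_KEY | SEP  # 257, the flags value seen on keys that DS records point at


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSA P-256 with SHA-256
    public_key: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit checksum over the RDATA, the 'key tag' field of DS and RRSIG."""
        acc = 0
        for i, b in enumerate(self.rdata()):
            acc += b if i & 1 else b << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


def ds_digest(owner: str, key: DNSKEY, digest_type: int = SHA256) -> bytes:
    """digest = H(owner name in wire format || DNSKEY RDATA)."""
    return DIGESTS[digest_type](owner_wire(owner) + key.rdata()).digest()


def make_ds(owner: str, key: DNSKEY, digest_type: int = SHA256) -> tuple:
    """The four DS RDATA fields: (key tag, algorithm, digest type, digest hex)."""
    return (key.key_tag(), key.algorithm, digest_type,
            ds_digest(owner, key, digest_type).hex().upper())


def format_ds(owner: str, ttl: int, key: DNSKEY, digest_type: int = SHA256) -> str:
    """Presentation format, as the record would appear in the parent zone."""
    tag, alg, dtype, digest = make_ds(owner, key, digest_type)
    return f"{owner.lower().rstrip('.')}. {ttl} IN DS {tag} {alg} {dtype} {digest}"


def verify_ds(owner: str, key: DNSKEY, ds: tuple) -> bool:
    """What a validating resolver does: does the parent's DS commit to this child DNSKEY?"""
    tag, alg, dtype, digest_hex = ds
    if dtype not in DIGESTS or tag != key.key_tag() or alg != key.algorithm:
        return False
    if not key.flags & ZONE_KEY:       # a DS may only point at a zone key
        return False
    expected = ds_digest(owner, key, dtype).hex()
    return hmac.compare_digest(expected, digest_hex.lower())


# Constructed placeholder key for demonstration only (not a real key): a real
# algorithm-13 DNSKEY carries a 64-byte uncompressed P-256 point as its public key.
SAMPLE_KSK = DNSKEY(flags=KSK_FLAGS, protocol=3, algorithm=13, public_key=bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    ds = make_ds("educative.io", SAMPLE_KSK)
    print(format_ds("educative.io", 350, SAMPLE_KSK))
    print("verifies:", verify_ds("educative.io", SAMPLE_KSK, ds))
```

Two details worth noticing: the key tag is only a checksum, so two different keys can share one (the resolver still has to compare the digest), and the owner name is lowercased before hashing, so a DS computed for `Educative.IO.` matches the same key under `educative.io`.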

Copyright ©2022 Educative, Inc. All rights reserved
