Cryptography And DNSSEC Flashcards
What is a cryptographic hash?
A cryptographic hash is a mathematical algorithm that takes a chunk of text and computes a fixed-length string from it.
The interesting thing about a hash is that minor changes in the original text dramatically change the hash generated from the text.
What is an RRset?
A Resource Record Set, or RRset, is a collection of records of the same domain name, record class (IN), and record type.
Resolvers return entire RRsets when answering queries. If you make a DNS query for the host www.michaelwlucas.com, you’ll get a single A record because that zone only has one A record for that host.
What is a DNSKEY Resource Record?
DNSKEY resource records contain a zone’s public keys.
They can hold both ZSKs (Zone Signing Keys) and KSKs (Key Signing Keys).
What is a DS Resource Record?
The DS (Delegation Signer) resource record contains a hash of the zone’s active KSK, as well as information about the algorithm used and the associated key tag.
A DS record appears in the parent zone of its zone. To get the DS record for michaelwlucas.com, you must query the .com nameservers. Yes, the .com nameservers should have DS records for every single domain that uses DNSSEC.
What is a DLV Resource Record?
A DLV (DNS Lookaside Validation) resource record is almost exactly like a DS record, but it’s only provided by the DNS Lookaside Validation registry.
The DLV was originally intended for testing DNSSEC before the root zone was signed. Today, the DLV is a temporary workaround for registrars who do not support DNSSEC.
What is an RRSIG Resource Record?
The RRSIG (Resource Record Signature) record gives the digital signature of a set of resource records. If a DNSSEC-secured zone has an RRset for www.michaelwlucas.com, that RRset includes an RRSIG record.
The signature is generated by signing the zone data with the ZSK. The DNSKEY RRset containing the ZSK and the KSK is in turn signed with the KSK.
What is the NSEC/NSEC3 Resource Record?
The “next secure” resource record offers proof of nonexistence of a record. If you try to find a record that does not appear in DNS, you want a statement from the authoritative DNS server that the record does not exist.
What is the difference between NSEC and NSEC3?
NSEC records have an interesting side effect in that they can be used to enumerate the entries in a zone. An attacker can use them to list all the hosts in your zone by asking for the NSEC records for known hosts. NSEC3 records hash the names of the existing hosts, so all an attacker can learn is that there’s another host.
What is a ZSK?
A Zone Signing Key (ZSK) is used to sign a zone. Every zone has its own ZSK. You can change the ZSK whenever you desire.
What is a KSK?
The Key Signing Key (KSK) is a key used only to sign the Resource Record set containing all the DNSKEYs for the zone, including the KSKs and ZSKs.
Every zone has its own KSK. Changing a KSK requires coordination with outside parties, such as a domain registrar or IP address registry.
A KSK is sometimes called a Secure Entry Point (SEP), because you can configure a nameserver to completely trust a KSK.
What is the NSEC3PARAM Resource Record?
A zone using NSEC3 also includes an NSEC3PARAM Resource Record, which defines various cryptographic characteristics the client uses to dissect NSEC3 records.
You don’t really need to know the innards of NSEC3PARAM records, but you should know that they exist and are necessary for the proper working of NSEC3.
What is a trust anchor?
A trust anchor is a “known good” public key from a key pair used to sign DNS records.
Trust anchors are the root of the DNSSEC system.
What is an air gap?
An absence of a direct or indirect connection between a computer and the internet, effected for security reasons.
The root zone KSK is protected with an air gap.
What are the 3 approaches to protecting DNSSEC private keys?
- The stealth master: the master is tightly secured, behind a firewall, perhaps in private address space. The public cannot access the master for any service. All nameservers that offer public services are slaves of the stealth master, with no access to the master beyond DNS.
- The HSM: keys are stored inside the hardware security module and cannot be copied out of it.
- Nothing: not recommended. If you take this approach, sysadmins should be well acquainted with the key rollover procedure.