DNSSEC Flashcards
DNSSEC
Value prop for DNSSEC?
Verify the answer about fubar.com really came from fubar.com’s nameservers
DNSSEC
Why would a layman care about DNSSEC?
Without it, you try to go to capitalone.com but get a bad DNS result pointing to a dangerous site.
DNSSEC
Basically, how does it work?
PKI chain of trust all the way back to the Root DNS
DNSSEC
Is DNSSEC a totally new protocol?
Nope, it runs on top of DNS
DNSSEC
How is DNSSEC backward compatible?
DNS-only traffic still works. DNSSEC data is sent in addition.
DNSSEC
If data is compromised in transit during DNSSEC, what happens?
Nothing! The compromised DNS result arrives as-is. DNSSEC detects that it was compromised.
DNSSEC
How do you run DNSSEC queries to troubleshoot problems?
dig fubar.com +dnssec
DNSSEC
What data comes back from a DNSSEC-enabled query?
All the same DNS data, plus an additional RRSIG record carrying a PKI signature.
DNSSEC
What’s an RRSET record?
All records of the same name and type, like all the “A” records for “www”.
DNSSEC
Why bother with RRSET records?
All about grouping and making management easier.
DNSSEC
How does DNSSEC PKI stuff work?
Each zone has a Zone Signing Key (public/private pair). It signs each RRSET, and the signature is stored as an RRSIG record.
DNSSEC
How do DNS clients know if an RRSET was compromised, given the RRSIG?
Get the DNSKEY DNS record (public key) from the response and use PKI to verify the signature.
DNSSEC
How do you know the DNSKEY record wasn’t compromised?
Normal PKI certificate signing up to CAs you trust
DNSSEC
Why are there two types of zone signing keys?!
Zones have a Key Signing Key (KSK) that the TLD knows. The KSK generates and signs the DNSKEYs so they can be managed and rotated locally.
DNSSEC
What specifically is the chain of trust for DNSKEY?
The parent DNS zone holds a hash of the child zone’s KSK.