DNSSEC

Question 1

DNSSEC

Value prop for DNSSEC?

Answer 1

Verify the answer about fubar.com really came from fubar.com’s nameservers

Question 2

DNSSEC

Why would a layman care about DNSSEC?

Answer 2

Without it, you go to capitalone.com, but get bad DNS result pointing to dangerous site.

Question 3

DNSSEC

Basically,how does it work?

Answer 3

PKI chain of trust all the way back to the Root DNS

Question 4

DNSSEC

Why DNSSEC, a totally new protocol?

Answer 4

Nope, it runs on top of DNS

Question 5

DNSSEC

How is DNSSEC backward compatible?

Answer 5

DNS-only traffic still works. DNSSEC data is in addition

Question 6

DNSSEC

If data is compromized in transit during DNSSEC, what happens?

Answer 6

Nothing! The compromized DNS result arrives as-is. DNSSEC detects that it was compromized.

Question 7

DNSSEC

How do you run DNSSEC queries to troubleshoot problems?

Answer 7

dig fubar.com +dnssec

Question 8

DNSSEC

What data comes back from a DNSSEC-enabled query?

Answer 8

All same DNS data, plus RRSIG additional line with a PKI signature.

Question 9

DNSSEC

What’s an RRSET record?

Answer 9

All records of the same name and type, like “A” records to “www”.

Question 10

DNSSEC

Why bother with RRSET records?

Answer 10

All about grouping and making management easier.

Question 11

DNSSEC

How does DNSSEC PKI stuff work?

Answer 11

Each Zone has a Zone Signing Key (pub/priv). Signs each RRSET. The signature is stored as RRSIG.

Question 12

DNSSEC

How do DNS clients know if a RRSET was compromised when holding the RRSIG?

Answer 12

Gets the DNSKEY dns records (public key) from the response and use PKI to verify it

Question 13

DNSSEC

How do you know the DNSKEY rec wasn’t compromised?

Answer 13

Normal PKI certificate signing up to CAs you trust

Question 14

DNSSEC

Why are there two types of Zone signing keys?!

Answer 14

Zones have a Key Signing Key that the TLD knows. KSK generates and signs DNSKEYs so they can be managed and rotated locally.

Question 15

DNSSEC

What specifically is the chain of trust for DNSKEY?

Answer 15

The parent DNS Zone has a hash of the KSK in the child Zone

Question 16

DNSSEC

What’s at the top of all this hashing of KSKs?

Answer 16

The DNS Root has a KSK that signs all TLD KSKs.

Question 17

DNSSEC

What’s so special about the DNS Root’s KSK?

Answer 17

It is literally the key to the Internet…stored in California and Culpeper, Virginia.

Question 18

DNSSEC

What’s a name for this absolute top thing that isn’t signed or verified by something higher?

Answer 18

Trust Anchor

Question 19

DNSSEC

Where physically are the top level KSKs stored?

Answer 19

HSMs: private material never leaves the HSM (Hardware Security Module).

Question 20

DNSSEC

What is the DNSSEC Signing Ceremony?

Answer 20

Take a new Zone Signing key for the DNS Root Zone into the HSM and sign it for general use signing domains.