DNSSEC Flashcards

1
Q

DNSSEC

Value prop for DNSSEC?

A

Verify that the answer about fubar.com really came from fubar.com’s nameservers.

2
Q

DNSSEC

Why would a layman care about DNSSEC?

A

Without it, you go to capitalone.com but get a bad DNS result pointing to a dangerous site.

3
Q

DNSSEC

Basically, how does it work?

A

A PKI chain of trust all the way back to the DNS Root.

4
Q

DNSSEC

Is DNSSEC a totally new protocol?

A

Nope, it runs on top of DNS.

5
Q

DNSSEC

How is DNSSEC backward compatible?

A

DNS-only traffic still works. The DNSSEC data is sent in addition to it.

6
Q

DNSSEC

If data is compromised in transit with DNSSEC, what happens?

A

Nothing! The compromised DNS result arrives as-is. DNSSEC detects that it was compromised.

7
Q

DNSSEC

How do you run DNSSEC queries to troubleshoot problems?

A

dig fubar.com +dnssec

8
Q

DNSSEC

What data comes back from a DNSSEC-enabled query?

A

All the same DNS data, plus an additional RRSIG line carrying a PKI signature.

9
Q

DNSSEC

What’s an RRSET record?

A

All records of the same name and type, like the “A” records for “www”.

10
Q

DNSSEC

Why bother with RRSET records?

A

It is all about grouping, which makes management easier.

11
Q

DNSSEC

How does DNSSEC PKI stuff work?

A

Each Zone has a Zone Signing Key (a pub/priv key pair). It signs each RRSET, and the signature is stored as an RRSIG record.

12
Q

DNSSEC

How do DNS clients know whether an RRSET was compromised when they hold the RRSIG?

A

Get the DNSKEY DNS records (the public key) from the response and use PKI to verify the signature.

13
Q

DNSSEC

How do you know the DNSKEY record wasn’t compromised?

A

Normal PKI certificate signing up to CAs you trust.

14
Q

DNSSEC

Why are there two types of Zone signing keys?

A

Zones have a Key Signing Key that the TLD knows. The KSK generates and signs DNSKEYs so they can be managed and rotated locally.

15
Q

DNSSEC

What specifically is the chain of trust for DNSKEY?

A

The parent DNS Zone holds a hash of the child Zone’s KSK.

16
Q

DNSSEC

What’s at the top of all this hashing of KSKs?

A

The DNS Root has a KSK that signs all TLD KSKs.

17
Q

DNSSEC

What’s so special about the DNS Root’s KSK?

A

It is literally the key to the Internet, stored in California and Culpeper, Virginia.

18
Q

DNSSEC

What’s the name for this absolute top thing that isn’t signed or verified by anything higher?

A

Trust Anchor

19
Q

DNSSEC

Where physically are the top level KSKs stored?

A

In HSMs (Hardware Security Modules): the private key material never leaves the HSM.

20
Q

DNSSEC

What is the DNSSEC Signing Ceremony?

A

Take a new Zone Signing Key for the DNS Root Zone to the HSM and sign it there, so it can be used for general signing of domains.