Introduction to DNSSEC Manager (Plesk)

DNSSEC Manager (Plesk) adds authentication to the Domain Name System to make it more secure. The Domain Name System manages Internet navigation by mapping domain names to IP addresses. Its main purpose is to resolve domain names into IP addresses and vice versa.

Domain Name System Security Extensions (DNSSEC):

a. It is an extension of the DNS protocol.
b. Increases security for the Internet user.
c. Provides security for domain name resolution.
d. Works as a way of verifying authenticity.
e. Verification occurs before other security applications (SSL, SSH, etc.).


How DNSSEC Manager (Plesk) Works

DNSSEC Manager (Plesk) guarantees authenticity and integrity by injecting digital signatures into the DNS hierarchy at each level of domain names. Each level has its own signature-generating keys, and each organization along the way must sign the key of the one below it.

For example:

www.example.com is the domain name.
Step 1: ".com" signs the key of "example.com".
Step 2: Root signs the key of ".com".

DNSSEC Manager (Plesk) follows this chain of trust by validating the "child keys" with the "parent keys". Because every key is validated by the one above it, the only key needed to validate the whole domain name is the topmost parent, or "root", key.



Why is DNSSEC Manager (Plesk) needed?

DNS data published by the registry can be replaced on its path between the "server" and the "client", for example through DNS spoofing or cache poisoning. We therefore need a method to check the "authenticity" and "integrity" of DNS data, and for this we use DNSSEC Manager (Plesk).

Authenticity: Can the data published by the entity be trusted? “Does this DNS response really come from the .com zone?”
Integrity: Is the data received the same as what was published? “Did an attacker (e.g., a man-in-the-middle) modify the data in this response since it was signed?”


How is DNSSEC Manager (Plesk) implemented?

DNSSEC provides message authentication and integrity verification through cryptography and digital signatures.
In DNSSEC, each zone has a public/private key pair.
The zone’s public key is stored in the new "DNSKEY" record.
The zone’s private key is kept safe locally.


Types of Keys:

A signed zone usually contains multiple keys:
a. One or more "key-signing keys (KSKs)" - Sign only the DNSKEY RRset.
b. One or more "zone-signing keys (ZSKs)" - Sign the rest of the zone.

The chain of trust flows from parent zone to child zone. Only a zone’s parent can vouch for its keys’ identity.


Delegation Signer (DS) Records

Information about keys is recorded in a Delegation Signer (DS) record stored in the parent domain or TLD. For more details please refer to the following KB entry
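
As an added illustration of the DS record described above (not code from the extension or from the original article), the following Python sketch derives the DS fields a parent zone would publish from a child's key-signing DNSKEY, and checks that a DNSKEY still matches a stored DS. The zone name and public key are constructed sample values, and all function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed sample data (not a real key): a 64-byte stand-in for an
# ECDSA P-256 public key, for the hypothetical child zone "example.com".
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()
KSK_FLAGS, PROTOCOL, ALG_ECDSAP256 = 257, 3, 13  # 257 = zone key + SEP bit (KSK)
DIGEST_SHA256 = 2                                # DS digest type 2

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """DS fields the parent publishes: (key tag, algorithm, digest type, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, DIGEST_SHA256, digest)

def ds_matches(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """True only if the child's DNSKEY hashes to the DS held by the parent."""
    tag, alg, dtype, digest = ds
    if dtype != DIGEST_SHA256:
        return False  # this sketch only handles SHA-256 digests
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64)
    return (tag, alg, digest.upper()) == (expected[0], expected[1], expected[3])

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, KSK_FLAGS, PROTOCOL, ALG_ECDSAP256, SAMPLE_PUBKEY)
    print("%s IN DS %d %d %d %s" % ((SAMPLE_OWNER,) + ds))
    print("matches:", ds_matches(ds, SAMPLE_OWNER, KSK_FLAGS, PROTOCOL,
                                 ALG_ECDSAP256, SAMPLE_PUBKEY))
```

If the child's KSK is replaced without updating the DS at the parent, the check fails, which is the point where validating resolvers stop trusting the zone.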
