
Author Topic: DNS-Security Extension.  (Read 4673 times)



  • Guest
DNS-Security Extension.
« on: November 13, 2013, 03:31:23 am »
DNS Security: "DNSSEC"

DNSSEC guarantees authenticity and integrity by injecting digital signatures into the DNS hierarchy at each level of the domain name tree.

In the real world our signature is mandatory when sending a letter or making a bank transaction, etc., as proof of our identity and to prevent fraudulent transactions. For that we have to register our signature with the bank or the corresponding authority, so that for every transaction the authority checks whether the signature provided matches the registered one, and only then authorizes it.

The same principle applies to the "DNS Security Extensions": they provide message authentication and integrity verification through cryptography and "digital signatures".
When DNSSEC signs a zone file in the DNS, the following entries or records are added to the zone.

A zone's private key signs each resource record set (RRset).
The RRset's digital signature is stored in an "RRSIG" record.
RRSIG record fields:

 A - the type of records signed

 5 - the digital signature algorithm used (RSA with SHA-1)

 3 - the number of labels in the signed name

 86400 - the original time-to-live on the records signed

 20090507235959 - when the signature expires

 20090501000000 - when the records were signed

 41148 - the key ID/tag/footprint of the signing key, followed by the signer's name

 Finally, the "digital signature" itself, in base64.

1. In DNSSEC, each zone has a public/private key pair.
2. The zone's public key is stored in the new "DNSKEY" record.
3. The zone's private key is kept safe locally.

DNSKEY record fields:

256 - the 16-bit flags field

3 - the protocol octet, which is always 3 to signify DNSSEC

5 - the DNSKEY algorithm number

NSEC Record
NSEC records are designed to prove that no records exist between two different points.
Each NSEC record has a corresponding "RRSIG".

This record says that nothing exists between the "" record and the "" record, i.e. if someone tries to convince us that "" exists, we can verify it by checking the "RRSIG".
Delegation Signer (DS) Records

DS record fields:
      46894 - the key tag

      5 - the DNSKEY algorithm number (RSA with SHA-1)

      2 - the digest type; 2 is SHA-256, 1 is SHA-1

      Finally, the digest, in hexadecimal
This "DS record" at the parent name server is what binds your signed domain into the larger "chain of trust".

To add a DS record at the Registrar:
Copy the following DS record information from the hosting provider and add it to the Registrar's DS record:

   1. Key tag


   3. Digest type.
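To see how the numbers in these records hang together, here is an added Python example (not from the original post): it builds a DNSKEY from the field values in the post, computes its key tag and the DS record the parent would publish, and checks an RRSIG's inception/expiration window. The owner name and the public-key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample, not a real key: flags 256 (Zone Key bit set), protocol 3,
# algorithm 5 (RSA/SHA-1) as in the post above; the 4 public-key bytes are made up.
EXAMPLE_OWNER = "Example.COM."
EXAMPLE_DNSKEY = "256 3 5 " + base64.b64encode(b"\x01\x02\x03\x04").decode()


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(text):
    """Turn 'flags protocol algorithm base64key' into DNSKEY RDATA bytes."""
    flags, proto, alg, *key = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B): 16-bit checksum of the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, dnskey_text, digest_type=2):
    """DS RDATA the parent publishes: key tag, algorithm, digest type, digest of owner||RDATA."""
    rdata = dnskey_rdata(dnskey_text)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def rrsig_time_valid(expiration, inception, now):
    """An RRSIG is usable only while inception <= now <= expiration (YYYYMMDDHHMMSS, UTC)."""
    return inception <= now <= expiration


if __name__ == "__main__":
    print(f"{EXAMPLE_OWNER} IN DS {ds_record(EXAMPLE_OWNER, EXAMPLE_DNSKEY)}")
    print(rrsig_time_valid("20090507235959", "20090501000000", "20090503120000"))
```

Compare the key tag and digest printed here with the values your hosting provider gives you; a mismatch at the registrar breaks the chain of trust for the whole zone.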