dnssec


Domain Name System Security Extensions

DNSSEC is a set of Internet standards that provide security mechanisms. These mechanisms ensure the authenticity and integrity of the data. A DNSSEC participant can verify zone data: it can check that the DNS zone data it received is identical to the data that the creator of the zone authorized.

No encryption of the data

DNSSEC was designed to counter cache poisoning. It secures the transfer of resource records with digital signatures. Servers and clients are not authenticated, and DNSSEC does not encrypt any data. It uses an asymmetric cryptosystem. The owner of a piece of information is the master server, which holds the zone to be secured. Every single record is signed with a private (secret) key. Authenticity and integrity can be validated with the public key. DNSSEC uses the EDNS extension, which allows additional parameters to be carried. This extension also removes the 512-byte size limit, because longer DNS messages are needed when a key or signature is to be transmitted.

How does DNSSEC work?

DNSSEC provides information in RRs, that is, resource records. The authenticity of this information is secured with a digital signature. The master server in the zone is the owner of this information and is also authoritative for it. For each zone to be secured, there is a zone signing key, i.e. a zone key. It is a pair consisting of a public and a private key. The public part of the zone key is included in the zone file as a DNSKEY resource record. The private key is used to digitally sign every single RR in the zone. For this purpose, an additional resource record is provided, the RRSIG resource record. It contains the signature for the DNS entry.
For each transaction, the RRSIG RR is sent along with the normal resource record. During a zone transfer, the slaves receive it first. During resolution it is then stored in a cache. Finally, the RR reaches the resolver that requested it, which can validate the signature with the public zone key.

The evaluation

With DNSSEC, the DNS resolvers on end devices such as a computer or a smartphone cannot validate the records themselves. These stub resolvers are simply built programs that need a recursive name server to resolve a name completely. To resolve a name, the stub resolver sends a request to a name server in the local network or in the network of the ISP (Internet service provider).

By setting the DO bit, the resolver can tell the name server that the record should be validated. For this, the stub resolver must support the EDNS extension used by DNSSEC. The server can also be configured so that validation is always performed, independent of the content and presence of the DO bit.

If something went wrong, the server returns a general error. If validation succeeds, the server sets the AD bit in its response. AD means Authenticated Data. For a stub resolver, it is unclear whether the error was triggered by a failed validation or has another cause. Other causes can be a network failure or a name server failure in the requested domain name.
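The DO and AD bits described above, shown at the wire level in an added example that is not part of the original article: it builds a query with an EDNS OPT record carrying the DO bit and classifies replies the way a non-validating stub resolver must. The function names, the constructed reply headers and the mapping of the "general error" to RCODE 2 (SERVFAIL) are assumptions of this example.

```python
import struct

DO_FLAG = 0x8000   # "DNSSEC OK" bit, in the flags half of the EDNS OPT TTL field
AD_FLAG = 0x0020   # "Authenticated Data" bit in the DNS header flags
SERVFAIL = 2       # assumption: the "general error" is modeled as RCODE 2
TYPE_OPT = 41      # EDNS pseudo-record type

def build_query(name, qtype=1, msg_id=0x1234, udp_size=1232):
    """Build a query for `name` with an EDNS OPT record whose DO bit is set."""
    # Header: id, flags (RD=1), 1 question, 0 answers, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG, 0)
    return header + question + opt

def query_has_do(query):
    """Return True if a single-question query carries an OPT record with DO set."""
    pos = 12
    while query[pos]:               # skip the question name label by label
        pos += query[pos] + 1
    pos += 1 + 4                    # terminating zero byte, QTYPE, QCLASS
    if len(query) < pos + 11 or query[pos] != 0:
        return False                # no additional record with a root owner name
    rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", query[pos + 1:pos + 11])
    return rtype == TYPE_OPT and bool(ttl & DO_FLAG)

def classify_response(msg):
    """What a non-validating stub resolver can conclude from the reply header."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if flags & 0x000F == SERVFAIL:
        return "error"              # failed validation or another fault: cannot tell
    if flags & AD_FLAG:
        return "authenticated"      # the server validated the data and set AD
    return "unauthenticated"

# Constructed 12-byte reply headers (id 0x1234, QR/RD/RA set), not captured traffic.
REPLY_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
REPLY_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
REPLY_FAILED = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)
```

The AD bit is an unsigned header flag, so a stub resolver can rely on it only when the path to the validating name server is itself trusted.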