What is DNSSEC (Domain Name System Security Extensions)?

00:00

Today we're going to be talking about DNSSEC,

00:04

or DNS security.

00:07

You may have heard of this before,  but you're wondering why do I care?

00:10

And what can I do with it?

00:12

Once you understand that, you'll probably  want to know how you get started.

00:14

And we'll be covering all  three of those things today.

00:17

So let's first talk about why you need DNSSEC.

00:21

Imagine that one of your users

00:23

is trying to get to your  website, let's say ibm.com.

00:28

They type in ibm.com in their browser.

00:32

And it goes to their resolver, their DNS resolver.

00:35

Their DNS resolver talks to the the root zone.

00:40

It talks to the TLD zone for .com.

00:44

TLD for .com.

00:47

And then it talks to the IBM.com name server

00:54

and it gets back in answer.

00:55

But what can happen, what an attacker can do

00:59

is they can reroute traffic on the internet.

01:01

It's not easy to do, but it  has been done in the wild,

01:04

and they can direct the resolver,

01:06

instead of going to ibm.com,  to go to the bad DNS server.

01:14

The bad DNS server can then return -

01:17

so it doesn't go here, instead  it goes to the bad DNS server -

01:20

can then return a bad IP address

01:28

back to your user, and then  they're sent to the bad website.

01:34

At the bad website their  credentials can be harvested

01:38

for malicious ends because  their password is taken.

01:40

Maybe you're a financial institution and  someone can empty their bank accounts.

01:44

Everything, bad things happen  if you allow an attacker

01:50

to insert a bad DNS server in  the midst of the transaction,

01:54

which sends the user to a malicious website.

01:59

DNSSEC was created to prevent  this type of thing from happening.

02:03

DNSSEC does three things.

02:06

First, it does origin authentication.

02:11

Second, it implements data integrity checking.

02:17

And third, it implements  authenticated denial of existence.

02:21

And we'll talk about what each of these things are

02:24

in a little more depth as we go through this.

02:27

So that's why you should care about DNSSEC

02:30

and what DNSSEC can do for you.

02:35

Now let's get into some  details about how DNSSEC works.

02:39

So imagine you're a user again.

02:43

Up here.

02:43

He he's also looking for ibm.com.

02:49

And he also talks to his resolver.

02:54

Goes out to the root zone,

02:56

to the TLD authoritative server,

02:59

and to the ibm.com server.

03:03

But now we have DNSSEC enabled,  so when he goes to there

03:08

it is validated.

03:10

And so we validated that we're  talking to the root server.

03:12

So we've got the origin authentication.

03:15

And we validate that the answer we got back

03:17

is the correct answer.

03:19

Then he talks to the TLD server.

03:21

And, same thing, validates he's  talking to the correct server.

03:24

So stopping the bad DNS server from  being injected into the conversation

03:30

and he validates he gets the right answer back.

03:33

And finally we talked to the ibm.com server

03:36

and validate that we get the correct answer back.

03:40

That's a high level  explanation of how DNSSEC works

03:45

and why you should care about it.

03:47

The one thing I haven't talked about yet  is authenticated denial of existence.

03:51

So let me just mention that real quickly here.

03:54

The idea of authenticated denial of existence

03:56

is if I ask for a name that doesn't  exist, let's say foo.ibm.com,

04:02

and then I talk to the ibm.com name server.

04:05

It's going to return to me an answer.

04:09

It's going to say foo doesn't exist.

04:12

I don't know what foo is.

04:14

How do I know that foo really doesn't exist?

04:16

And that's what authenticated  denial of existence does.

04:19

It's a method so that the  resolver can validate that when

04:24

the ibm.com server says foo doesn't exist,

04:26

it really knows that foo doesn't exist,

04:29

and it's able to put a check mark on that as well.

04:33

So now let's dive a little bit  deeper into how DNSSEC really works.

04:39

There's one technology that  undergrids all of DNSSEC,

04:45

and that's public key cryptography system, PKCS.

04:51

That's the idea that you can  have a public private key pair

04:56

such that when you encrypt  something with the private key,

04:58

which you keep private,

05:01

and publish the public key out on the  internet, or give it to other people,

05:05

that when they decrypt the  item with the public key,

05:08

it validates that the owner of the private  key was the one that created that item.

05:14

And it can be used for a number of functions.

05:16

There's other videos you can watch that  go into a lot more detail about PKCS,

05:20

but essentially it allows us to implement

05:22

the origin authentication, data integrity,  and authenticated denial of existence checks.

05:27

Let's talk about exactly how that works.

05:29

So there is a new record type

05:32

that was introduced to DNS called the DNS key.

05:37

The DNS key has two subtypes.

05:41

One is called a KSK.

05:47

And the other is called the ZSK.

05:50

The ZSK, we'll talk about  first, is used to sign the zone.

05:54

That's why it's a 'Z', for Zone Signing Key.

05:58

And the way that works is if  I have a record in the zone,

06:02

let's say ibm.com is my record in my zone.

06:05

It's got an IP address, say 9.9.9.1,  let's say is the IP address.

06:12

Then I want to have a way to validate

06:16

that this is really the correct  answer or the right answer

06:19

when it's returned back to the user.

06:22

So we created this record type called an RRSIG.

06:28

And it's a way to cryptographically  sign or authenticate

06:32

that this is the answer, so that  when this answer was returned,

06:37

it really is the answer from this server,

06:39

so the origin authentication,  and it hasn't been changed.

06:43

The RRSIG was created using the  public key in the zone signing key.

06:51

Now, then the question is,

06:53

how do I know that this is really  the public key of the ibm.com server?

06:57

That's where the KSK comes in.

06:59

The KSK is also a public key.

07:02

It's used to sign the zone signing key.

07:07

Then we get into the chain of trust.

07:09

The KSK is known to belong to ibm.com.

07:13

Because I've put what's called  a DS record up at the TLD.

07:18

The DS record stands for Delegation Signer.

07:21

That is a hash of this KSK.

07:26

So that when the resolver  is going through the chain,

07:30

going through its resolution chain,

07:32

and it gets to the TLD level,

07:34

it pulls down the delegation signer record.

07:38

Then it next goes to the ibm.com level,

07:41

it pulls a copy of the KSK  and then compares the two.

07:45

And if they match then it knows that the KSK

07:51

at the ibm.com level really  does belong to ibm.com,

07:54

and thus we've validated that we're  talking to the correct server.

07:59

The same thing happens to the next level up.

08:01

The root has a DS record that points at the TLD.

08:05

The same process occurs.

08:07

The DS record is read,

08:08

compared to the KSK at the TLD level,

08:11

and then everything is validated.

08:14

Up at the root there's actually  a file that is downloaded offline

08:19

by the ... when you set up a  resolver, you download that file

08:23

to start the chain of trust and validate

08:26

that you're really talking to  the legitimate root server.

08:31

One more record type that was created for DNS SEC

08:35

is called the NSEC record.

08:38

For "next secure".

08:39

The NSEC record is what's used for  this authenticated denial of existence.

08:44

It's the record type that's  returned when the answer is unknown.

08:47

And it validates that yes, indeed, we  don't have a record type named Foo.

08:56

So that's how DNSSEC works in detail.

08:59

Those are all the new record types  that you need to worry about.

09:02

Now, let's talk about how you can get  started on your own to implement DNSSEC.

09:10

The first thing you want to do  is you want to sign the zone.

09:14

What that means is you create the all  the new record types I mentioned here.

09:19

You create a ZSK.

09:21

You create a KSK.

09:24

And then you create the RRSIGs.

09:28

Depending on your software, the  way you do this will be different.

09:31

For some open source software,  if you're running your own DNS,

09:34

this will be a manual process.

09:36

For some of the manage DNS services out there,

09:39

you'll essentially flip a switch  and all this will be done for you.

09:43

Then second step is you want to test.

09:46

This is a really important point.

09:48

I would highly recommend that  after you set up all the keys,

09:54

all the new records that you test,

09:56

there's a number of open source  tools out on the internet

09:59

and websites that you can go to that will validate

10:02

that your DNSSEC is set up  correctly and you have no errors.

10:05

Test, make sure you get rid of all the errors,

10:08

and then finally you want to go to your  registrar and set up the DS record.

10:13

That's what actually enables DNSSEC.

10:16

Up until this point DNSSEC,  all the records are there,

10:19

but the resolvers are not  actually validating the answers

10:24

because they need the DS  record to do that validation.

10:28

So until you put that DS record  in place, nothing's live.

10:32

The system is just ready to go.

10:34

As soon as you contact your registrar  and put the DS record in place,

10:38

the whole thing spins up, and  now DNSSEC is in operation.

10:44

And whenever a user goes to a validating resolver,

10:48

DNSSEC will be checked

10:50

and it will prevent the  scenario that we saw over here

10:53

where a malicious player inserted a bad DNS server

10:56

and redirected your server to a malicious site.

10:58

So I hope you can get started on DNSSEC

11:02

and protect your websites and applications.

11:05

If you like this video and  want to see more like it,

11:08

please like and subscribe.

11:10

If you have any questions or want to  share your thoughts about this topic,

11:13

please leave a comment below.