Domain Name System Security Extensions
DNSSEC (Domain Name System Security Extensions) is a set of Internet standards that adds security mechanisms to the DNS and guarantees the authenticity and integrity of DNS data. A DNSSEC participant can verify certain zone data and check that the DNS zone data received is identical to the data the creator of the zone has authorized.
No encryption of the data
DNSSEC was developed to combat cache poisoning. Resource records are secured with digital signatures during transfer. DNSSEC does not authenticate servers or clients, and it does not encrypt any data; it authenticates the data itself. DNSSEC is based on an asymmetric cryptosystem. The owner of a particular piece of information is the master server of the zone to be secured, which is also where that zone is located. Every single record is signed with a private (secret) key; authenticity and integrity can then be validated with the corresponding public key. DNSSEC relies on the EDNS extension, which allows additional parameters to be used and removes the 512-byte size limit on DNS messages. Longer DNS messages are necessary whenever a key or a signature is to be transmitted.
How does DNSSEC work?
DNSSEC provides its information in resource records (RRs), which secure the authenticity of the information with a digital signature. The master server of the zone is the owner of this information and is also the authoritative server for it. For each zone that is to be secured there is a zone signing key, a pair consisting of a public and a private key. The public part of the zone key is included in the zone file as a DNSKEY resource record. The private key is used to digitally sign each individual RR in the zone. For this purpose a further resource record is added, the RRSIG resource record, which contains the signature for the DNS record.
For each of these transactions an RRSIG RR is sent along with the normal resource record. In a zone transfer the slave servers receive it first; it may then be stored in the cache of a resolver, and finally the RR arrives at the resolver that requested it. With the public zone key, the resolver can validate the signature of the RR.
The evaluation
With DNSSEC, the DNS resolvers on end devices such as computers or smartphones cannot validate the records themselves. These stub resolvers are simply constructed programs that cannot fully resolve a name on their own; they rely on a recursive name server. To resolve a name, the stub resolver sends a request to a name server in the local network or in the network of the ISP (Internet Service Provider).
By setting the DO bit, the stub resolver tells the name server that the record is to be validated; for this the stub resolver must support the EDNS extension used by DNSSEC. The server can also be configured so that validation is always performed.
This is then independent of the content and presence of the DO bit. If the server returns a general error, something has gone wrong. If validation was successful, the server sets the AD bit (Authenticated Data) in its response. A stub resolver cannot detect whether the error was caused by a failed validation or has another cause, such as a power failure or a failure of a name server in the requested domain.
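The exchange described above, as an added example that is not part of the original article: it builds a query with an EDNS0 OPT record carrying the DO bit and a UDP size above 512 bytes, then classifies constructed response headers by RCODE and AD bit, showing why a stub resolver cannot tell a failed validation from any other server error. The query id, UDP size and sample responses are constructed values.

```python
import struct

# Constructed values for this example: a UDP size above the classic 512-byte limit,
# and the DO ("DNSSEC OK") flag, which lives in the top bit of the OPT RR's TTL field.
EDNS_UDP_SIZE = 4096
DO_FLAG = 0x8000
AD_FLAG = 0x0020      # Authenticated Data bit in the DNS header flags
RCODE_SERVFAIL = 2

def build_query(name: str, qtype: int = 1, qid: int = 0x1234, do: bool = True) -> bytes:
    """Build a DNS query with an EDNS0 OPT record; DO asks the recursive server to validate."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question; 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)                # QTYPE, QCLASS IN
    ttl_field = DO_FLAG if do else 0                                # ext-RCODE 0, version 0, DO, Z
    # OPT RR: root name, TYPE 41 (OPT), CLASS = UDP payload size, TTL = flags, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, ttl_field, 0)
    return header + question + opt

def parse_opt(query: bytes) -> tuple[int, bool]:
    """Read (advertised UDP size, DO bit) back from the OPT RR, the last 11 bytes of build_query's output."""
    rtype, udp_size, ttl_field, _ = struct.unpack("!HHIH", query[-10:])
    assert query[-11] == 0 and rtype == 41, "no OPT RR at end of message"
    return udp_size, bool(ttl_field & DO_FLAG)

def classify_response(msg: bytes) -> tuple[int, bool, str]:
    """Return (RCODE, AD bit, verdict) from a response header, as a stub resolver would see it."""
    _, flags, *_ = struct.unpack("!HHHHHH", msg[:12])
    rcode, ad = flags & 0x000F, bool(flags & AD_FLAG)
    if rcode == RCODE_SERVFAIL:
        verdict = "SERVFAIL: failed validation or an unrelated server error; a stub cannot tell which"
    elif rcode != 0:
        verdict = f"error, RCODE {rcode}"
    elif ad:
        verdict = "validated: AD bit set"
    else:
        verdict = "answer not validated: AD bit clear"
    return rcode, ad, verdict

# Constructed header-only responses (QR, RD, RA set); the flag check above needs only the header.
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)   # AD bit also set
RESP_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
RESP_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)    # RCODE 2

if __name__ == "__main__":
    print(parse_opt(build_query("example.com.")))
    for resp in (RESP_VALIDATED, RESP_UNVALIDATED, RESP_SERVFAIL):
        print(classify_response(resp)[2])
```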