The DNS protocol is over 30 years old. It is amazing that it is still working so well. But it has a massive flaw, the security. So here comes the security extension called DNSSEC that provides digital signatures (keys) that let DNS clients validate and prove that the DNS data was not modified on the way, and it can also prove a negative answer (the requested item does not exist).
What is DNSSEC?
DNSSEC is Domain Name System Security Extensions. It is a compilation of different security measures that provide cryptographic authentication of DNS data. It proves that the DNS data has not been modified but still does not encrypt the DNS records. It works like a chain of trust that helps verify each step that a query takes.
Step by step DNSSEC
The following steps are universal, no matter if you are using Windows, Linux, another OS, or a SaaS solution. The interface will be different, but you must perform the same actions, so you can follow this step-by-step guide and check another one for your particular case.
Choosing the algorithm for encryption
One of the first decisions that you will face is choosing the exact algorithm you want to use. Your options are:
The size of the key
It is connected to the last step, but it is very important to choose the right algorithm because it will affect the size of the keys. It is recommended to use at least 2048-bit KSK (key signing keys) and 1024-bit ZSK (zone signing keys). Larger keys mean better protection, but more computer power for signing too. Also, think about the limits when it comes to the size of the queries. More than 4096 bytes could be a problem.
Generating the DNSSEC keys
Now, when we have chosen the algorithm, we must create the ZSK and KSK keys. You need to create them and put them in the correct directory (if you are not using a SaaS solution). With the private ZSK, you will sign the zone, and technically, you will already use DNSSEC. This process will group similar records in resource records sets, which will be encrypted. Not the individual records. The process will create RRSIG records and DNSKEY public key for the resolvers to open the records.
Because it is a chain of trust, the upper level needs to be able to verify the sub-zone. This is why we need the next steps in the DNSSEC process.
Creating the DS record
The DS record is the DNS record that you need to put in the higher level zone (parent) to prove the chain of trust. It will contain the hash, the value of the DNSKEY (the public key) that validates the signature.
Put the DS record in the parent zone.
Now that you have successfully created the DS record, it is time to put it in the parent zone. Go to your registrar’s site. There you need to put the newly created record so it can authenticate the zone below.
When a DNS client requests a record, the DNS recursive server will ask for the RRset of the requested type of record, the RRSIG record, and the public ZSK record to unlock them. If the key matches, the zone can be trusted, and the records can be used.