DNSSEC Implementation Quiz

Questions and Answers

According to RFC 4034, how are DNS owner names ordered when implementing DNSSEC?

• By treating individual labels as unsigned, left-justified octet strings, starting with the rightmost label. (correct)
• By sorting names based on the number of labels, with shorter names preceding longer ones.
• By comparing the complete domain name as a single ASCII string, ignoring case.
• By treating individual labels as signed, right-justified octet strings, starting with the leftmost label.

In DNSSEC's canonical ordering, how is the comparison made when sorting octet strings within domain name labels?

• The comparison is case-sensitive and compares octet strings lexicographically, ignoring the numerical values.
• The comparison is done using an unsigned, left-justified method, where the absence of an octet sorts before a zero-value octet. (correct)
• The comparison is done using a signed, right-justified method, where larger values come before smaller values.
• The comparison is case-insensitive for the entire label, treating uppercase and lowercase as equal.

When sorting DNS names for DNSSEC, how are uppercase US-ASCII letters treated?

• They are treated as their corresponding lowercase letters. (correct)
• They are treated as having a higher precedence than lowercase letters.
• They are ignored during the sorting process.
• They are treated as having a lower precedence than lowercase letters.

During canonical RR ordering within an RRset for DNSSEC, what is the primary sorting criteria when RRs have the same owner name, class, and type?

By the content of the RDATA portion, treated as a left-justified unsigned octet sequence. (B)

What happens if a DNSSEC implementation detects duplicate RRs within an RRset when putting it into canonical form?

The implementation must treat this as a protocol error or remove all but one of the duplicate RRs. (D)

What is the relationship between domain names and zones in the DNS system?

Domain names are logical, while zones are physical groupings. (C)

How are zones of authority created in the DNS system?

By making cuts between adjacent nodes of the DNS name tree. (C)

What uniquely identifies a zone of authority?

The domain name of the highest level node in the zone. (B)

Which of the following best describes the relationship between zones of authority?

Zones are non-overlapping. (D)

How are zones typically managed in the DNS system?

By one or more pairs of authoritative name servers (primary/secondary). (A)

What is a valid description of the relationship between name servers and zones of authority?

A name server may be authoritative for multiple zones. (D)

What are resource records associated with in the DNS system?

Nodes in the DNS name tree. (B)

According to the provided diagram, which of these represents a delegation between authority zones?

The connection between 'edu' and 'cs'. (D)

What primary security issue prompted the development of DNSsec?

Vulnerabilities allowing for DNS snooping, ID hacking, and cache poisoning. (D)

What is the core function of the RRSIG record in DNSsec?

It provides a digital signature for a set of resource records. (D)

What is the primary function of an NS record in DNS?

To specify the server responsible for a domain or zone. (C)

Which functionality is provided by DNSSEC regarding DNS data?

Data origin authentication. (A)

What is the primary role of the DNSKEY record within DNSsec?

To store a domain's public key for digital signature verification. (A)

What is the purpose of an A record in DNS?

To map a domain name to its IP address. (C)

What is the function of an MX record?

To direct e-mail to the correct mail server. (B)

What is the function of NSEC/NSEC3 records in DNSsec?

To prove that a specific domain or record does not exist. (B)

Which of the following best describes the purpose of the DS record in DNSsec?

Storing a hash value of a public key for verification. (A)

What is the main goal of a standard name resolution?

To determine the IP address for a domain name. (B)

According to the provided text, which year were the first DNSsec standards introduced?

2005 (C)

Which process involves determining the domain name associated with an IP address?

Reverse name resolution. (A)

What is the primary security concept that DNSsec ensures, concerning the received DNS data?

Data origin authentication and data integrity. (A)

What does 'e-mail resolution' in the DNS context primarily determine?

Where to deliver email based on an email address. (C)

What does iterative resolution entail in DNS?

A server that provides only partial information and passes the query on. (B)

What is a key characteristic of recursive resolution?

The server looks for the answer on its own and returns the final response. (D)

What does the Key tag in the RData for DS represent?

The key tag of some DNSKEY RR corresponding to some KSK. (C)

What is the 'Digest type' field in the RData for DS used for?

To identify the algorithm used to construct the digest. (A)

Which of the following is NOT a type of resource record (RR) included in a signed zone?

CNAME RR (C)

What type of key is used to sign authoritative RRsets when signing a zone?

The private key (D)

Where must the DS RR of a zone's validation key be located when linking the zone to a parent zone?

In the parent zone at the delegation point. (C)

What must each owner name in a zone have if it has authoritative data or a delegation point NS RRset?

An NSEC resource record (D)

What is the purpose of including DNSKEY RRs in a signed zone?

To make the zone's public keys available for signature verification. (B)

What is the relationship between a DNSKEY RR and an RRSIG RR?

DNSKEY RRs are used to create the signatures stored in RRSIG RRs (D)

What is the primary purpose of the NSEC record?

To prove the non-existence of a DNS record within a zone (D)

What is a significant side effect of using NSEC records in DNSSEC?

Zone content enumeration by querying for non-existent names (D)

What is the main type of vulnerability introduced by zone enumeration through NSEC records?

Exposure of email addresses for spam and registrant data for WHOIS lookups (A)

What scenario might cause a high cost of maintaining an NSEC RR chain?

Large delegation-centric zones or zones with rapid updates to insecure delegations (B)

What key issue does NSEC3 aim to address that NSEC does not?

Zone enumeration and high costs of delegations to unsigned zones (B)

In an NSEC3 record, what is the purpose of the 'Salt' field?

To provide a random string for the hash function (A)

What does the Opt-Out flag in the NSEC3 record indicate?

Whether NSEC3 is used for all delegations or only secure ones (D)

In the context of DNSSEC, what does 'authenticated DNS response' imply?

The response has a digital signature and is verified from a legitimate source (B)

Flashcards

Zone of authority

A logical grouping of domain names within the DNS name tree.

DNS name tree

A hierarchical structure used to organize domain names on the internet. It consists of a tree-like system with nodes representing domain names.

Authoritative name servers

Servers responsible for providing authoritative information about domain names within a specific zone of authority.

Resource Record (RR)

A specific type of DNS data that stores information about a resource, such as an IP address associated with a domain name.

Resource Records (RR) at each node

Records stored at each node in the DNS name tree, containing information about the domain name and its associated resources.

Root name server

A dedicated server that manages and provides information for the root zone of the DNS name tree.

Delegation between authority zones

The process of transferring information between zones of authority, ensuring consistent data and enabling communication between different parts of the DNS system.

Secondary/slave name server

A DNS name server that provides a copy of the data from a primary server, acting as a backup and ensuring reliability.

NS (Name Server) record

A DNS RR that specifies the name of the authoritative DNS name server for a particular zone.

A (Address) record

A DNS RR that contains a 32-bit IP address. Used for resolving domain names to IP addresses.

MX (Mail Exchanger) record

A DNS RR that specifies the location (device or server) responsible for handling emails.

DNS Name Resolution

The process of finding the IP address associated with a domain name.

Iterative DNS Resolution

A DNS resolution method where the requesting server checks the DNS hierarchy one step at a time until the answer is found.

Recursive DNS Resolution

A DNS resolution method where a specific server handles the entire resolution process, starting from the root.

Reverse Name Resolution

A type of resolution where a domain name is determined from an IP address - the opposite of standard name resolution.

Email resolution

A type of resolution where the recipient's email server is determined from the email address.

Canonical Ordering of DNS Names

The process of arranging DNS names hierarchically according to their labels, treating uppercase letters as lowercase, with the rightmost label being sorted first and continuing towards the left for identical labels. This ensures consistent ordering for DNS operations.

Duplicate RRs in Canonical Form

A protocol error occurs when a DNS server encounters duplicate Resource Records (RRs) within a set while attempting to organize them in canonical order. It forces the server to either treat this as a protocol error or delete duplicate records for accurate calculations.

Canonical Ordering of Resource Records (RRs)

A method for arranging Resource Records (RRs) with the same owner name, class, and type. It treats the RDATA portion as an unsigned octet sequence, prioritizing absence of octets over zero values. Duplicate RRs are handled as protocol errors or removed for error correction.

Left-Justified Unsigned Octet Sequence

A left-justified unsigned octet sequence without any values for non-existent octets, used for sorting purposes. This is a way to represent DNS data in a standard format for efficient comparison and ordering.

RRset (Resource Record Set)

A collection of DNS Resource Records (RRs) related to the same domain name, class, and type. This set of records is sorted according to the canonical RDATA ordering for consistency and accuracy.

What is DNSsec?

DNSsec is an extension of DNS that adds data origin authentication and data integrity protection. This means that a resolver can verify the source of the data and ensure it hasn't been tampered with.

What are some common DNS vulnerabilities?

DNS vulnerabilities like DNS snooping, DNS ID hacking, and DNS cache poisoning exploit DNS's lack of security, allowing attackers to intercept or manipulate DNS data.

What is an RRSIG record?

RRSIG (RR Signature) stores a digital signature for a set of resource records, allowing verification of their authenticity and origin.

What is a DNSKEY record?

DNSKEY (DNS public KEY) stores the public key used to verify the digital signature on RRSIG records.

What is an NSEC/NSEC3 record?

NSEC/NSEC3 (Next SECure) records are used to prove that a specific resource record does not exist. They help prevent attackers from creating fake records.

What is a DS record?

DS (Delegation Signer) records store a cryptographic hash of a public key that is used to verify a zone's signature. It acts as a reference for delegation.

What are the new RR types used in DNSsec?

DNSsec uses four new types of Resource Records (RRs) to ensure data authentication and integrity: RRSIG, DNSKEY, NSEC, and DS.

What led to the development of DNSsec?

After Bellovin's paper exposed serious DNS vulnerabilities, the need for DNSsec (DNS Security Extensions) became critical.

Zone Validation Key (KSK)

A DNSKEY RR that verifies the DNSKEY RRs for a zone and is used to sign the zone.

Key Signing Key (KSK)

A DNSKEY RR that validates a specific DNSKEY RR in a parent zone.

DS Record (DS RR)

A resource record (RR) that contains information about a DNSKEY RR. It includes the key tag, algorithm, and digest type, which are used to verify the DNSKEY RR.

DNSKEY RR (DNSKEY Resource Record)

A resource record (RR) that allows for a zone to be signed. Containing information about the zone's public key, such as the key tag, algorithm, and public key digest. It also includes a signature.

RRSIG RR (RRSIG Resource Record)

A resource record (RR) that validates a specific resource record (RR) within a zone. It contains information about the key used to sign the resource record, the algorithm used, and a signature.

NSEC RR (NSEC Resource Record)

A resource record (RR) that describes the domain name and its associated resources, and is associated with the zone's DNSKEY RR to ensure authenticity.

Zone signing

A process that involves including DNSKEY RRs, RRSIG RRs, NSEC RRs, and optionally DS RRs in a zone to ensure authenticity and integrity.

Zone validation

A process of verifying if data contained within a zone is authentic and intact.

NSEC record

A DNS record that indicates the existence of a particular domain. It ensures that a specific domain name is not used for fraudulent or unauthorized purposes.

Zone enumeration

A technique that exploits the NSEC record to list all domain names in a zone. This can be used for spamming or obtaining registry information.

Authenticated DNS response

A response from a DNS server that verifies the information received is authentic.

DNSsec

A security standard for DNS, allowing for the verification of DNS data and the prevention of spoofing.

DS record

A record type in DNS that provides a digital signature for a specific domain. This confirms the integrity of the domain's data.

NSEC3

A security enhancement for DNS that addresses zone enumeration vulnerabilities and improves the efficiency of delegation.

NSEC record

A record type that lists all the domain names in a zone, sorted alphabetically. It's used for security purposes.

Delegation in DNS

The process of transferring information from a parent zone to a child zone. This ensures that DNS servers know how to reach a specific domain.

Study Notes

Security Extensions for DNS (DNSsec)

• DNSsec is a security extension for the Domain Name System (DNS).
• DNS is a hierarchical and decentralized naming system for internet domains, functioning like a phone book for the Internet.
• Introduced in the early 1980s by Paul V. Mockapetris.
• Formalized with the publication of RFC 882 and RFC 883 in 1983, followed by RFC 1034 and RFC 1035 in 1986.
• DNS has three major components:
  • Domain name space (and resource records), a tree-like structure.
  • Name servers, which hold information about the domain structure.
  • Resolvers, programs that extract information from name servers.
• Zones of authority are used for logical organization of domain names.
• Zones are obtained by dividing DNS name tree nodes into contiguous groups.
• A zone is managed by one or more authoritative name servers.
• Resource Records (RRs) are added, changed, or deleted when DNS information changes.
• Every node in the DNS name tree has associated RRs, depending on the node type.
• RR format includes Name, Type, Class, TTL, RDATA length, and RDATA.
• TTL is time-to-live, used by resolvers for caching RRs.

DNS RR Types

• SOA (Start of Authority) RR:

  • Every zone has one SOA RR.
  • Contains default TTL, primary name server, and administrator email.

• NS (Name Server) RR:

  • Specifies authoritative DNS name servers for the zone.
  • Each zone requires an NS RR that points to its primary name server.

• A (Address) RR:

  • Stores the 32-bit IP address.

• MX (Mail eXchanger) RR:

  • Specifies the location responsible for handling emails.

DNS Resolution

• Standard name resolution: Determines the IP address of a domain name.
• Reverse name resolution: Determines the domain name associated with an IP address.
• Email resolution: Determines where to send emails based on the email address.
• DNS resolution techniques: Iterative and Recursive.

Resolvers and DNS Transport

• Types of resolvers:

  • Full resolver
  • Stub resolver

• DNS Transport:

  • Uses UDP for conventional queries.
  • Uses TCP for zone transfer.

What is DNSSEC?

• DNSSEC (DNS Security Extensions) enhances DNS security.
• Introduced after Bellovin's paper detailing DNS vulnerabilities in 1995, became a critical issue to address.
• DNSsec standards: RFC 4033, 4034, and 4035 (2005).
• DNSSEC adds:
  • Data origin authentication: Verifies data source.
  • Data integrity protection: Checks if data wasn't modified in transit.

DNSSEC Specific Elements

• DNSSEC uses four new RR types:
  • RRSIG (RR Signature): Digital signature over an RRset.
  • DNSKEY: Public key for digital signature verification.
  • NSEC/NSEC3: Used to prove something doesn't exist.
  • DS (Delegation Signer): Hash value of a verification public key.

DNSSEC Signature Algorithms (RFC 8624)

• Various algorithms for signing and verification.
• SHA-256 is a widely used and strong algorithm.
• GOST R 34.11-94 was superseded by GOST R 34.11-2012 in RFC 6986.

Canonical Ordering of DNS Names (RFC 4034)

• Defines a standard way to order DNS names for DNSSEC purposes, treating labels as octet strings, with uppercase letters treated as lowercase.

Canonical RR Ordering in an RRset (RFC 4034)

• RRs with the same owner, class, and type are sorted, treating RDATA as a left-justified octet string.
• Duplicate RRs are handled as protocol errors.

RData for DNSKEY

• Flags: Differentiate key types (e.g., zone signing vs. validation).
• Protocol: Value 3 for valid keys.
• Algorithm: Identifies the public key's algorithm.
• Public key: Holds the public key material.

ZSK vs. KSK

• ZSK (Zone Signing Key): Signs the zone.
• KSK (Key Signing Key): Validates ZSKs and creates a trust chain.
• Flags 7 and 15 (in the byte field of Flags) identify if a key is used for signing or validating ZSKs.

RData for RRSIG

• Original TTL: The TTL of the covered RRset.
• Signer's name: Contains the zone name.
• Key tag: Key tag value from the corresponding DNSKEY validation RR.

RData for NSEC

• Next domain name: The next owner name in the canonical zone ordering for authoritative data.
• Type bit maps: Identifies the RRset types at the NSEC RR's owner name.

RData for DS

• Key tag: Represents the key tag from a DNSKEY RR.
• Algorithm: The algorithm of some DNSKEY RR.
• Digest type: Algorithm used for digest.
• Digest: Digest of the DNSKEY RR.

Zone Signing

• Procedure for adding DNSKEY, RRSIG, NSEC, and DS RRs to a zone while adhering to several rules for generating and verifying keys.
• Zone's admin generates public/private keys.
• Private key is used to sign authoritative RR sets.
• A corresponding DNSKEY RR is included in the zone.
• Zone validation keys (and its verification key) must be signed by a KSK, and its data included in the parent zone at the point of delegation.
• Each owner name requiring authoritative data, or a delegation-point NS RRset, must have an NSEC record.

Resolving and Authenticated DNS Response

• In class, examples using DNSsec_Example1.pdf (for zone signing) and DNSsec_Example2.pdf (for resolving and responses) will be used.

Zone Enumeration

• NSEC RR lists names ordered canonically between two names.
• Complete set of NSEC records lists all names within the zone.
• Querying for non-existent names enumerates the zone content.
• Enumeration used for spam and WHOIS queries.

Delegation to Unsigned Zones

• Cost of secure delegation high due to large zones and rapidly updated insecure delegations.
• Maintaining NSEC RR chains can be extremely expensive.

RData for NSEC3

• Designed to address issues of zone enumeration and secure delegation to unsigned zones.
• Flags include an Opt-Out flag, indicating if the NSEC3 RR applies to all delegations or only secure ones.

Concluding Remarks

• DNSSEC is a critical Internet service.
• ICANN supports DNSSEC deployment through capacity-building programs.
• Only 30% of the world has achieved DNSSEC validation.
• Saudi Arabia, Finland, Iceland, Norway, and Sweden have high validation rates.
• DNSSEC prevents cache poisoning attacks.
• Slow adoption is partly due to lack of knowledge and requirements.