DNSSEC Implementation Quiz

Questions and Answers

According to RFC 4034, how are DNS owner names ordered when implementing DNSSEC?

  • By treating individual labels as unsigned, left-justified octet strings, starting with the rightmost label. (correct)
  • By sorting names based on the number of labels, with shorter names preceding longer ones.
  • By comparing the complete domain name as a single ASCII string, ignoring case.
  • By treating individual labels as signed, right-justified octet strings, starting with the leftmost label.

In DNSSEC's canonical ordering, how is the comparison made when sorting octet strings within domain name labels?

  • The comparison is case-sensitive and compares octet strings lexicographically, ignoring the numerical values.
  • The comparison is done using an unsigned, left-justified method, where the absence of an octet sorts before a zero-value octet. (correct)
  • The comparison is done using a signed, right-justified method, where larger values come before smaller values.
  • The comparison is case-insensitive for the entire label, treating uppercase and lowercase as equal.

When sorting DNS names for DNSSEC, how are uppercase US-ASCII letters treated?

  • They are treated as their corresponding lowercase letters. (correct)
  • They are treated as having a higher precedence than lowercase letters.
  • They are ignored during the sorting process.
  • They are treated as having a lower precedence than lowercase letters.

During canonical RR ordering within an RRset for DNSSEC, what is the primary sorting criterion when RRs have the same owner name, class, and type?

Answer: By the content of the RDATA portion, treated as a left-justified unsigned octet sequence. (B)

What happens if a DNSSEC implementation detects duplicate RRs within an RRset when putting it into canonical form?

Answer: The implementation must treat this as a protocol error or remove all but one of the duplicate RRs. (D)

What is the relationship between domain names and zones in the DNS system?

Answer: Domain names are logical, while zones are physical groupings. (C)

How are zones of authority created in the DNS system?

Answer: By making cuts between adjacent nodes of the DNS name tree. (C)

What uniquely identifies a zone of authority?

Answer: The domain name of the highest level node in the zone. (B)

Which of the following best describes the relationship between zones of authority?

Answer: Zones are non-overlapping. (D)

How are zones typically managed in the DNS system?

Answer: By one or more pairs of authoritative name servers (primary/secondary). (A)

What is a valid description of the relationship between name servers and zones of authority?

Answer: A name server may be authoritative for multiple zones. (D)

What are resource records associated with in the DNS system?

Answer: Nodes in the DNS name tree. (B)

According to the provided diagram, which of these represents a delegation between authority zones?

Answer: The connection between 'edu' and 'cs'. (D)

What primary security issue prompted the development of DNSsec?

Answer: Vulnerabilities allowing for DNS snooping, ID hacking, and cache poisoning. (D)

What is the core function of the RRSIG record in DNSsec?

Answer: It provides a digital signature for a set of resource records. (D)

What is the primary function of an NS record in DNS?

Answer: To specify the server responsible for a domain or zone. (C)

Which functionality is provided by DNSSEC regarding DNS data?

Answer: Data origin authentication. (A)

What is the primary role of the DNSKEY record within DNSsec?

Answer: To store a domain's public key for digital signature verification. (A)

What is the purpose of an A record in DNS?

Answer: To map a domain name to its IP address. (C)

What is the function of an MX record?

Answer: To direct e-mail to the correct mail server. (B)

What is the function of NSEC/NSEC3 records in DNSsec?

Answer: To prove that a specific domain or record does not exist. (B)

Which of the following best describes the purpose of the DS record in DNSsec?

Answer: Storing a hash value of a public key for verification. (A)

What is the main goal of a standard name resolution?

Answer: To determine the IP address for a domain name. (B)

According to the provided text, in which year were the first DNSsec standards introduced?

Answer: 2005 (C)

Which process involves determining the domain name associated with an IP address?

Answer: Reverse name resolution. (A)

What is the primary security concept that DNSsec ensures, concerning the received DNS data?

Answer: Data origin authentication and data integrity. (A)

What does 'e-mail resolution' in the DNS context primarily determine?

Answer: Where to deliver email based on an email address. (C)

What does iterative resolution entail in DNS?

Answer: A server that provides only partial information and passes the query on. (B)

What is a key characteristic of recursive resolution?

Answer: The server looks for the answer on its own and returns the final response. (D)

What does the Key tag in the RData for DS represent?

Answer: The key tag of some DNSKEY RR corresponding to some KSK. (C)

What is the 'Digest type' field in the RData for DS used for?

Answer: To identify the algorithm used to construct the digest. (A)

Which of the following is NOT a type of resource record (RR) included in a signed zone?

Answer: CNAME RR (C)

What type of key is used to sign authoritative RRsets when signing a zone?

Answer: The private key (D)

Where must the DS RR of a zone's validation key be located when linking the zone to a parent zone?

Answer: In the parent zone at the delegation point. (C)

What must each owner name in a zone have if it has authoritative data or a delegation point NS RRset?

Answer: An NSEC resource record (D)

What is the purpose of including DNSKEY RRs in a signed zone?

Answer: To make the zone's public keys available for signature verification. (B)

What is the relationship between a DNSKEY RR and an RRSIG RR?

Answer: DNSKEY RRs are used to create the signatures stored in RRSIG RRs (D)

What is the primary purpose of the NSEC record?

Answer: To prove the non-existence of a DNS record within a zone (D)

What is a significant side effect of using NSEC records in DNSSEC?

Answer: Zone content enumeration by querying for non-existent names (D)

What is the main type of vulnerability introduced by zone enumeration through NSEC records?

Answer: Exposure of email addresses for spam and registrant data for WHOIS lookups (A)

What scenario might cause a high cost of maintaining an NSEC RR chain?

Answer: Large delegation-centric zones or zones with rapid updates to insecure delegations (B)

What key issue does NSEC3 aim to address that NSEC does not?

Answer: Zone enumeration and high costs of delegations to unsigned zones (B)

In an NSEC3 record, what is the purpose of the 'Salt' field?

Answer: To provide a random string for the hash function (A)

What does the Opt-Out flag in the NSEC3 record indicate?

Answer: Whether NSEC3 is used for all delegations or only secure ones (D)

In the context of DNSSEC, what does 'authenticated DNS response' imply?

Answer: The response has a digital signature and is verified from a legitimate source (B)

    Study Notes

    Security Extensions for DNS (DNSsec)

    • DNSsec is a security extension for the Domain Name System (DNS).
    • DNS is a hierarchical and decentralized naming system for internet domains, functioning like a phone book for the Internet.
    • Introduced in the early 1980s by Paul V. Mockapetris.
    • Formalized with the publication of RFC 882 and RFC 883 in 1983, followed by RFC 1034 and RFC 1035 in 1986.
    • DNS has three major components:
      • Domain name space (and resource records), a tree-like structure.
      • Name servers, which hold information about the domain structure.
      • Resolvers, programs that extract information from name servers.
    • Zones of authority are used for logical organization of domain names.
    • Zones are obtained by dividing DNS name tree nodes into contiguous groups.
    • A zone is managed by one or more authoritative name servers.
    • Resource Records (RRs) are added, changed, or deleted when DNS information changes.
    • Every node in the DNS name tree has associated RRs, depending on the node type.
    • RR format includes Name, Type, Class, TTL, RDATA length, and RDATA.
    • TTL is time-to-live, used by resolvers for caching RRs.

    DNS RR Types

    • SOA (Start of Authority) RR:

      • Every zone has one SOA RR.
      • Contains default TTL, primary name server, and administrator email.
    • NS (Name Server) RR:

      • Specifies authoritative DNS name servers for the zone.
      • Each zone requires an NS RR that points to its primary name server.
    • A (Address) RR:

      • Stores a 32-bit IPv4 address.
    • MX (Mail eXchanger) RR:

      • Specifies the location responsible for handling emails.

    DNS Resolution

    • Standard name resolution: Determines the IP address of a domain name.
    • Reverse name resolution: Determines the domain name associated with an IP address.
    • Email resolution: Determines where to send emails based on the email address.
    • DNS resolution techniques: Iterative and Recursive.

    Resolvers and DNS Transport

    • Types of resolvers:

      • Full resolver
      • Stub resolver
    • DNS Transport:

      • Uses UDP for conventional queries.
      • Uses TCP for zone transfer.

    What is DNSSEC?

    • DNSSEC (DNS Security Extensions) enhances DNS security.
    • Introduced after Bellovin's 1995 paper detailing DNS vulnerabilities made DNS security a critical issue to address.
    • DNSsec standards: RFC 4033, 4034, and 4035 (2005).
    • DNSSEC adds:
      • Data origin authentication: Verifies data source.
      • Data integrity protection: Checks if data wasn't modified in transit.

    DNSSEC Specific Elements

    • DNSSEC uses four new RR types:
      • RRSIG (RR Signature): Digital signature over an RRset.
      • DNSKEY: Public key for digital signature verification.
      • NSEC/NSEC3: Used to prove something doesn't exist.
      • DS (Delegation Signer): Hash value of a verification public key.

    DNSSEC Signature Algorithms (RFC 8624)

    • Various algorithms for signing and verification.
    • SHA-256 is a widely used and strong algorithm.
    • GOST R 34.11-94 was superseded by GOST R 34.11-2012 in RFC 6986.

    Canonical Ordering of DNS Names (RFC 4034)

    • Defines a standard way to order DNS names for DNSSEC purposes, treating labels as octet strings, with uppercase letters treated as lowercase.

    Canonical RR Ordering in an RRset (RFC 4034)

    • RRs with the same owner, class, and type are sorted, treating RDATA as a left-justified octet string.
    • Duplicate RRs are handled as protocol errors.

    RData for DNSKEY

    • Flags: Differentiate key types (e.g., zone signing vs. validation).
    • Protocol: Value 3 for valid keys.
    • Algorithm: Identifies the public key's algorithm.
    • Public key: Holds the public key material.

    ZSK vs. KSK

    • ZSK (Zone Signing Key): Signs the zone.
    • KSK (Key Signing Key): Validates ZSKs and creates a trust chain.
    • Bits 7 and 15 of the Flags field indicate whether a key signs the zone (ZSK) or validates ZSKs (KSK).

    RData for RRSIG

    • Original TTL: The TTL of the covered RRset.
    • Signer's name: Contains the zone name.
    • Key tag: Key tag value from the corresponding DNSKEY validation RR.

    RData for NSEC

    • Next domain name: The next owner name in the canonical zone ordering for authoritative data.
    • Type bit maps: Identifies the RRset types at the NSEC RR's owner name.

    RData for DS

    • Key tag: Represents the key tag from a DNSKEY RR.
    • Algorithm: The algorithm of some DNSKEY RR.
    • Digest type: Algorithm used for digest.
    • Digest: Digest of the DNSKEY RR.

    Zone Signing

    • Procedure for adding DNSKEY, RRSIG, NSEC, and DS RRs to a zone while adhering to several rules for generating and verifying keys.
    • Zone's admin generates public/private keys.
    • Private key is used to sign authoritative RR sets.
    • A corresponding DNSKEY RR is included in the zone.
    • The zone's validation key (its verification public key) must be signed by a KSK, and a DS RR for that key must be included in the parent zone at the delegation point.
    • Each owner name requiring authoritative data, or a delegation-point NS RRset, must have an NSEC record.

    Resolving and Authenticated DNS Response

    • In class, examples using DNSsec_Example1.pdf (for zone signing) and DNSsec_Example2.pdf (for resolving and responses) will be used.

    Zone Enumeration

    • Each NSEC RR covers the span between two consecutive names in canonical zone order.
    • Complete set of NSEC records lists all names within the zone.
    • Querying for non-existent names enumerates the zone content.
    • Enumerated names can be abused for spam and WHOIS harvesting.

    Delegation to Unsigned Zones

    • The cost of secure delegation is high in large delegation-centric zones and in zones whose insecure delegations are updated rapidly.
    • Maintaining NSEC RR chains can be extremely expensive.

    RData for NSEC3

    • Designed to address issues of zone enumeration and secure delegation to unsigned zones.
    • Flags include an Opt-Out flag, indicating if the NSEC3 RR applies to all delegations or only secure ones.

    Concluding Remarks

    • DNSSEC is a critical Internet service.
    • ICANN supports DNSSEC deployment through capacity-building programs.
    • Only 30% of the world has achieved DNSSEC validation.
    • Saudi Arabia, Finland, Iceland, Norway, and Sweden have high validation rates.
    • DNSSEC prevents cache poisoning attacks.
    • Slow adoption is partly due to lack of knowledge and requirements.

    Description

    Test your knowledge on DNSSEC and its implementation according to RFC 4034. This quiz covers topics such as canonical ordering, zone management, and the relationship between domain names and zones. Perfect for students and professionals looking to deepen their understanding of DNS security mechanisms.