eBook - DNS Fundamentals From a Technical Perspective


Each validating resolver around the world is configured with an initial trust anchor: the public half of the Root KSK. The private Root KSK is used to produce the RRSIG over the root zone's DNSKEY RRset. Because this signing process is so critical to the security of the DNS, no single individual, organization, or nation was trusted to perform the signing. Instead, the signing takes place in person, in an elaborate key signing ceremony.

Interestingly, the KSK itself has stayed the same since it was first used in 2010. The KSK was supposed to be rolled over in October 2017, but the rollover has been postponed because there were indications that a "significant number" of resolvers were not ready. So stay tuned for 2018 updates.

But wait! There's more! Another way in which malicious actors may spoof a zone is to pretend to have access to a host that doesn't exist within a zone. In this scenario, the legitimate response is simply the absence of a record, not an explicit declaration that the record doesn't exist, and that silence has been documented as a method for spoofing. To combat this, NSEC records were created: each one points to the next valid host in the zone, thereby proving that nothing exists in between. The problem is that this makes it possible to walk the zone and learn everything that does exist. While DNS is public information, and private information shouldn't be published in the first place, this worried people enough to create NSEC3 records, which replace the names in the chain with hashes. There is even a proposal for NSEC5, which likely works by wizardry and unicorn dust alone. As we've seen, DNSSEC isn't easy.

Wrapping It Up

This paper's goal was to provide the information needed to help you better understand how all these pieces fit together. If you have questions as you find yourself staring down a long block of DNS, contact Dyn. We will be happy to help.
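To make the NSEC and NSEC3 discussion above concrete, here is an added Python illustration (not code from the eBook or from Dyn) over a small constructed zone: it builds the NSEC chain, finds the record that proves a queried name does not exist, shows how the same chain lets anyone walk the zone, and computes the RFC 5155 NSEC3 hash that replaces readable names with salted, iterated SHA-1 digests.

```python
import base64
import hashlib
# Constructed example zone (not from the eBook): the owner names that exist.
ZONE = ["example.com.", "www.example.com.", "alpha.example.com.", "mail.example.com."]

def canonical_key(name):
    """DNSSEC canonical ordering (RFC 4034 s6.1): labels compared right to left, case-folded."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def nsec_chain(names):
    """Build the NSEC chain: each owner names the next owner; the last one wraps to the apex."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]

def covering_nsec(chain, qname):
    """Return the (owner, next) NSEC pair whose gap covers qname; None if qname exists."""
    q = canonical_key(qname)
    for owner, nxt in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if q == o:
            return None
        if o < q < n or (n <= o and (q > o or q < n)):  # second clause: wrap-around record
            return (owner, nxt)
    return None

def walk_zone(chain):
    """Zone walking: following the next-name pointers from the apex enumerates every name."""
    nxt = dict(chain)
    start = min(nxt, key=canonical_key)
    names, cur = [start], nxt[start]
    while cur != start:
        names.append(cur)
        cur = nxt[cur]
    return names

def base32hex(data):
    """NSEC3 owner names use base32 with the extended-hex alphabet (RFC 4648 s7)."""
    std, hx = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(data).translate(bytes.maketrans(std, hx)).decode().lower()

def nsec3_hash(name, salt=b"", iterations=0):
    """NSEC3 (RFC 5155 s5): SHA-1 over wire-format name plus salt, re-hashed `iterations` times."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)
```

With NSEC3 the chain is sorted by these hashes, so a covering record still proves non-existence but no longer hands out the next readable name.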
If you are interested in reading more, here is a list of all the DNS Requests for Comment (RFC) at the Internet Systems Consortium (ISC), the authors of BIND, the most widely used DNS software on the internet. For DNS terminology specifics, RFC 7719 has the definitive list. And if you're interested in learning more about why it's time to rethink DNS, visit