CISSP PRACTICE QUESTIONS – 20210809

Effective CISSP Questions

The DNS Security Extensions (DNSSEC) are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. Which of the following statements about DNSSEC is correct? (Wentz QOTD)
A. DNSSEC enabled queries and responses are protected by secret-key cryptography.
B. DNSSEC enabled queries and responses are encrypted by private-key cryptography.
C. DNSSEC enabled queries and responses are not encrypted.
D. DNSSEC enabled queries and responses are protected from eavesdropping attacks.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. DNSSEC enabled queries and responses are not encrypted.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

DNSSEC Resource Records
DNSSEC Resource Records (Source: InfoBlox)

DNSSEC ensures the integrity and origin authenticity of DNS data using digital signatures, while DNS over HTTPS (DoH) or DNS over TLS (DoT) protects its confidentiality.

The following are some of the most crucial DNSSEC resource records (RR):

  • DS (Delegation Signer)
  • DNSKEY (DNS Public Key)
  • RRSIG (Resource Record Signature)

DS (Delegation Signer)

A DS RR contains a hash of a child zone’s KSK and can be used as a trust anchor in some security-aware resolvers and to create a secure delegation point for a signed subzone in DNS servers. As illustrated in Figure 22.1, the DS RR in the parent zone corpxyz.com contains a hash of the KSK of the child zone sales.corpxyz.com, which in turn has a DS record that contains a hash of the KSK of its child zone, nw.sales.corpxyz.com.

Source: InfoBlox

DNSKEY (DNS Public Key)

When an authoritative name server digitally signs a zone, it typically generates two key pairs, a zone-signing key (ZSK) pair and a key-signing key (KSK) pair.

The name server uses the private key of the ZSK pair to sign each RRset in a zone. (An RRset is a group of resource records that are of the same owner, class, and type.) It stores the public key of the ZSK pair in a DNSKEY record.

The name server then uses the private key of the KSK pair to sign all DNSKEY records, including its own, and stores the corresponding public key in another DNSKEY record.

As a result, a zone typically has two DNSKEY records: a DNSKEY record that holds the public key of the ZSK pair, and another DNSKEY record for the public key of the KSK pair.

Source: InfoBlox

RRSIG (Resource Record Signature)

A signed zone has multiple RRsets, one for each record type and owner name. (The owner is the domain name of the RRset.) When an authoritative name server uses the private key of the ZSK pair to sign each RRset in a zone, the digital signature on each RRset is stored in an RRSIG record. Therefore, a signed zone contains an RRSIG record for each RRset.

Source: InfoBlox
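To make the three records and their relationships concrete, here is an added example written for this page (not InfoBlox's code and not the author's). It models a signed parent zone corpxyz.com and child zone sales.corpxyz.com as in the figure above, then validates the chain the way a security-aware resolver does: trusted DS digest, matching KSK, KSK signature over the DNSKEY RRset, ZSK signature over the requested RRset. Signatures use Ed25519 from Go's standard library (DNSSEC algorithm 15); the RDATA text formats, the canonical form and the DS digest input are simplified stand-ins for the RFC 4034 wire formats, and every key and record is constructed fresh on each run.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

type RR struct{ Owner, Type, Data string } // one resource record; Data is the RDATA in presentation form

type Zone struct { // what a signed zone publishes: RRsets (DNSKEY RRset included) and one RRSIG per RRset
	Name   string
	RRsets map[string][]RR   // keyed by setKey(owner, type)
	RRSIG  map[string][]byte // signature field of the RRSIG record covering that RRset
}

func setKey(owner, rtype string) string { return strings.ToLower(owner) + "/" + rtype }

// canonical serialises an RRset order-independently (a simplified RFC 4034 canonical form).
func canonical(rrs []RR) []byte {
	lines := make([]string, len(rrs))
	for i, rr := range rrs {
		lines[i] = strings.ToLower(rr.Owner) + " " + rr.Type + " " + rr.Data
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// dsDigest builds DS RDATA: SHA-256 (digest type 2) over the child's owner name and its KSK DNSKEY RDATA.
func dsDigest(owner, dnskeyRdata string) string {
	h := sha256.Sum256([]byte(strings.ToLower(owner) + dnskeyRdata))
	return "2 " + hex.EncodeToString(h[:])
}

// SignZone makes a KSK and a ZSK pair, publishes both public keys as DNSKEY records (flags 257 = KSK,
// 256 = ZSK), signs every RRset with the ZSK and signs the DNSKEY RRset itself with the KSK.
func SignZone(name string, rrs []RR) *Zone {
	kskPub, kskPriv, _ := ed25519.GenerateKey(nil) // nil = crypto/rand, which from Go 1.24 cannot fail
	zskPub, zskPriv, _ := ed25519.GenerateKey(nil)
	z := &Zone{Name: name, RRsets: map[string][]RR{}, RRSIG: map[string][]byte{}}
	dnskeys := []RR{{name, "DNSKEY", "257 " + hex.EncodeToString(kskPub)}, // KSK first; DS() relies on it
		{name, "DNSKEY", "256 " + hex.EncodeToString(zskPub)}}
	for _, rr := range append(dnskeys, rrs...) {
		k := setKey(rr.Owner, rr.Type)
		z.RRsets[k] = append(z.RRsets[k], rr)
	}
	for k, set := range z.RRsets {
		key := zskPriv
		if k == setKey(name, "DNSKEY") {
			key = kskPriv // the KSK signs only the DNSKEY RRset
		}
		z.RRSIG[k] = ed25519.Sign(key, canonical(set))
	}
	return z
}

func (z *Zone) DS() RR { // the record a parent zone publishes to delegate to this zone
	return RR{z.Name, "DS", dsDigest(z.Name, z.RRsets[setKey(z.Name, "DNSKEY")][0].Data)}
}

// Validate is the resolver side: accept only a KSK whose digest matches the trusted DS, verify its
// signature over the DNSKEY RRset, then the ZSK's RRSIG over the requested RRset. Nothing is decrypted.
func Validate(z *Zone, trustedDS RR, owner, rtype string) error {
	dk, keys := setKey(z.Name, "DNSKEY"), map[string]ed25519.PublicKey{}
	for _, rr := range z.RRsets[dk] {
		flags, keyHex, _ := strings.Cut(rr.Data, " ")
		if key, err := hex.DecodeString(keyHex); err == nil && len(key) == ed25519.PublicKeySize {
			keys[flags] = key // flags -> public key; malformed DNSKEYs are ignored
		}
	}
	ksk, zsk := keys["257"], keys["256"]
	if ksk == nil || zsk == nil || dsDigest(z.Name, "257 "+hex.EncodeToString(ksk)) != trustedDS.Data {
		return fmt.Errorf("%s: KSK does not match the trusted DS, or a key is missing", z.Name)
	}
	if !ed25519.Verify(ksk, canonical(z.RRsets[dk]), z.RRSIG[dk]) {
		return fmt.Errorf("%s: KSK signature over the DNSKEY RRset does not verify", z.Name)
	}
	k := setKey(owner, rtype)
	if !ed25519.Verify(zsk, canonical(z.RRsets[k]), z.RRSIG[k]) {
		return fmt.Errorf("%s: RRSIG over %s does not verify (modified or forged)", z.Name, k)
	}
	return nil
}

// ValidateChain follows the figure: the anchor validates the parent, whose signed DS RRset anchors the child.
func ValidateChain(parent, child *Zone, anchor RR, owner, rtype string) error {
	if err := Validate(parent, anchor, child.Name, "DS"); err != nil {
		return err
	}
	return Validate(child, parent.RRsets[setKey(child.Name, "DS")][0], owner, rtype)
}

func main() { // constructed zones named as in the figure; 192.0.2.0/24 is a documentation prefix
	child := SignZone("sales.corpxyz.com", []RR{{"www.sales.corpxyz.com", "A", "192.0.2.10"}})
	parent := SignZone("corpxyz.com", []RR{child.DS()})
	fmt.Println(ValidateChain(parent, child, parent.DS(), "www.sales.corpxyz.com", "A")) // <nil> means valid
}
```

Two things to notice when running it. The A record's address stays readable in the zone data throughout: DNSSEC adds an RRSIG beside the RRset, it does not encrypt anything, which is why option C is the correct answer. And the chain fails at the link that was broken: a DS digest that does not match the KSK, a substituted DNSKEY that no longer verifies under the KSK, or modified RRset data that no longer verifies under the ZSK each produce a distinct error.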

The DNS Security Extensions (DNSSEC) are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. Which of the following statements about DNSSEC is correct? (Wentz QOTD)
A. DNSSEC-enabled queries and responses are protected by secret-key encryption.
B. DNSSEC-enabled queries and responses are encrypted with private-key encryption.
C. DNSSEC-enabled queries and responses are not encrypted.
D. DNSSEC-enabled queries and responses are protected from eavesdropping attacks.

