The DNS Security Extensions (DNSSEC) are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. Which of the following statements about DNSSEC is correct? (Wentz QOTD)
A. DNSSEC-enabled queries and responses are protected by secret-key cryptography.
B. DNSSEC-enabled queries and responses are encrypted by private-key cryptography.
C. DNSSEC-enabled queries and responses are not encrypted.
D. DNSSEC-enabled queries and responses are protected from eavesdropping attacks.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. DNSSEC-enabled queries and responses are not encrypted.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
DNSSEC ensures the origin authenticity and integrity of DNS data using digital signatures; the signed records, and the queries and responses that carry them, still travel in cleartext. Confidentiality is provided separately by DNS over HTTPS (DoH) or DNS over TLS (DoT), which encrypt the transport between the client and the resolver.
The following are some of the most crucial DNSSEC resource records (RR):
- DS (Delegation Signer)
- DNSKEY (DNS Public Key)
- RRSIG (Resource Record Signature)
DS (Delegation Signer)
A DS RR contains a hash of a child zone’s KSK and can be used as a trust anchor in some security-aware resolvers and to create a secure delegation point for a signed subzone in DNS servers. As illustrated in Figure 22.1, the DS RR in the parent zone corpxyz.com contains a hash of the KSK of the child zone sales.corpxyz.com, which in turn has a DS record that contains a hash of the KSK of its child zone, nw.sales.corpxyz.com.
DNSKEY (DNS Public Key)
When an authoritative name server digitally signs a zone, it typically generates two key pairs, a zone-signing key (ZSK) pair and a key-signing key (KSK) pair.
The name server uses the private key of the ZSK pair to sign each RRset in a zone. (An RRset is a group of resource records that are of the same owner, class, and type.) It stores the public key of the ZSK pair in a DNSKEY record.
The name server then uses the private key of the KSK pair to sign all DNSKEY records, including its own, and stores the corresponding public key in another DNSKEY record.
As a result, a zone typically has two DNSKEY records: one that holds the public key of the ZSK pair, and another for the public key of the KSK pair.
RRSIG (Resource Record Signature)
A signed zone has multiple RRsets, one for each record type and owner name. (The owner is the domain name of the RRset.) When an authoritative name server uses the private key of the ZSK pair to sign each RRset in a zone, the digital signature on each RRset is stored in an RRSIG record. Therefore, a signed zone contains an RRSIG record for each RRset.
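How the three records fit together, as an added worked example (not code from the original post or from Wentz's book): a small Go program that signs a zone and then validates it the way a security-aware resolver would. It borrows the zone name sales.corpxyz.com from the Figure 22.1 description, uses placeholder addresses, and assumes Ed25519 (DNSSEC algorithm 15) for both key pairs; the RRset canonical form is simplified (no class, TTL or RRSIG RDATA prefix), while the DNSKEY RDATA layout and the SHA-256 DS digest follow RFC 4034 and RFC 4509. The ZSK private key signs the A RRset (producing its RRSIG), the KSK private key signs the DNSKEY RRset, and the DS digest of the KSK is what the parent zone corpxyz.com would publish.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// DNSKEY RDATA constants: flags 256 = Zone Key (ZSK), 257 = Zone Key + SEP (KSK), protocol 3 (RFC 4034); algorithm 15 = Ed25519 (RFC 8080).
const flagsZSK, flagsKSK, protoDNSSEC, algEd25519 = 256, 257, 3, 15

// dnskey is one DNSKEY record: owner name plus the RDATA fields a resolver needs.
type dnskey struct {
	Owner string
	Flags uint16
	Pub   ed25519.PublicKey
}

// rdata is the DNSKEY RDATA in wire format: flags, protocol, algorithm, public key.
func (k dnskey) rdata() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), protoDNSSEC, algEd25519}, k.Pub...)
}

// wireName encodes a lower-cased domain name as length-prefixed labels ending in a zero byte.
func wireName(name string) (out []byte) {
	for _, l := range strings.Split(strings.Trim(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}

// dsDigest is the DS digest the parent publishes for the child's KSK (digest type 2, RFC 4509): SHA-256(owner wire name || DNSKEY RDATA).
func dsDigest(k dnskey) []byte {
	sum := sha256.Sum256(append(wireName(k.Owner), k.rdata()...))
	return sum[:]
}

// rrsetToSign is the byte string an RRSIG covers for one RRset (same owner and type), records in
// canonical sorted order. Simplified from RFC 4034 section 3.1.8.1: class, TTL and RRSIG prefix omitted.
func rrsetToSign(owner, rtype string, records []string) []byte {
	recs := append([]string(nil), records...)
	sort.Strings(recs)
	return append(wireName(owner), rtype+"\x00"+strings.Join(recs, "\x00")...)
}

// zone is what a signed zone serves: plaintext records plus the RRSIGs that cover them.
type zone struct {
	Name          string
	Keys          []dnskey // the DNSKEY RRset: KSK and ZSK public keys
	A             []string // the A RRset at the zone apex: plaintext addresses
	KeysSig, ASig []byte   // RRSIG over DNSKEY (made with the KSK) and over A (made with the ZSK)
}

// keysToSign renders the DNSKEY RRset (hex RDATA per key) as the bytes the KSK signs.
func (z zone) keysToSign() []byte {
	var recs []string
	for _, k := range z.Keys {
		recs = append(recs, fmt.Sprintf("%x", k.rdata()))
	}
	return rrsetToSign(z.Name, "DNSKEY", recs)
}

// signZone generates a KSK and a ZSK, signs A with the ZSK and DNSKEY with the KSK, and returns the zone plus the DS digest for the parent.
func signZone(name string, addrs []string) (zone, []byte) {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	z := zone{Name: name, Keys: []dnskey{{name, flagsKSK, kskPub}, {name, flagsZSK, zskPub}}, A: addrs}
	z.KeysSig = ed25519.Sign(kskPriv, z.keysToSign())
	z.ASig = ed25519.Sign(zskPriv, rrsetToSign(name, "A", addrs))
	return z, dsDigest(z.Keys[0])
}

// validate walks the chain of trust as a security-aware resolver does: a KSK in the DNSKEY RRset must
// match the parent's DS and sign that RRset, then some key in the set must sign the A RRset.
// Nothing is decrypted at any step; DNSSEC only proves that the plaintext records are authentic.
func validate(z zone, parentDS []byte) error {
	keysSigned, trusted := z.keysToSign(), false
	for _, k := range z.Keys {
		trusted = trusted || (k.Flags == flagsKSK && string(dsDigest(k)) == string(parentDS) && ed25519.Verify(k.Pub, keysSigned, z.KeysSig))
	}
	if !trusted {
		return fmt.Errorf("no KSK matches the parent's DS and signs the DNSKEY RRset")
	}
	for _, k := range z.Keys {
		if ed25519.Verify(k.Pub, rrsetToSign(z.Name, "A", z.A), z.ASig) {
			return nil
		}
	}
	return fmt.Errorf("no DNSKEY verifies the RRSIG over the A RRset")
}

func main() {
	z, ds := signZone("sales.corpxyz.com", []string{"192.0.2.10", "192.0.2.11"}) // constructed sample zone, placeholder data
	fmt.Printf("DS for corpxyz.com: %x\nintact: %v, A records readable: %v\n", ds, validate(z, ds), z.A)
	z.A[0] = "198.51.100.99" // a forged answer no longer matches its RRSIG
	fmt.Println("tampered:", validate(z, ds))
}
```

Running it prints the DS digest the parent would hold, reports the intact zone as valid while the A records remain readable in the clear, and then rejects the zone once an address is altered: the RRSIG exposes the modification, but nothing along the way was ever encrypted, which is the distinction behind option C. The same validation also fails if the parent's DS points at a different KSK or if a key is swapped into the DNSKEY RRset without the KSK re-signing it.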
- DNSSEC – A Review
- DNSSEC – What Is It and Why Is It Important?
- Domain Name System Security Extensions
- How DNSSEC Works
- DNSSEC: How It Works & Key Considerations
- RFC 4033: DNS Security Introduction and Requirements
- RFC 4034: Resource Records for the DNS Security Extensions
- RFC 4035: Protocol Modifications for the DNS Security Extensions
- DNS over HTTPS
- How to configure DoT/DoH
- DNSKEY Resource Records
The DNS Security Extensions (DNSSEC) are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. Which of the following statements about DNSSEC is correct? (Wentz QOTD)