


Simple DNS Plus key verification

Similar to digital signatures for e-mail, DNSSEC authenticates that DNS records originate from an authorized sender (DNS server) using private/public key cryptography.

The main purpose of this is to protect DNS against falsified information (DNS spoofing).

DNSSEC does NOT encrypt or hide anything - all data is still in "clear text". Its only purpose is verification of data authenticity.

When a zone is DNSSEC signed, a number of DNS records are added to the zone (indeed DNSSEC signing a zone can make it many times larger).

First, a DNSKEY-record is added for each key used to sign the zone. DNSKEY-records hold the public keys that clients can use to verify signatures.

Next, an NSEC-record or NSEC3-record is added for each unique record name in the zone (plus a single NSEC3PARAM-record if using NSEC3). Each NSEC/NSEC3 record lists all the record types that exist for the name that it represents, and points to the next record name in the zone, forming a chain between all existing names in the zone. These (signed) NSEC/NSEC3 records are returned in responses to DNSSEC-enabled queries (DO flag set) for non-existing names/types, so that clients can verify the non-existence.

Finally, all the DNS records in the zone (including the DNSKEY and NSEC/NSEC3 records) are signed by adding an RRSIG-record for every unique record name and type combination in the zone. RRSIG-records for the records they sign are returned in responses to DNSSEC-enabled queries.

There are no 3rd party certification authorities involved with DNSSEC - you create your own keys (or private/public key sets) - see the DNSSEC Keys dialog.

In order to establish a "link of trust" so that other Internet users can verify your keys and signatures, you create a DS-record (delegation signature) containing a cryptographic hash of one of your KSK (see key types below) DNSKEY-records (see the "DS Records" button in the DNSSEC Keys dialog).
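The following is an added example, not code from Simple DNS Plus, showing the pieces the text describes on constructed data: the key tag and DS digest a resolver derives from a KSK DNSKEY record (RFC 4034 Appendix B and section 5.1.4, digest type 2 = SHA-256), the canonical ordering that decides which name each NSEC record points to (RFC 4034 section 6.1), and the lookup a validator performs to find the NSEC record that proves a name does not exist. The zone names, flags and the two-byte "public key" are made-up inputs; everything else is standard-library Python.

```python
"""Added example (not Simple DNS Plus code): DS/key-tag derivation and the NSEC
chain of a signed zone, computed over constructed sample data."""
import hashlib


def wire_name(name):
    """Canonical owner name: lower-cased, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: the 16-bit checksum of the DNSKEY RDATA carried in the DS
    record so a validator can pick the right key (it is not a hash)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """RFC 4034 section 5.1.4 with digest type 2: SHA-256(canonical owner | DNSKEY RDATA).
    This is the hash of the KSK DNSKEY that the parent zone publishes in the DS record."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left, case-insensitively."""
    return tuple(reversed([l for l in name.lower().rstrip(".").split(".") if l]))


def nsec_chain(apex, names):
    """{owner: next owner} in canonical order; the last NSEC wraps around to the apex."""
    ordered = sorted(set(names) | {apex}, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def covering_nsec(chain, qname):
    """Owner of the NSEC whose span (owner, next) covers qname, i.e. the record a
    validator needs to prove the name does not exist. None if the name exists
    (non-existence of a *type* at an existing name is proven by that name's own
    NSEC type bitmap instead)."""
    q = canonical_key(qname)
    for owner, nxt in chain.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        if q == o:
            return None
        if n <= o:                      # wrap-around record: covers everything after owner
            if q > o or q < n:
                return owner
        elif o < q < n:
            return owner
    return None


# Constructed sample: a KSK (flags 257 = ZONE + SEP) with a placeholder 2-byte key.
SAMPLE_KSK = dnskey_rdata(257, 8, b"\x01\x02")
SAMPLE_ZONE = nsec_chain("example.com", ["www.example.com", "mail.example.com",
                                         "a.www.example.com"])

if __name__ == "__main__":
    print("key tag:", key_tag(SAMPLE_KSK))
    print("DS digest:", ds_digest("example.com", SAMPLE_KSK))
    for owner, nxt in SAMPLE_ZONE.items():
        print(f"{owner} NSEC {nxt}")
    print("NSEC proving ftp.example.com is absent:", covering_nsec(SAMPLE_ZONE, "ftp.example.com"))
```

The chain shows why signing enlarges a zone: every existing name gets an NSEC record, and each of those (like every other name/type pair) also gets an RRSIG. Note that `covering_nsec` only locates the record; a real validator must also check that record's RRSIG against a DNSKEY whose DS digest matches the parent's DS record before trusting the non-existence proof.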
