With DNSSEC (Domain Name System Security Extensions), the authenticity and integrity of data transmitted in the Domain Name System are ensured by securing resource records with digital signatures (not certificates). The procedure, standardized in several RFCs (the core is RFC 4033 to RFC 4035), is based on private and public key pairs for signing and verifying the DNS information. DNSSEC's stated goal is to prevent manipulation of name resolution, for example by cache poisoning, and to close the gap left by unauthenticated DNS transmission.
DNSSEC lets a validating resolver confirm that DNS data has not been manipulated in transit and that it originates from the holder of the zone's private key rather than from a third party. The private key is used to digitally sign the resource records; the recipient verifies the signature with the corresponding public key, which the zone publishes in a DNSKEY record. For the mechanism to work, DNSSEC must be supported by the operator of the zone (signing) and by the resolver that validates the answers. In practice validation is usually done by the recursive resolver on behalf of the requesting client; a stub client that merely trusts the AD bit in the response also needs a trustworthy path to that resolver.
DNSSEC does not encrypt DNS data; queries and responses remain in plaintext. It signs the data, that is the resource records, so that a validator can check that the records were produced by the holder of the zone's signing key, regardless of which server delivered them.
A DNSKEY RR is constructed as follows.
Owner name (label)
The name of the zone to which the key belongs.
Class
Only the class IN (Internet) is permitted.
Type
DNSKEY
Flags
A 16-bit field. Bit 7 (value 256) is the Zone Key flag and must be set for a key that signs zone data; bit 15 (value 1) is the Secure Entry Point (SEP) flag, which marks a key signing key. A zone signing key (ZSK) therefore carries 256 and a key signing key (KSK) 257. Host and user keys existed only in the obsolete KEY record.
Protocol
For DNSKEY this field must always contain 3; a record with any other value is to be treated as invalid (RFC 4034). The values 1 (TLS), 2 (e-mail), 4 (IPsec) and 255 (all) found in older descriptions belong to the obsolete KEY record.
Algorithm
The number of the public-key algorithm, for example 7 for RSASHA1-NSEC3-SHA1, 8 for RSASHA256, 10 for RSASHA512 and 13 for ECDSAP256SHA256. The SHA-1 based algorithms 5 and 7 are no longer recommended for signing (RFC 8624).
Key
The public key, encoded in Base64. Its internal layout depends on the algorithm; for RSA keys RFC 3110 specifies the exponent length, the exponent and then the modulus.
The following example shows the structure of the DNSKEY RR: a ZSK followed by a KSK for the same zone.
example.tld. IN DNSKEY (
256 ; Flags: zone key (ZSK)
3 ; Protocol: always 3
7 ; Algorithm: RSASHA1-NSEC3-SHA1
AwEAAauXGNQMitXTRPKAkme9Gs7MvrHgNeNJ
ddafYO7F5i/TsLre8zitWD/+bJZXx0Vu89QT
jKX9zQwhSRegwFvH4gfe4Hvo0SHt9YsMGwA1
LDW9RfFXDCGWEemDnAxX0NV9330BSYyQ2fVr
PpJoyB+et/BrLi/IzBrrFXB+O24jkBYWTK0k
hA9c1lAk//nWEVstarXZgmz2WlF4//aPUpGq
OnDLjbv1gXo3vUfcSBN2EcAaXAyTSGTaJUA6
I6BEFbN1id2gbFI/RsVa0dYo3imvn46IgroV
mDhx+LbKlMq71GhePyaWzaZX8Bmi8Y9IxlJV
5+UizMqi3ZvO0yn19+nxfb8=
) ; ZSK; alg = NSEC3RSASHA1 ; key id = 40385
example.tld. IN DNSKEY (
257 ; Flags: zone key + SEP (KSK)
3 ; Protocol: always 3
10 ; Algorithm: RSASHA512
AwEAAaoJiFk+Xj+9vRrKq2pdaFkwCKaGy1QN
Mbn/aQYTG5czj9aO/o400mS8YfEMGC3U+AY0
INliajs7sfeVuuFvJYbmkLpJGIbF1/3Tr/8j
zENJSEqxCh6y5iFz7HdgMat8+TekfyaDf30r
eM61l8G1BN3fcaFHf2DRv0+AkD/eY/kdId+n
gvQ1ifzk3tZNxIjeClEdQ7D2OTAazagcDl+v
SKWhzo3iSwyjMnboAo0RdHMKSuxgSDkMOch9
DIih5SVKRZy5zq9kJfuCPpgVAnjjB2oZ0K2r
pKu2FPHhV5zV9T2m2cBwYpldTobuAN8Ouj8m
72y4RdrI5ik1GOA4HzlUg0zKnaLhL1Y+Mxo2
Qz9hJMJ+rKifpcY72e5/FX9addolaqOjBX44
FvHJWaxcAjVVqFfPfgkMLMtcJY0YVMr694rN
ecfAFfVhn8UwQk9epq1xDI3D1pH8/HzmEdM7
lK9FLIx++fDtkpXqV7f5dorwm92kGZpdtZ/L
eCnFGpfLNeu4heQJ587pnwapj/wbNUF4IPuT
kuEpKJReQzWQ0gWp0yU3kDn7vcXD7Eee+3At
oobq6wwOsrkUXl1FVaF3rOm6L82S3dvtB/SS
uHCFjcdy33tlv1nE5cjaBZHRChKTMN4QNqRm
8l1RgnDq/2GvrxmSPXfGKyWmfjvSJot4EX2i
97ER
) ; KSK; alg = RSASHA512 ; key id = 64413
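As an added example (not part of the original text), the following Python parses DNSKEY records in the presentation format shown above, including the multi-line parenthesised form with ';' comments, and derives what a validator cares about: the role from the flags, a check of the protocol field, the algorithm name, the key tag from RFC 4034 Appendix B and, for RSA keys, the RFC 3110 exponent and modulus. The zone fragment in SAMPLE_ZONE is constructed, with deliberately tiny 32-bit moduli so that the numbers can be checked by hand; the class and function names are my own.

```python
"""Parse DNSKEY records in zone-file presentation format and derive the
fields a validator cares about: flags/role, protocol, algorithm, key tag
(RFC 4034 Appendix B) and, for RSA keys, the RFC 3110 exponent/modulus."""
from __future__ import annotations

import base64
import struct
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers (subset). Algorithms 5 and 7 are SHA-1 based
# and listed as NOT RECOMMENDED for signing by RFC 8624.
ALGORITHMS = {
    3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
FLAG_ZONE_KEY = 0x0100  # bit 7: key may sign zone data
FLAG_SEP = 0x0001       # bit 15: Secure Entry Point, set on KSKs


@dataclass
class DNSKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def role(self) -> str:
        if not self.flags & FLAG_ZONE_KEY:
            return "not a zone key"
        return "KSK" if self.flags & FLAG_SEP else "ZSK"

    @property
    def algorithm_name(self) -> str:
        return ALGORITHMS.get(self.algorithm, f"unknown({self.algorithm})")

    def rdata(self) -> bytes:
        # Wire format: flags (16 bit), protocol (8), algorithm (8), key.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (valid for all algorithms except RSAMD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b << 8 if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def rsa_public_numbers(self) -> tuple[int, int]:
        """RFC 3110 layout: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
        key = self.public_key
        if key[0] != 0:
            exp_len, off = key[0], 1
        else:
            exp_len, off = struct.unpack("!H", key[1:3])[0], 3
        exponent = int.from_bytes(key[off:off + exp_len], "big")
        modulus = int.from_bytes(key[off + exp_len:], "big")
        return exponent, modulus

    def problems(self) -> list[str]:
        out = []
        if self.protocol != 3:
            out.append("protocol must be 3 (RFC 4034 2.1.2); record is invalid")
        if not self.flags & FLAG_ZONE_KEY:
            out.append("zone key flag not set; key cannot sign zone data")
        if self.algorithm not in ALGORITHMS:
            out.append("unknown algorithm number")
        elif self.algorithm in (5, 7):
            out.append("SHA-1 based algorithm; not recommended for signing")
        return out


def parse_dnskeys(zone_text: str) -> list[DNSKey]:
    """Split a zone-file fragment into records (honouring ';' comments and
    multi-line parentheses) and parse each IN DNSKEY record."""
    records, cur, depth = [], [], 0
    for raw in zone_text.splitlines():
        body = raw.split(";", 1)[0]
        for tok in body.replace("(", " ( ").replace(")", " ) ").split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                cur.append(tok)
        if depth == 0 and cur:  # a record ends at end of line unless parenthesised
            records.append(cur)
            cur = []
    keys = []
    for tokens in records:
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():  # optional TTL before the class
            rest = rest[1:]
        if rest[:2] != ["IN", "DNSKEY"]:
            raise ValueError(f"not an IN DNSKEY record: {' '.join(tokens)}")
        flags, proto, alg = (int(x) for x in rest[2:5])
        key = base64.b64decode("".join(rest[5:]), validate=True)  # key may span lines
        keys.append(DNSKey(owner, flags, proto, alg, key))
    return keys


# Constructed sample (not real keys): toy RSA keys with 32-bit moduli so the
# key tags are easy to recompute by hand. Real moduli are 2048 bits or more.
SAMPLE_ZONE = """\
example.tld. IN DNSKEY (
    257 ; KSK: zone key + SEP
    3   ; protocol, always 3
    8   ; RSASHA256
    AwEAAavN7xI= ) ; exponent 65537, modulus 0xABCDEF12
example.tld. 3600 IN DNSKEY 256 3 8 AwEAARI0Vng=
"""

if __name__ == "__main__":
    for k in parse_dnskeys(SAMPLE_ZONE):
        e, n = k.rsa_public_numbers()
        print(f"{k.owner} {k.role} alg={k.algorithm_name} tag={k.key_tag()} "
              f"e={e} modulus={n.bit_length()} bits problems={k.problems()}")
```

Fed the two records above (assuming the key material was extracted intact), the parser reports exponent 65537 for both keys, since the shared prefix AwEAAa is the Base64 of the bytes 03 01 00 01, a 256-byte modulus for the ZSK and a 512-byte modulus for the KSK.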