DNSSEC (Domain Name System Security Extensions) is intended to ensure the authenticity and integrity of the data transmitted in the Domain Name System by securing resource records with digital signatures. The procedure, standardized in several RFCs, is based on private and public keys for signing and verifying the DNS information. DNSSEC's stated goal is to prevent manipulation of name resolution and to close the gap left by unprotected DNS transmission.
DNSSEC ensures that the DNS data has not been manipulated and does not come from any other source. The private keys are used to digitally sign the resource records; the recipients of the data can then verify the signature with the public key. For the security mechanisms of the Domain Name System Security Extensions to work, DNSSEC must be supported both by the provider of the DNS information and by the requesting client system.
DNSSEC does not encrypt DNS data; the records are still transmitted in plaintext. Instead, the data, such as resource records, is signed, which ensures that the DNS data comes from the DNS server to which the key belongs.
A DNSKEY RR is constructed from the following fields:
Owner name: the name of the owner of the key.
Class: only the "IN" class is permitted.
Flags: additional information about the key type, such as host, zone or key signing key. DNSKEY uses 256 for a zone key and 257 for a key signing key.
Protocol: the values 1 (TLS), 2 (e-mail), 3 (DNSSEC), 4 (IPsec) and 255 (all) are defined.
The following example shows the structure of a DNSKEY RR.
example.tld. IN DNSKEY (
    256                  ; flags: zone key (ZSK)
    3                    ; protocol: DNSSEC
    7                    ; algorithm: RSASHA1-NSEC3-SHA1
    <base64 public key>  ; placeholder: the key material is not shown here
    ) ; ZSK; alg = NSEC3RSASHA1 ; key id = 40385

example.tld. IN DNSKEY (
    257                  ; flags: key signing key (KSK)
    3                    ; protocol: DNSSEC
    10                   ; algorithm: RSASHA512
    <base64 public key>  ; placeholder: the key material is not shown here
    ) ; KSK; alg = RSASHA512 ; key id = 64413
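The following Python script is an added example, not code from the original page. It parses DNSKEY records written in the zone-file presentation format used above (including the parenthesised multi-line form with ";" comments), decodes the flags into the ZSK/KSK role, maps the algorithm number to its IANA name, and computes the key tag that appears as "key id" in the comments, using the checksum defined in RFC 4034 Appendix B. It also reports what a validating resolver would reject: a protocol field other than 3 (RFC 4034 requires 3 for DNSKEY), a clear Zone Key flag, or a SHA-1 based algorithm (NOT RECOMMENDED for signing by RFC 8624). The sample zone text and its base64 "keys" are constructed dummy bytes, chosen so the key tags can be checked by hand; they are not real key material.

```python
"""Parse DNSKEY resource records in zone-file presentation format.

Added example, not code from the original page. The sample zone text at the
bottom is constructed and its base64 "keys" are dummy bytes, not real keys.
"""
import base64
import struct

# IANA DNS Security Algorithm Numbers (subset in current use)
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

FLAG_ZONE_KEY = 0x0100  # bit 7: key signs zone data (set in both 256 and 257)
FLAG_SEP = 0x0001       # bit 15: Secure Entry Point, set on the KSK (257)


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def split_records(zone_text):
    """Group lines into records, honouring multi-line '( ... )' continuation."""
    records, buf, depth = [], [], 0
    for line in zone_text.splitlines():
        body = line.split(";", 1)[0]          # drop the ';' comment
        if not body.strip() and depth == 0:
            continue
        buf.append(body)
        depth += body.count("(") - body.count(")")
        if depth == 0:
            records.append(" ".join(buf))
            buf = []
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone text")
    return records


def parse_dnskey(record_text):
    """Parse one record: owner [TTL] [IN] DNSKEY flags protocol algorithm key."""
    tokens = record_text.replace("(", " ").replace(")", " ").split()
    owner, rest = tokens[0], tokens[1:]
    ttl = None
    if rest and rest[0].isdigit():            # optional TTL
        ttl, rest = int(rest[0]), rest[1:]
    if rest and rest[0].upper() != "DNSKEY":  # optional class, only IN is defined
        if rest[0].upper() != "IN":
            raise ValueError(f"unsupported class {rest[0]!r}")
        rest = rest[1:]
    if not rest or rest[0].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    flags, protocol, algorithm = (int(t) for t in rest[1:4])
    pubkey = base64.b64decode("".join(rest[4:]))  # key may span several tokens
    return {
        "owner": owner,
        "ttl": ttl,
        "flags": flags,
        "protocol": protocol,
        "algorithm": algorithm,
        "algorithm_name": ALGORITHMS.get(algorithm, f"unassigned({algorithm})"),
        "role": "KSK" if flags & FLAG_SEP else "ZSK",
        "key_tag": key_tag(flags, protocol, algorithm, pubkey),
    }


def check_dnskey(rec):
    """Return the reasons a validating resolver would not use this key."""
    problems = []
    if rec["protocol"] != 3:
        problems.append("protocol field must be 3 (RFC 4034 section 2.1.2)")
    if not rec["flags"] & FLAG_ZONE_KEY:
        problems.append("Zone Key flag (bit 7) clear: not a DNSSEC zone key")
    if rec["algorithm"] not in ALGORITHMS:
        problems.append(f"unknown algorithm number {rec['algorithm']}")
    elif rec["algorithm"] in (5, 7):
        problems.append("SHA-1 based algorithm: NOT RECOMMENDED for signing (RFC 8624)")
    return problems


def parse_zone(zone_text):
    return [parse_dnskey(r) for r in split_records(zone_text)]


# Constructed sample in the same layout as the page's example; dummy key bytes.
SAMPLE_ZONE = """\
example.tld. IN DNSKEY (
        257 ; KSK: Zone Key + SEP flags
        3   ; protocol, always 3
        8   ; RSASHA256
        AAECAwQFBgc=  ; dummy key: bytes 00 01 02 03 04 05 06 07
        ) ; key id = 4121
example.tld. IN DNSKEY 256 3 13 AQIDBA== ; ZSK, dummy key: bytes 01 02 03 04
"""

if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE):
        print(f"{rec['owner']} {rec['role']} alg={rec['algorithm_name']} "
              f"key tag={rec['key_tag']} problems={check_dnskey(rec) or 'none'}")
```

Recomputing the key tag from the record is a cheap consistency check when comparing a published DNSKEY against the DS record in the parent zone or against a signing tool's "key id" comment, since both derive from the same RDATA.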