
I want to know the purpose of DNSSEC, what problem does it really try to solve? I think DNSSEC can easily be spoofed by inserting a non-DNSSEC DNS server into the network that serves a non-DNSSEC copy of the zone. But maybe that is not the problem that DNSSEC tries to solve?

With DNSSEC, DNS servers use public/private key encryption to sign and check each other's zones. This may help for instance against DNS cache poisoning. Data gets added to the cache only after the signature of the DNS response is checked.

Nice.

But how do clients verify they are using DNS secured by DNSSEC? If you try to prevent DNS cache poisoning but not DNS server insertion, is DNSSEC even worth the trouble?

I have a domain that is fully protected by DNSSEC according to https://dnssec-analyzer.verisignlabs.com/. In my company DNS (or restaurant wifi) I added a copy of this domain (or 'zone') to the network DNS server. This local DNS zone is NOT using DNSSEC. The clients in the company network (or restaurant wifi) are instructed to use the company DNS by the company DHCP server. Now if I change records in the copied zone on the company DNS, the clients simply follow these changes without warnings or complaints. The end users may believe they are safe because they have read in the documentation that my zone is protected by DNSSEC, but in reality they are using a spoofed zone on my company network (or the restaurant wifi) and they are not protected at all?

anneb
    This question is better suited for [security.se]. – Gerald Schneider Nov 27 '20 at 14:26
  • That would be a poor implementation of DNSSEC. – Greg Askew Nov 27 '20 at 15:41
  • "secured" is not the right word, as there is no encryption required. Unlike HSTS, where you visit the site once or you request an HSTS preload for Chrome (which would eventually be included in the browser, knowing that a specific site is expected to ALWAYS use HTTPS), DNS does not have this (yet), nor would it be provided by DNSSEC. DNSSEC is only to sign, to ensure the record you receive is not manipulated, but your resolver still needs to know it's supposed to be signed (provided by the upstream root server, for .com or whomever). – Jacob Evans Nov 27 '20 at 16:30

1 Answer


DNSSEC allows you to ensure that the DNS data that you receive is unchanged compared to what the domain owner published (for signed zones). This validation can be done at any stage in the querying path.

For this to work from the client point of view, you would ideally validate locally (not that common today but far from unheard of) or have a secure network path that can bridge the gap to a trusted validating resolver.
This secure network path could mean DNS-over-TLS, DNS-over-HTTPS, DNSCrypt or to some extent also a local network that you can at least somewhat trust (weaker, but still useful for a subset of attack scenarios).

Håkan Lindqvist
  • My ISP does DNSSEC validation on their recursive servers. What a good service! – Esa Jokinen Nov 27 '20 at 15:32
  • @EsaJokinen do you really trust your ISP though? because [you shouldn't](https://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/). https://groups.google.com/a/chromium.org/g/blink-dev/c/c5YfiST8m7g/m/aEqH9_8g7uwJ is interesting reading here. – strugee Mar 07 '22 at 22:51
  • @strugee: It's all about the threat model. There's always certain trust to your ISP. With a higher level of paranoia, the ISP could easily spoof the routes to the validated IP addresses, so what's the point of validating DNSSEC in the first place? An ISP validating the DNSSEC for their customers is protecting the users that don't even know such technology exists. – Esa Jokinen Mar 08 '22 at 07:27
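The answer's point is that a client only learns whether it got DNSSEC-validated data from the AD ("Authenticated Data") flag a validating resolver sets in the response header, and that this flag is only meaningful over a secure path to a resolver you trust. The example below is added here and is not code from the original answer: it parses the 12-byte DNS header (RFC 1035 layout, AD bit from RFC 4035) and classifies a response the way a cautious stub resolver would. The sample headers are constructed, and `resolver_trusted` stands in for "reached over DoT/DoH or validated locally" versus "whatever DHCP on the restaurant wifi handed out".

```python
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all 16-bit, network order).
# FLAGS bits: QR(0x8000) Opcode AA(0x0400) TC(0x0200) RD(0x0100) RA(0x0080)
#             Z(0x0040) AD(0x0020) CD(0x0010) RCODE(0x000F)
AD_BIT, CD_BIT, RA_BIT, QR_BIT = 0x0020, 0x0010, 0x0080, 0x8000
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_header(ad: bool, rcode: int, tid: int = 0x1234) -> bytes:
    """Constructed sample response header (no question/answer sections needed)."""
    flags = QR_BIT | 0x0100 | RA_BIT          # response, recursion desired + available
    if ad:
        flags |= AD_BIT                        # resolver claims it validated the data
    flags |= rcode & 0x000F
    ancount = 1 if rcode == RCODE_NOERROR else 0
    return struct.pack("!HHHHHH", tid, flags, 1, ancount, 0, 0)


def parse_flags(msg: bytes) -> dict:
    """Decode the flag word of a DNS message; raises on a truncated header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _, flags, *_ = struct.unpack("!HHHHHH", msg[:12])
    return {
        "qr": bool(flags & QR_BIT),
        "ra": bool(flags & RA_BIT),
        "ad": bool(flags & AD_BIT),
        "cd": bool(flags & CD_BIT),
        "rcode": flags & 0x000F,
    }


def classify(msg: bytes, resolver_trusted: bool) -> str:
    """What a stub can conclude about DNSSEC from a response it received.

    resolver_trusted: True only if the response came from a resolver we trust
    over a secure channel (or from our own local validator). Over an untrusted
    path the AD bit is just a bit anyone on the path could have set.
    """
    f = parse_flags(msg)
    if f["rcode"] == RCODE_SERVFAIL:
        return "servfail"        # typical outcome when a validating resolver rejects bogus data
    if f["ad"] and resolver_trusted:
        return "validated"       # signed chain checked by a resolver we trust
    if f["ad"]:
        return "unverifiable"    # AD set, but the path or resolver is not trusted
    return "unvalidated"         # e.g. an unsigned local copy of the zone, as in the question
```

A validating resolver handed out by an untrusted DHCP server gets the same "unverifiable" verdict as a spoofed one, which is exactly the gap the answer says DoT, DoH, DNSCrypt or local validation must close. Real validation of the RRSIG/DNSKEY chain is a separate step this header check does not perform.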