This chapter covers DNSSEC (Domain Name System Security Extensions) and DNS security, a critical topic for the SY0-701 exam under Objective 4.4 (Security Operations). You will learn how DNSSEC protects against DNS cache poisoning and other attacks by adding cryptographic signatures to DNS data. Understanding DNSSEC is essential for any security professional, as DNS is a foundational internet service frequently targeted by attackers. This chapter maps directly to exam objectives and will prepare you to identify, deploy, and troubleshoot DNSSEC in enterprise environments.
Jump to a section
Imagine you're a business owner sending a critical contract through the postal service. You want the recipient to trust that the envelope hasn't been opened or tampered with, and that it truly came from you. DNSSEC works like a tamper-proof certified mail system. First, you sign the contract with a unique wax seal (your private key) that only you possess. The post office then places the sealed envelope inside a larger, certified envelope that also gets its own wax seal (the zone-signing key). This process continues up to the root post office, which has a master seal (root trust anchor) that everyone knows and trusts. When the recipient receives the envelope, they verify each seal in reverse order, starting from the master seal down to your personal wax seal. If any seal is broken or doesn't match, the recipient knows the document is compromised. In DNSSEC, DNS resolvers verify digital signatures along the delegation chain, ensuring that the DNS records they receive are authentic and unmodified. Just as certified mail provides a chain of custody, DNSSEC provides a chain of trust from the root zone to the authoritative name server, preventing attackers from injecting forged DNS responses (cache poisoning).
What is DNSSEC and Why Does It Matter?
DNSSEC (Domain Name System Security Extensions) is a suite of IETF specifications (RFC 4033, 4034, 4035) that add cryptographic authentication to DNS responses. The core problem DNSSEC solves is that standard DNS queries and responses are sent in cleartext, with no integrity checking. An attacker can intercept a DNS query and forge a response, redirecting a user to a malicious site. This is known as DNS cache poisoning (or DNS spoofing). DNSSEC does not encrypt DNS data; it only provides data origin authentication and data integrity. It ensures that the response you receive is exactly what the domain owner published and that it hasn't been modified in transit.
For SY0-701, you need to understand the threat DNSSEC addresses, its core components (RRSIG, DNSKEY, DS, NSEC/NSEC3), and the chain of trust. You will not need to configure DNSSEC in depth, but you must know how it works mechanically and what attacks it prevents.
How DNSSEC Works Mechanically
DNSSEC works by adding four new resource record types to the DNS:
RRSIG (Resource Record Signature): Contains a digital signature for a set of DNS records. Each RRSIG record is associated with a specific record type (e.g., A, AAAA, MX) and is signed by the zone's private key.
DNSKEY (DNS Public Key): Contains the public key that can verify the RRSIG signatures. Zones have at least two keys: a Key Signing Key (KSK) and a Zone Signing Key (ZSK). The KSK is used to sign the DNSKEY record set, while the ZSK signs all other records in the zone.
DS (Delegation Signer): Placed in the parent zone (e.g., .com) to establish a chain of trust to the child zone (e.g., example.com). The DS record contains a hash of the child's DNSKEY record.
NSEC (Next Secure) / NSEC3: Used for authenticated denial of existence. These records prove that a requested domain name does not exist. NSEC3 is an obfuscated version that prevents zone walking (enumerating all records in a zone).
The validation process works as follows:
A DNS resolver (e.g., 8.8.8.8) receives a query for www.example.com.
The resolver starts at the root zone (.) and follows delegations to .com, then to example.com.
At each step, the resolver retrieves the DS record from the parent zone and the DNSKEY record from the child zone. It verifies that the DS record matches the DNSKEY using cryptographic hashes.
Once the resolver has a trusted DNSKEY for example.com, it can verify the RRSIG signature on the A record for www.example.com.
If the signature is valid, the resolver accepts the response. If invalid, it returns a SERVFAIL error to the client.
Key Components, Variants, and Standards
KSK (Key Signing Key): A long-term key (usually 2048-bit RSA or ECDSA P-256) used to sign the DNSKEY RRset. The KSK's public key is published in the zone's DNSKEY record and is also hashed into the DS record in the parent zone.
ZSK (Zone Signing Key): A shorter-lived key (often 1024-bit RSA) used to sign all other records in the zone (A, MX, CNAME, etc.). The ZSK is signed by the KSK, so trust in the KSK extends to the ZSK.
Root Trust Anchor: The root zone's KSK public key is distributed with operating systems and DNS resolver software. This is the starting point for the chain of trust. The root zone was signed in 2010.
DNSSEC Algorithms: Common algorithms include RSA/SHA-256 (algorithm 8), RSA/SHA-512 (algorithm 10), and ECDSA Curve P-256 (algorithm 13). The exam may ask which algorithms are recommended.
NSEC vs NSEC3: NSEC returns the next secure domain name in the zone, allowing an attacker to walk the zone and enumerate all records. NSEC3 uses hashed names to prevent enumeration. Both provide authenticated denial of existence.
CDS and CDNSKEY: These records allow a child zone to signal to the parent that its DS record should be updated, simplifying key rollover.
How Attackers Exploit DNS and How DNSSEC Defends
Without DNSSEC, attackers can perform:
DNS Cache Poisoning: The attacker sends a forged DNS response to a resolver, causing it to cache a malicious IP address for a legitimate domain. This is the classic Kaminsky attack (2008).
Man-in-the-Middle (MITM): An attacker intercepts a DNS query and responds with a forged answer.
DNS Tunneling: Encapsulating non-DNS traffic in DNS queries to exfiltrate data (DNSSEC alone does not prevent this, but it can hinder some techniques).
DNSSEC prevents cache poisoning and MITM attacks by requiring digital signatures. An attacker cannot forge a valid signature without the zone's private key. Even if the attacker can intercept the query, they cannot produce a valid RRSIG for a spoofed record.
However, DNSSEC does not protect against:
DDoS attacks on DNS infrastructure.
Attacks on the resolver itself (e.g., compromising the resolver's software).
DNS hijacking at the registrar level (e.g., changing delegation records).
Real Command/Tool Examples
To check DNSSEC validation, you can use dig with the +dnssec flag:
dig www.example.com +dnssecLook for the ad (authenticated data) flag in the response. If it's set, the resolver has validated the DNSSEC chain.
To view the RRSIG record:
dig www.example.com RRSIGTo view the DNSKEY record:
dig example.com DNSKEYTo view the DS record in the parent zone:
dig example.com DSYou can also use delv (domain entity lookup and validation) which performs DNSSEC validation:
delv www.example.comOn the server side, popular DNS software like BIND supports DNSSEC signing. A signed zone file would include directives like:
zone "example.com" {
type master;
file "example.com.signed";
auto-dnssec maintain;
inline-signing yes;
key-directory "keys";
};The keys are generated using dnssec-keygen:
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.comThis creates a KSK. A ZSK is created with a shorter key length:
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE example.comDeployment Considerations
Deploying DNSSEC requires careful planning: - Key Rollover: Keys must be rotated periodically. KSK rollover is complex because the DS record in the parent zone must be updated. The parent zone's registrar must support DS record management. - Resolver Support: Both the authoritative server and the resolver must support DNSSEC. Many public resolvers (Google, Cloudflare) validate DNSSEC by default. Enterprise resolvers may need configuration. - Performance Overhead: DNSSEC increases DNS response size due to additional records. This can cause fragmentation issues over UDP (limit 512 bytes or 4096 with EDNS0). Some firewalls may block large DNS packets. - Zone Walking: With NSEC, an attacker can enumerate all records in a zone. Use NSEC3 to mitigate this, though it adds computational overhead.
DNSSEC and DANE
DANE (DNS-based Authentication of Named Entities) uses DNSSEC to bind X.509 certificates to domain names. It allows a domain owner to publish a certificate association in a TLSA record, reducing reliance on Certificate Authorities. For SY0-701, understand that DANE requires DNSSEC to be secure.
Zone Owner Generates Keys
The domain owner (e.g., example.com) generates a Key Signing Key (KSK) and a Zone Signing Key (ZSK) using a tool like `dnssec-keygen`. The KSK is a long-term, high-security key (e.g., 2048-bit RSA) used to sign the DNSKEY record set. The ZSK is a shorter-term key (e.g., 1024-bit RSA) used to sign all other records. The private keys must be stored securely, often in a Hardware Security Module (HSM). The public keys are published in the zone's DNSKEY record.
Zone Owner Signs Zone Records
Using the ZSK, the owner signs each record set (e.g., A, MX, CNAME) to create RRSIG records. The KSK signs the DNSKEY record set (which contains both the KSK and ZSK public keys). The signed zone is then published on authoritative name servers. The RRSIG records include a validity period (start and end times) to prevent replay attacks. Tools like `dnssec-signzone` automate this process.
Parent Zone Adds DS Record
The domain owner provides a DS record to the parent zone (e.g., .com). The DS record contains a hash of the child's DNSKEY record (specifically the KSK). The parent zone administrator (the registry) adds this DS record to the parent zone. This creates a cryptographic link: the parent zone's RRSIG over the DS record can be verified by the resolver, establishing trust in the child's DNSKEY.
Resolver Performs Iterative Validation
When a resolver receives a query for www.example.com, it starts at the root zone. It retrieves the root's DNSKEY and validates it using the built-in root trust anchor. Then it gets the DS record for .com from the root and validates it. Next, it retrieves .com's DNSKEY and validates it using the DS record. It then gets the DS record for example.com from .com and validates it. Finally, it gets example.com's DNSKEY and validates it. This chain of trust ensures every step is authenticated.
Resolver Verifies Final Record
With the trusted DNSKEY for example.com, the resolver retrieves the A record for www.example.com along with its RRSIG. It uses the public ZSK from the DNSKEY set to verify the RRSIG. If the signature is valid, the resolver sets the Authenticated Data (AD) flag in the response to the client. If validation fails, the resolver returns SERVFAIL, indicating the response cannot be trusted.
Scenario 1: Enterprise Resolver Validation Failure
A large enterprise uses internal DNS resolvers (e.g., Infoblox or Windows Server DNS). After a routine key rollover, users report that they cannot access several external websites, receiving 'DNS resolution failed' errors. The SOC analyst checks the resolver logs and sees many 'validation failure' events for domains like example.com. The analyst uses dig +dnssec example.com from a test machine and sees no RRSIG records. Further investigation reveals that the zone's ZSK was rotated but the new signature was not propagated to all authoritative servers. The correct response is to contact the domain owner to ensure all servers serve the new RRSIG records. A common mistake: the analyst assumes the resolver is misconfigured and disables DNSSEC validation, which would weaken security. Instead, the analyst should verify the chain of trust using delv and check the parent zone's DS record.
Scenario 2: Cache Poisoning Attempt Blocked by DNSSEC
A security engineer at a financial institution monitors DNS traffic. They notice a sudden spike in queries for bank.com from internal clients. The engineer uses Wireshark to capture DNS responses and sees that some responses have an invalid RRSIG. The engineer confirms that the resolver has DNSSEC validation enabled. The logs show 'validation failure' for bank.com. The engineer traces the source IP of the malicious responses to an external attacker trying to poison the cache. Because DNSSEC is enabled, the resolver rejects the forged responses. The correct response is to block the attacker's IP and ensure no internal clients were affected. A common mistake: the engineer might think the resolver is malfunctioning and temporarily disable validation, allowing the attack to succeed.
Scenario 3: DANE Certificate Pinning
A company wants to secure its email server using DANE (RFC 7671). The administrator creates a TLSA record for smtp.example.com in the signed zone. The record specifies that the server's TLS certificate must match a given hash. When an email client connects, it queries the TLSA record via a DNSSEC-validating resolver. If the record validates, the client compares the server's certificate to the hash in the TLSA record. If they match, the connection proceeds; otherwise, it aborts. This prevents man-in-the-middle attacks even if a CA is compromised. A common mistake: the administrator forgets to include the TLSA record in the signed zone or uses an incorrect hash, causing legitimate email delivery failures. The correct response is to test the TLSA record using dig +dnssec _25._tcp.smtp.example.com TLSA before deploying.
What SY0-701 Tests on DNSSEC
The exam focuses on understanding the purpose of DNSSEC, the types of attacks it prevents (primarily DNS cache poisoning), and its core components. You should know:
DNSSEC provides data origin authentication and integrity, not confidentiality.
The chain of trust relies on DS records in parent zones and a root trust anchor.
RRSIG records contain digital signatures; DNSKEY records contain public keys.
NSEC/NSEC3 provide authenticated denial of existence.
DNSSEC does NOT protect against DDoS, registrar hijacking, or encryption.
Common Wrong Answers and Why Candidates Choose Them
"DNSSEC encrypts DNS queries." – Candidates confuse authentication with encryption. DNSSEC does not encrypt; it only signs. The exam may present a scenario where encryption is needed (e.g., privacy), and DNSSEC is not the answer.
"DNSSEC prevents DDoS attacks on DNS servers." – DNSSEC adds overhead but does not mitigate DDoS. Candidates see 'security' and assume all attacks are covered.
"DNSSEC uses a single key for the entire zone." – The two-key model (KSK and ZSK) is often misunderstood. Candidates may think one key signs everything.
"DNSSEC is automatically enabled when you register a domain." – DNSSEC requires manual configuration. Many registrars offer it as an option, but it's not default.
Specific Terms and Acronyms to Memorize
RRSIG, DNSKEY, DS, NSEC, NSEC3 – Know what each stands for and its purpose.
KSK and ZSK – Understand their roles.
Chain of trust – The hierarchical validation path.
Root trust anchor – The starting point for validation.
AD flag – Authenticated Data flag in DNS responses.
SERVFAIL – Returned when validation fails.
Common Trick Questions
"Which protocol provides integrity for DNS?" – The answer is DNSSEC, not TLS (DoT) or HTTPS (DoH). DoT/DoH provide encryption, not integrity of the DNS records themselves.
"What does the DS record contain?" – A hash of the child's DNSKEY, not the key itself.
"What does NSEC3 prevent?" – Zone walking (enumeration), not cache poisoning.
Decision Rule for Eliminating Wrong Answers
When you see a DNS security question, ask: *Is the attack about modifying DNS records in transit or at the resolver?* If yes, DNSSEC is likely the answer. If the question involves eavesdropping or privacy, look for DoT/DoH. If it involves availability, look for DDoS mitigation. If it involves unauthorized zone transfers, look for TSIG or allow-transfer restrictions.
DNSSEC provides data origin authentication and integrity for DNS, not confidentiality.
The four key DNSSEC record types are RRSIG, DNSKEY, DS, and NSEC/NSEC3.
DNSSEC uses a two-key model: KSK (signs DNSKEY) and ZSK (signs other records).
The chain of trust starts from the root trust anchor and uses DS records to delegate trust.
DNSSEC prevents DNS cache poisoning and man-in-the-middle attacks on DNS.
NSEC3 prevents zone enumeration; NSEC allows it.
Common DNSSEC algorithms include RSA/SHA-256 (8) and ECDSA P-256 (13).
Do not confuse DNSSEC with DoT/DoH — DNSSEC is about integrity, DoT/DoH about encryption.
Validation failure results in SERVFAIL response from the resolver.
DNSSEC does not protect against DDoS, registrar hijacking, or compromised authoritative servers.
These come up on the exam all the time. Here's how to tell them apart.
DNSSEC
Provides data origin authentication and integrity via digital signatures.
Does not encrypt DNS queries or responses.
Protects against cache poisoning and spoofing.
Uses RRSIG, DNSKEY, DS, NSEC records.
Works at the DNS protocol level, transparent to applications.
DNS over TLS (DoT)
Provides encryption of DNS queries and responses using TLS.
Does not provide authentication of DNS data origin.
Protects against eavesdropping and man-in-the-middle (privacy).
Uses TLS handshake and certificates.
Operates on port 853; requires client and server support.
KSK (Key Signing Key)
Used to sign the DNSKEY record set.
Longer key length (e.g., 2048-bit RSA).
Rarely rotated; rollover requires parent zone DS update.
Public key is hashed into the DS record.
Higher security; compromise is catastrophic.
ZSK (Zone Signing Key)
Used to sign all other records (A, MX, etc.).
Shorter key length (e.g., 1024-bit RSA).
Rotated frequently; no parent zone involvement.
Public key is part of DNSKEY set, signed by KSK.
Lower security; compromise is less severe if detected quickly.
Mistake
DNSSEC encrypts DNS queries and responses.
Correct
DNSSEC does not provide encryption; it only provides data origin authentication and integrity. DNS data remains in cleartext. For encryption, use DNS over TLS (DoT) or DNS over HTTPS (DoH).
Mistake
DNSSEC prevents all DNS attacks.
Correct
DNSSEC specifically prevents cache poisoning and man-in-the-middle attacks that modify DNS records. It does not prevent DDoS attacks, registrar hijacking, or attacks that compromise the authoritative server itself.
Mistake
Once DNSSEC is enabled, all resolvers automatically validate.
Correct
DNSSEC validation must be supported and enabled on the resolver. Many public resolvers validate by default (e.g., Google, Cloudflare), but internal enterprise resolvers may need configuration. Clients also need to trust the resolver's AD flag.
Mistake
DNSSEC uses a single key to sign all records in a zone.
Correct
DNSSEC typically uses two keys: a Key Signing Key (KSK) to sign the DNSKEY record set, and a Zone Signing Key (ZSK) to sign all other records. This allows ZSK rollovers without updating the parent zone's DS record.
Mistake
NSEC3 provides the same functionality as NSEC but with better performance.
Correct
NSEC3 provides authenticated denial of existence while preventing zone enumeration through hashed names. However, it has higher computational overhead than NSEC. NSEC is simpler but allows zone walking.
DNSSEC protects against DNS cache poisoning and man-in-the-middle attacks that modify DNS records. It ensures that the DNS response you receive is authentic and has not been altered. It does not protect against DDoS attacks, privacy breaches, or attacks that compromise the DNS server itself. For the exam, remember that DNSSEC provides integrity and authentication, not confidentiality.
The Key Signing Key (KSK) is used to sign the DNSKEY record set, which contains the public keys for the zone. It is a long-term key with a longer key length (e.g., 2048-bit RSA). The Zone Signing Key (ZSK) is used to sign all other records (A, MX, etc.) and is rotated more frequently. The KSK's public key is hashed into the DS record in the parent zone, linking the child zone to the parent. This two-key model allows ZSK rollovers without updating the parent zone.
DNSSEC validation uses a chain of trust. The resolver starts with a trusted root anchor (the root zone's KSK public key). It then retrieves the DS record for the top-level domain (e.g., .com) from the root zone, validates it using the root's RRSIG, and uses the DS hash to verify the .com DNSKEY. This process repeats down to the target domain. Finally, the resolver uses the target zone's DNSKEY to verify the RRSIG on the requested record. If any step fails, the resolver returns SERVFAIL.
DNSSEC provides data origin authentication and integrity via digital signatures, but does not encrypt DNS data. DoT encrypts DNS queries and responses using TLS, providing privacy, but does not authenticate the data origin. They are complementary: you can use both. DoT operates on port 853, while DNSSEC is a protocol extension. For the exam, know that DNSSEC prevents cache poisoning; DoT prevents eavesdropping.
A Delegation Signer (DS) record is placed in the parent zone (e.g., .com) to establish a chain of trust to a child zone (e.g., example.com). It contains a cryptographic hash of the child's DNSKEY record (specifically the KSK). When a resolver validates, it uses the DS record to verify that the child's DNSKEY is legitimate. The DS record itself is signed by the parent zone's ZSK.
NSEC3 is a DNSSEC record type that provides authenticated denial of existence — it proves that a requested domain name does not exist. Unlike NSEC, which returns the next secure domain name in canonical order (allowing zone walking), NSEC3 uses hashed names to prevent enumeration. This makes it harder for an attacker to list all records in a zone. NSEC3 adds computational overhead but is preferred for privacy.
Use the `dig` command with the `+dnssec` flag. For example: `dig example.com +dnssec`. Look for the `ad` (authenticated data) flag in the response. If present, the resolver validated DNSSEC. You can also query for specific records: `dig example.com DNSKEY` and `dig example.com DS` to see the keys and delegation signer. If no RRSIG records appear, the zone is not signed.
You've just covered DNSSEC and DNS Security — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?