Diplo Internet Governance Community
Stay networked. Get informed. Broadcast your projects.
Thanks Ricardo for the quick explanation on DNSSEC. You mean there are no certificates and the signatures expires but the keys to the given domain name zone do not. How does one maintain a database of signatures and keys without certificates? Because I think maintaining a list of signatures for every domain does not scale . How could every computer maintain a list of every signature for every domain it needs to verify? Then there is need of using a chain of trusted certificates.
By using the hierarchical property of the DNS, one can use DNSSEC to check certificates without knowing the
certificate of every single domain.
‣ Computers can learn certificates by tracing from a trusted key down the DNS delegation chain
‣ Of course, this only works if each level of the DNS deploys DNSSEC...
‣ For this to work, registries need to keep a list of signatures of its child zones, and publish them in their
own signed zone.
To deploy DNSSEC fully, zone managers need to:
‣ Sign their zone with a certificate
‣ Publish the certificates of their child zones
‣ Share their certificate with their parent zone
‣ The administration of these is much of the reason why
DNSSEC has been difficult to deploy
‣ And why “signing the root” is considered so important — it theoretically allows a single signature to verify the whole DNS!
Those are all very good points.
To address your question regarding keys and signatures validity. Differently of PKI certificates, the keys have not time expiration. But, the signature of a given information (DNS records in this case) will have a validity.
And from the perspective of a DNS domain zone administrator, this implies in one more duty: to keep track of domain name records signatures validity. And this would not implies much burden on those administrators as they already have to keep track of other important information of a domain name they are responsible for.
From the perspective of a DNS client, or DNS recursive server, it will not be need to keep all public keys in cache in order to resolve DNS requests.
When a DNSSEC query is to be performed by a given DNSSEC client/recursive, it will start to construct the sol called "Authentication Chain" [RFC 4033 - http://www.rfc-archive.org/getrfc.php?rfc=4033], and to do so, it will query the
upper level DNS servers for public keys associated with the domain name record being resolved.
Those public keys, once received, can be cached by the DNS client/recursive for the amount of time specified in the
TTL (time to live), but also for the validity of the signature of the key (yes, DNSSEC keys are also signed. It can be
a self signed signature or follow a schema of Key Signing Key as described in RFC 4641 - DNSSEC
Operational Practices - http://www.rfc-archive.org/getrfc.php?rfc=4641]).
© 2023 Created by Community Owner. Powered by