DNS and DNSSEC Terminology
DNSSEC brought many new terms, and uses some old ones in different ways.
Here are some common DNS terms you will run into when dealing with DNS and DNSSEC.
- TLD – Top Level Domain
These are the major top level domain names, such as .com, .org, .info, and the country-specific ones such as .uk, .de, and .br. The country-specific names are sometimes referred to as CCTLDs for "Country-Code Top Level Domains."
- RR – Resource Record
These are commonly referred to as "records." A record is the smallest unit of data inside a zone. For example, a single NS, SOA, or DNSKEY record.
- RRSET – Resource Record Set
An RRSET is a complete set of resource records of the same type. That is, all NS records for a given name, or all DNSKEY records. This is the smallest unit DNSSEC will secure; DNSSEC does not sign RRs, it signs RRSETs.
- Signature and Verification
A Signature is a generated value based on the data being signed (RRSETs) and the key being used to sign it. Signing is performed using the private key, and verification occurs using the public key.
- Chain of Trust
This term describes how a validating resolver finds a path from keys that it is configured to trust to your zone. Normally a resolver starts from the root and works its way to your zone. However, since few TLDs accept DS records and are signed, DLV provides an alternate chain of trust to allow any zone added to the DLV registry to be validated.
DNSSEC Record Types
DNSSEC adds several new record types. These automatically generated by signing tools and not edited directly. However, understanding their relationship to one another can help if problems occur.
These records contain the public key for the zone. They come in two flavors, a Zone Signing Key (ZSK) and a Key Signing Key (KSK). Generally, the KSK signs only certain records within the zone, while the ZSK signs all of the records. You may have as many of each as required for key-rollover protocols or for your needs.
- RRSIG – Resource Record Signature
These records hold the signatures for a specific record type. For instance, you will see an RRSIG for NS records, one for DNSKEY records, etc. One RRSIG record will be generated per ZSK, typically, and for certain records one for each KSK as well.
Note that there is one signature per-key per-RRSET, not per RR.
- NSEC – Next Secure
This record is used in “negative answers” to prove that a name does not exist. Each name in a zone has an NSEC record added when signed to allow both positive (this name exists) answers and negative answers (this name does not exist) to be cryptographically secure.
- NSEC3 – Next Secure (version 3)
This record is used in “negative answers” to prove that a name does not exist. It is similar in function to the NSEC record, but has some advantages in certain situations.
Zones signed with NSEC are “walkable.” This means the entire contents of a zone can be retrieved simply by following the NSEC chain. Also, every name within a zone must be signed and have NSEC records.
NSEC3 uses cryptographic hashes to prevent zone walking while retaining the ability to prove negative answers. It also allows for an opt-out signing method where only certain names within a zone are signed. For very large zones this opt-out is useful.
- DS – Delegation Signer
These are records that are submitted to your zone's parent. They are included only in the parent, and correspond to NS records in that they provide a link between your parent and your zone. They are part of the DNSSEC chain of trust from your zone's parent to your zone.
Because many parent zones are not yet signed, DLV may be used to provide others with a trusted relationship to your zone when your parent is not signed or not prepared to accept DS record submissions.
- DLV – DNSSEC Look-aside Validation
These records are in most ways identical to DS records. The only difference is the name on the DLV record. A DS record has your zone's name (example.com) while a DLV record has an additional name (example.com.dlv.isc.org.)
Other Record Types
DNSSEC changes the amount of data a server sends and receives, so some tuning of the negative response times can affect traffic.
- SOA – Start of Authority
This is a record which every zone must have exactly one of. It describes some general characteristics about the zone, such as who to contact about it, which name server to send dynamic updates to, and the all important serial number, and a few timing parameters.
It also has a field for “negative cache TTL” (also known as the “Minimum TTL” field) which can greatly affect load on your authoritative servers. Setting this lower than one hour (3600 seconds) is not recommended.
Digests are used to provide a secure but shorter representation of data. They are sometimes called a "hash" of the data. They are used in DS and DLV records to refer to a key without having to list the key data itself. They are also used during signing. Each RRSET to be signed has a digest created for it, and the digest is what is actually signed.
For some general information about digest algorithms, see the the Wikipedia entry on Cryptographic Hash Functions.
- SHA-1 – Secure Hash Algorithm 1
A 160-bit digest algorithm. This is a mandatory algorithm for DS and DLV records, and most of the key algorithms use it when signing. The DLV Registry publishes DLV records with this digest type.
- SHA-256 – Secure Hash Algorithm 2 with 256 bits
A 256-bit digest algorithm. This is an optional algorithm for DS and DLV records, and currently no standardized key algorithms use it. The DLV Registry publishes DLV records with this digest type.
- MD5 – Message Digest 5
A 128-bit digest algorithm. This is generally considered insecure and should no longer be used in production.
DNSSEC Key Algorithms
All key types in DNSSEC are of a class known as "public keys." These keys have two parts, a private component (which you must keep secure) and a public component (which you publish in your zone in the form of a DNSKEY.) Data encrypted (or signed) with one key can only be decrypted (or verified) using the other part.
Key lengths are often used to compare the relative security of one key to another. Longer keys are considered to be more secure. Note however that this comparison is meaningful only when comparing the same key type: the strength of a 1024-bit RSASHA1 key is not directly comparable to a 1024-bit DSA key.
For some general information about cryptography, see the Wikipedia entry on Cryptography.
This algorithm specifies a key-type of RSA in which signatures are generated using the SHA-1 signature algorithm. Keys can be of many lengths, depending on their intended use. Zone-signing keys are often 1024 bits or larger, and key-signing keys are often 2048 bits or larger.
- DSA – Digital Signature Algorithm
Keys of this type can be made of various lengths. It uses SHA-1 for the digest. This algorithm is different from RSA in that it can only be used to sign, not to encrypt, data.
A mathematical attack against this type of key has been discovered and published, and so it should no longer be used.