Networking

DNSSEC Basics

Signing answers so a resolver can trust what it receives.

6 min read · core

The Problem of Trust

Plain DNS answers carry no proof of origin, so a forged reply, whether injected by an on-path attacker or planted in a resolver's cache, can send you to the wrong address and the resolver has no way to tell. DNSSEC adds digital signatures to records so a resolver can verify that an answer was produced with the zone owner's key and was not altered in transit.

Signing Records

DNSSEC introduces new record types that carry signatures and keys. Signatures cover whole RRsets (all records sharing an owner name, class and type), not individual records.

  • An RRSIG record holds the signature over one RRset, together with the algorithm, the signer's name and the validity window a resolver needs to check it.
  • A DNSKEY record at the zone apex holds the public key(s) used to verify those signatures; the matching private key stays with the zone operator and never appears in DNS.
  • A DS record, published and signed in the parent zone, holds a hash of the child's DNSKEY; it is the link that lets trust in the parent extend to the child.

The Chain of Trust

Verification follows the same hierarchy as resolution. Each zone signs its own records, and its parent vouches for the zone's key by publishing a DS record that the parent signs with its own key. The chain begins at the signed root zone, whose public key (the root trust anchor) is shipped with or configured into the resolver in advance rather than fetched over DNS.

  • The root zone publishes and signs a DS record for each top level domain's key.
  • The top level domain publishes and signs a DS record for each delegated zone's key.
  • The zone signs its own address and other records with the key that DS record vouches for.

A validating resolver works top down: it checks the root DNSKEY against its trust anchor, verifies the root's signature over the DS for the top level domain, confirms that the top level domain's DNSKEY hashes to that DS, and repeats until the RRSIG over the final answer checks out. If any link fails, the answer is treated as bogus and the resolver returns SERVFAIL instead of the records.
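The record types from Signing Records and the top-down walk described above, as an added example in Go that is not part of this lesson: a toy signer and validator built only on the standard library's Ed25519 (DNSSEC algorithm 15) and SHA-256. Assumptions, all of them simplifications of the real protocol: names are kept as text rather than wire format, each zone has a single key (real zones usually split a key-signing key and a zone-signing key), TTLs, key tags and RRSIG validity windows are left out, and zone keys are derived from fixed seeds so runs are repeatable. The zones, seeds and addresses are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record; Data holds the RDATA as text.
type RR struct{ Name, Type, Data string }

// Zone is what a signed zone publishes (TTLs, key tags, validity windows omitted).
type Zone struct {
	Name   string
	Parent *Zone              // nil for the root
	priv   ed25519.PrivateKey // never leaves the zone operator
	RRsets map[string][]RR    // "owner/type" -> records
	RRSIGs map[string][]byte  // "owner/type" -> signature over that RRset
}

// Pub is the zone's DNSKEY public key.
func (z *Zone) Pub() ed25519.PublicKey { return z.priv.Public().(ed25519.PublicKey) }
func rrKey(owner, typ string) string  { return strings.ToLower(owner) + "/" + typ }

// canonical serialises an RRset in a fixed order so signer and validator hash
// identical bytes (RFC 4034 likewise sorts the RDATA before signing).
func canonical(owner, typ string, rrs []RR) []byte {
	var data []string
	for _, rr := range rrs {
		data = append(data, rr.Data)
	}
	sort.Strings(data)
	return []byte(rrKey(owner, typ) + "\x00" + strings.Join(data, "\x00"))
}

// dsDigest is the DS content: SHA-256 (digest type 2) of owner name + DNSKEY.
func dsDigest(owner string, pub ed25519.PublicKey) string {
	h := sha256.Sum256(append([]byte(strings.ToLower(owner)), pub...))
	return hex.EncodeToString(h[:])
}

// NewZone derives a key from a seed (constructed for repeatability; real zones
// use random keys) and publishes it as the apex DNSKEY record.
func NewZone(name string, parent *Zone, seed string) *Zone {
	sum := sha256.Sum256([]byte(seed))
	z := &Zone{Name: name, Parent: parent, priv: ed25519.NewKeyFromSeed(sum[:]),
		RRsets: map[string][]RR{}, RRSIGs: map[string][]byte{}}
	z.Add(RR{name, "DNSKEY", hex.EncodeToString(z.Pub())})
	return z
}

// Add appends a record and re-signs its RRset; that signature is the RRSIG.
func (z *Zone) Add(rr RR) {
	k := rrKey(rr.Name, rr.Type)
	z.RRsets[k] = append(z.RRsets[k], rr)
	z.RRSIGs[k] = ed25519.Sign(z.priv, canonical(rr.Name, rr.Type, z.RRsets[k]))
}

// Delegate publishes a signed DS for child c: the parent vouching for c's key.
func (z *Zone) Delegate(c *Zone) { z.Add(RR{c.Name, "DS", dsDigest(c.Name, c.Pub())}) }

// verifyRRset checks the RRSIG over owner/typ in zone z against key pub.
func verifyRRset(pub ed25519.PublicKey, z *Zone, owner, typ string) ([]RR, error) {
	k := rrKey(owner, typ)
	if !ed25519.Verify(pub, canonical(owner, typ, z.RRsets[k]), z.RRSIGs[k]) {
		return nil, fmt.Errorf("%s: RRSIG over %s %s does not verify", z.Name, owner, typ)
	}
	return z.RRsets[k], nil
}

// Validate returns owner/typ from zone z only if the whole chain holds: the root
// key equals the pre-configured anchor, every other zone's DNSKEY hashes to a DS
// its (recursively validated) parent signed, and the answer's own RRSIG verifies.
func Validate(anchor ed25519.PublicKey, z *Zone, owner, typ string) ([]RR, error) {
	if z.Parent == nil {
		if !z.Pub().Equal(anchor) {
			return nil, fmt.Errorf("root DNSKEY does not match the trust anchor")
		}
	} else {
		dsRRs, err := Validate(anchor, z.Parent, z.Name, "DS")
		if err != nil {
			return nil, err
		}
		matched := false
		for _, ds := range dsRRs {
			matched = matched || ds.Data == dsDigest(z.Name, z.Pub())
		}
		if !matched {
			return nil, fmt.Errorf("%s: DNSKEY matches no DS in the parent", z.Name)
		}
	}
	return verifyRRset(z.Pub(), z, owner, typ)
}

// BuildExample sets up . -> com. -> example.com. with one A record (constructed
// data; 192.0.2.10 is from the RFC 5737 documentation range).
func BuildExample() (root, com, ex *Zone) {
	root = NewZone(".", nil, "root-seed")
	com = NewZone("com.", root, "com-seed")
	ex = NewZone("example.com.", com, "example-seed")
	ex.Add(RR{"www.example.com.", "A", "192.0.2.10"})
	root.Delegate(com)
	com.Delegate(ex)
	return
}

func main() {
	root, _, ex := BuildExample()
	fmt.Println(Validate(root.Pub(), ex, "www.example.com.", "A"))
	// A forged answer changed in flight: example.com.'s RRSIG no longer verifies.
	ex.RRsets[rrKey("www.example.com.", "A")][0].Data = "198.51.100.1"
	fmt.Println(Validate(root.Pub(), ex, "www.example.com.", "A"))
}
```

Three failure modes are worth trying against `Validate` once the hierarchy is built: an A record altered after signing (the RRSIG check fails), an attacker's own `example.com.` zone with a freshly generated key (the key hashes to no DS that `com.` signed, so the parent never vouches for it), and a resolver configured with the wrong trust anchor (the root DNSKEY is rejected before anything below it is examined). The recursion in `Validate` is exactly the top-down walk: each level asks its parent for a validated DS before trusting its own key, and a real resolver that hits any of these failures answers SERVFAIL rather than handing back the records.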

What It Does Not Do

DNSSEC proves authenticity and integrity, not confidentiality. Queries and answers still travel in the clear, so anyone on the path can read which names you look up; signing only stops forgery and tampering. That protection does extend to negative answers: signed NSEC or NSEC3 records prove that a name or record type does not exist, so a forged "no such domain" reply is detected as well. DNSSEC also says nothing about the host behind an address: a correctly signed record can still point at a malicious server.

Key idea

DNSSEC signs records with RRSIG and DNSKEY and links each zone to its parent with a DS record, building a chain of trust from the root that proves authenticity but not confidentiality.

Check yourself


1. Which record links a child zone key to its parent in DNSSEC?

2. What does DNSSEC provide?

3. Where does the DNSSEC chain of trust begin?