How can you trust the root of the “global chain of trust” that is used in DNSSEC? How can you be sure as you are validating DNSSEC signatures that this global chain works?
To provide this chain of validation, DNSSEC relies on what is called a “trust anchor”. When you check the signature for DNS records for “internetsociety.org”, for instance, you go through a process along the lines of this (a simplified version):
- Your validating recursive resolver gets the DNS records (such as “A” or “AAAA”) for “INTERNETSOCIETY.ORG” along with the DNSSEC signature in a RRSIG record and the public key used for the signing in a DNSKEY record.
- It then retrieves the DS record for “INTERNETSOCIETY.ORG” from .ORG to verify that this is the correct DNSKEY. It also retrieves a RRSIG record for the DS record and the DNSKEY record from .ORG.
- Next it retrieves the DS record for “.ORG” from the root of DNS, along with the associated RRSIG for the DS record and the DNSKEY for the root.
- HERE IS THE CHALLENGE – How does your recursive resolver know that the DNSKEY it retrieved for the root of DNS is the correct one?
This is where there is a need for a “trust anchor” that the recursive resolver can trust to know that this is indeed the correct DNSKEY it should be using.
The DNSSEC protocol can be used with any trust anchor, but in practice we all use the DNSSEC trust anchors published by IANA (with ICANN doing the actual publishing as part of their contract to perform the IANA functions).
A new informational (non-standard) RFC 7958 out this week explains the formats IANA uses to publish the root key trust anchors and how those trust anchors can be retrieved. It also outlines additional steps that can be taken during the retrieval to ensure the trust anchors aren’t modified during the retrieval.
In 2017 we will see a change in the Root Key Signing Key (KSK) in 2017, which will mean a change in the root trust anchor. This RFC 7958 is a good reference to have out there so that everyone can understand exactly how to retrieve and use the trust anchors at the heart of DNSSEC.
Please do read this new RFC and share it widely with anyone involved in developing applications or services that perform DNS resolution and validation.
And if you know very little about DNSSEC but want to learn more, please visit our Start Here page to find resources to help you get started!