First of all, DNS

DNS is what lets you surf the net and find addresses. It is the road map and telephone book of the internet.

It is also how your computer knows where to send mail, along with many other boring details most people don’t care about but which make the internet such an incredibly strong and efficient network.

DNS is the cornerstone of the internet. Each time you open a web page, let’s say http.cat, your computer asks the DNS:

where is that http.cat?

And the DNS is going to answer something like:

go and see 178.62.60.93

I don’t want to go into technical details, but the Wikipedia article provides an amazingly good explanation of how the whole thing works. So does this little comic website.

Then DNSSEC

A few years ago, smart people began to worry: DNS being critical, it was fairly important that it be secured.

It can actually be easy, while you browse the web, to trick you into visiting false addresses. So the idea was to figure out how to make sure the DNS delivers only authentic, true addresses.

How do we do that?

Each owner (I prefer to say tenant, for example the legit tenant of http.cat) writes his DNS zone, then signs it with a cryptographic algorithm.

When you surf the net, your computer checks that those signatures are valid.

My opinion is that any critical system in our society (ISP, banks, energy and water systems, governmental and public websites) should use DNSSEC.

Signature

The DNS zone is like a sheet of paper containing all the useful information about the domain.

By signing it, the tenant stamps it.

The domain’s tenant renews this signature regularly. Signing follows the DNS’s hierarchical organization, meaning that at the top (or the bottom, if you prefer to be biologically consistent with the word), there is the root, then the TLD, then the domain and its sub-domains. It is a chain in which each link has to be working and strong enough for the next one to be so too.

On the technical side, the algorithms are the same as for SSL/TLS (the green lock on the right of your Firefox address bar):

  • RSA (the majority of cases out there, mainstream, almost basic)
  • DSA (old school)
  • Elliptic curve crypto (the tip-top modern tech currently being rolled out)

Validation

Finally, let’s check that those signatures are OK, not fake. To do that, a validator has to walk the whole chain up to the root, checking each individual signature to be sure each step is safe before moving on to the next one.
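To make that chain walk concrete, here is an added example (not code from this post): at every delegation the validator computes the key tag and DS digest of the child’s DNSKEY the way RFC 4034 specifies and compares them with the DS the parent published. The zone names and key bytes are constructed samples, and the signature (RRSIG) checks a real validator also performs are left out.

```python
import hashlib
import struct
# Added illustration, not code from the post: the parent-to-child check a validator
# repeats at each link of the chain (RFC 4034: key tag, Appendix B; DS digest, 5.1.4).
# All key bytes are constructed samples; the RRSIG checks a real validator also does are left out.
def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels, then a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = zone key + SEP bit), protocol fixed at 3, algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Sum the RDATA as big-endian 16-bit words (a trailing odd byte is a high byte), fold the carry."""
    acc = sum(struct.unpack("!H", rdata[i:i + 2].ljust(2, b"\x00"))[0] for i in range(0, len(rdata), 2))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, rdata):
    """DS a parent publishes for a child key: (key tag, algorithm, digest type 2, SHA-256 over owner + RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def walk_chain(trust_anchor, zones):
    """Walk root -> leaf; each zone's DNSKEY must match the DS its parent published. Returns the first zone name that breaks the chain, or None."""
    expected = trust_anchor  # for the root, the DS-form trust anchor the validator is configured with
    for zone in zones:
        if ds_record(zone["name"], zone["dnskey"]) != expected:
            return zone["name"]
        expected = zone.get("child_ds")  # what this zone vouches for one level down
    return None

# Constructed chain root -> cat -> http.cat, each parent holding a DS for its child's key.
ROOT_KEY = dnskey_rdata(257, 8, bytes(range(1, 33)))
CAT_KEY = dnskey_rdata(257, 8, bytes(range(33, 65)))
HTTP_CAT_KEY = dnskey_rdata(257, 8, bytes(range(65, 97)))
CHAIN = [
    {"name": ".", "dnskey": ROOT_KEY, "child_ds": ds_record("cat.", CAT_KEY)},
    {"name": "cat.", "dnskey": CAT_KEY, "child_ds": ds_record("http.cat.", HTTP_CAT_KEY)},
    {"name": "http.cat.", "dnskey": HTTP_CAT_KEY},
]
TRUST_ANCHOR = ds_record(".", ROOT_KEY)

def tampered_chain():
    """Swap in a key nobody above vouches for, as a spoofed answer would; the walk stops at http.cat."""
    forged = dict(CHAIN[-1], dnskey=dnskey_rdata(257, 8, b"\xff" * 32))
    return CHAIN[:-1] + [forged]
```

Running walk_chain(TRUST_ANCHOR, CHAIN) returns None for the genuine chain, while the tampered chain is rejected at http.cat. because no DS above vouches for the forged key.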

This validation phase can happen on the resolvers (the DNS servers you asked «http.cat? Please.»). The trouble is that you can still be tricked on the path between your computer and the resolvers (they are out on the internet, after all). Or maybe you cannot trust these resolvers at all: their operators, your ISP, can make them lie to you.

Validation can also be done at home, for example on a NAS or on your router. That’s what I do.

It can also be done directly on your computer (the ideal case, even if it creates other side problems). If you often use your computer in unsafe places (while travelling, or working from several locations…), it’s an easy solution to set up.
The dnssec-trigger software lets you do that efficiently.
FreeBSD (the operating system for crazy ones) ships a native resolver that does the same.
OpenBSD (the operating system for paranoid hackers, and the one I run on my server and router) uses Unbound natively, but is a bit less efficient.

If you wish to check (actually, you should check) that you can do DNSSEC validation, go and see this web page: http://dnssec.vs.uni-due.de/.