DNSKEY Resource Record

from Wikipedia, the free encyclopedia

DNSKEY Resource Records are used to propagate public keys through DNS. DNSKEY records are used in the context of DNSSEC (DNS Security) and in 2004 replaced the almost identical KEY resource records.

Background

Today, public key systems are considered to be powerful and versatile cryptographic methods. The owner of a key, for example, signs a message with the private key known only to him. A recipient can verify this signature with the corresponding public key and thus ensure that the message actually originates from the sender and has not been altered.

A basic problem of public key systems is the distribution of public keys: how does a user make his public key known to the world? The procedure described here uses DNS. The owner of the key stores it as a DNSKEY RR on a publicly accessible DNS server. Anyone who needs this user's public key sends a corresponding DNS query and receives the public key in the response. The procedure thus corresponds to the propagation of IP addresses.

In practice, however, this type of propagation alone is not sufficient, since an entire zone can be forged. The public key must therefore either be entered manually as a trusted key in the resolver, or the associated DS resource record must be published in the parent zone. See Chain of Trust.

Structure

A DNSKEY RR consists of the following fields:

Label
Name of the owner of the key
Class
Only IN is permitted
Type
DNSKEY
Flags
Additional information, e.g. host, zone or key signing key. In the context of DNSSEC, 256 (zone key) and 257 (key signing key) are used
Protocol
1 = TLS, 2 = email, 3 = DNSSEC, 4 = IPsec, 255 = all
Algorithm (encryption method)
1 = RSA/MD5, 2 = Diffie-Hellman, 3 = DSA/SHA-1, 4 = elliptic curves, 5 = RSA/SHA-1, 6 = DSA/SHA-1/NSEC3, 7 = RSA/SHA-1/NSEC3, 8 = RSA/SHA-256, 10 = RSA/SHA-512, 12 = ECC-GOST, 13 = ECDSA/Curve P-256/SHA-256, 14 = ECDSA/Curve P-384/SHA-384
Key
The public key itself, Base64-encoded

Examples

child.example IN DNSKEY (
                          256          ; zone key
                          3            ; DNSSEC
                          3            ; DSA encryption
                          BOPdJjdc/ZQWCVA/ONz6LjvugMnB2KKL3F1D2i9Gdrpi
                          rcWRKS2DfRn5KiMM2HQXBHv0ZdkFs/tmjg7rYxrN+bzB
                          NrlwfU5RMjioi67PthD07EHbZjwoZ5sKC2BZ/M596hyg
                          fx5JAvbIWBQVF+ztiuCnWCkbGvVXwsmE+odINCur+o+E
                          jA9hF06LqTviUJKqTxisQO5OHM/0ufNenzIbijJPTXbU
                          cF3vW+CMlX+AUPLSag7YnhWaEu7BLCKfg3vJVw9mtaN2
                          W3oWPRdebGUf/QfyVKXoWD6zDLByCZh4wKvpcwgAsel4
                          bO5LVe7s8qstSxqrwzmvaZ5XYOMZFbN7CXtutiswAkb0
                          pkehIYime6IRkDwWDG+14H5yriRuCDK3m7GvwxMo+ggV
                          0k3Po9LD5wWSIi1N )

example.net. IN DNSKEY (
                           257         ; key signing key
                           3           ; DNSSEC
                           1           ; RSA encryption
                           AQOW4333ZLdOHLRk+3Xe6RAaCQAOMhAVJu2T
                           xqmk1Kyc13h69/wh1zhDk2jjqxsN6dVAFi16
                           CUoynd7/EfaXdcjL )
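The following parser is added here as a worked example; it is not code from the article or from any DNS library. It reads the two records above (with their comments translated) plus a constructed record with a 4-byte dummy key, rejects a protocol field other than 3 (RFC 4034 requires 3 in a DNSKEY; the other values listed in the structure section belong to the older KEY record), decodes the flag bits into the ZSK/KSK role, and computes the key tag that DS and RRSIG records use to refer to a key (RFC 4034, Appendix B). The class and function names are the example's own.

```python
"""Parse DNSKEY records in zone-file presentation format, classify them as
ZSK or KSK from the flag bits, and compute the RFC 4034 key tag.

Added example, not part of the article. CHILD_ZSK and EXAMPLE_NET_KSK are
the article's own example records; CONSTRUCTED_ZSK is made up so that its
key tag can be checked by hand.
"""
import base64
import re
from dataclasses import dataclass

ZONE_KEY_FLAG = 0x0100  # bit 7 set: the key signs zone data (flags value 256)
SEP_FLAG = 0x0001       # bit 15 set: Secure Entry Point, marks a KSK (256 + 1 = 257)


@dataclass
class DNSKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    key: bytes  # the decoded Base64 public-key field

    def role(self) -> str:
        """Zone key without SEP bit -> ZSK, with SEP bit -> KSK."""
        if not self.flags & ZONE_KEY_FLAG:
            return "not a zone key"
        return "KSK" if self.flags & SEP_FLAG else "ZSK"

    def rdata(self) -> bytes:
        """Wire-format RDATA: 2-byte flags, protocol, algorithm, key bytes."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.key

    def key_tag(self) -> int:
        """16-bit key tag (RFC 4034 Appendix B) used by DS and RRSIG to select this key."""
        if self.algorithm == 1:
            # Appendix B.1: RSA/MD5 keys take the tag from the end of the RSA modulus instead.
            return int.from_bytes(self.key[-3:-1], "big")
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8  # even offsets weigh the high byte, odd the low byte
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskey(text: str) -> DNSKey:
    """Parse one DNSKEY record, allowing ';' comments, an optional TTL and
    the multi-line '( ... )' form used in the article's examples."""
    text = re.sub(r";[^\n]*", "", text)                   # strip comments to end of line
    tokens = text.replace("(", " ").replace(")", " ").split()
    owner, rest = tokens[0], tokens[1:]
    if rest and rest[0].isdigit():                        # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() == "IN":                  # class (only IN is defined)
        rest = rest[1:]
    if len(rest) < 4 or rest[0].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    flags, protocol, algorithm = (int(x) for x in rest[1:4])
    if protocol != 3:
        # RFC 4034 section 2.1.2: protocol MUST be 3; other values exist only in the old KEY RR.
        raise ValueError(f"invalid DNSKEY protocol {protocol}")
    key = base64.b64decode("".join(rest[4:]), validate=True)  # Base64 may span several tokens
    return DNSKey(owner, flags, protocol, algorithm, key)


CHILD_ZSK = """child.example IN DNSKEY (
    256 ; zone key
    3   ; DNSSEC
    3   ; DSA
    BOPdJjdc/ZQWCVA/ONz6LjvugMnB2KKL3F1D2i9Gdrpi
    rcWRKS2DfRn5KiMM2HQXBHv0ZdkFs/tmjg7rYxrN+bzB
    NrlwfU5RMjioi67PthD07EHbZjwoZ5sKC2BZ/M596hyg
    fx5JAvbIWBQVF+ztiuCnWCkbGvVXwsmE+odINCur+o+E
    jA9hF06LqTviUJKqTxisQO5OHM/0ufNenzIbijJPTXbU
    cF3vW+CMlX+AUPLSag7YnhWaEu7BLCKfg3vJVw9mtaN2
    W3oWPRdebGUf/QfyVKXoWD6zDLByCZh4wKvpcwgAsel4
    bO5LVe7s8qstSxqrwzmvaZ5XYOMZFbN7CXtutiswAkb0
    pkehIYime6IRkDwWDG+14H5yriRuCDK3m7GvwxMo+ggV
    0k3Po9LD5wWSIi1N )"""

EXAMPLE_NET_KSK = """example.net. IN DNSKEY (
    257 ; key signing key
    3   ; DNSSEC
    1   ; RSA
    AQOW4333ZLdOHLRk+3Xe6RAaCQAOMhAVJu2T
    xqmk1Kyc13h69/wh1zhDk2jjqxsN6dVAFi16
    CUoynd7/EfaXdcjL )"""

# Constructed record: flags 256, algorithm 13, key bytes 01 02 03 04 ("AQIDBA==").
CONSTRUCTED_ZSK = "test.example. 3600 IN DNSKEY 256 3 13 AQIDBA=="

if __name__ == "__main__":
    for record in (CHILD_ZSK, EXAMPLE_NET_KSK, CONSTRUCTED_ZSK):
        k = parse_dnskey(record)
        print(f"{k.owner:15} {k.role()} alg={k.algorithm} keylen={len(k.key)} tag={k.key_tag()}")
```

The decoded key lengths are worth a look: the DSA key decodes to 309 bytes, which is exactly the RFC 2536 layout for the size parameter T = 4 (1 + 20 + 3 * 96), and the RSA key decodes to 66 bytes (one-byte exponent length, exponent 3, 512-bit modulus). A resolver that accepts a DNSKEY should apply the same structural checks before using the key.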

Security of the procedure

The propagation of a public key via DNS is only sufficiently secure if it is confirmed via the parent zone with a DS RR. Propagation through an X.509 certificate is even more secure, but considerably more complex and expensive.
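As an added example (not from the article), the following code shows what "confirmed via the parent zone with a DS RR" means in practice, for this section and for the chain-of-trust remark in the background section: the DS digest is the hash of the child's owner name in canonical wire form followed by the DNSKEY RDATA (RFC 4034, section 5), and a validating resolver accepts a DNSKEY only if the recomputed digest equals the published one, the algorithm fields agree and the zone-key flag is set (RFC 4035, section 5.2). The owner name and key bytes are constructed and the function names are the example's own; the key tag, which a DS record also carries, is not recomputed here.

```python
"""Compute the DS digest that a parent zone publishes for a child's DNSKEY,
and the matching check a validating resolver performs.

Added example, not part of the article. Owner name, flags and key bytes
below are constructed; digest types are the IANA-registered values
1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
"""
import hashlib
import hmac

DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}
ZONE_KEY_FLAG = 0x0100


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each preceded by
    its length byte, terminated by the empty root label (RFC 4034 section 6.2)."""
    labels = [label for label in owner.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def ds_digest(owner: str, flags: int, protocol: int, algorithm: int, key: bytes,
              digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, key))
    return h.hexdigest().upper()


def dnskey_matches_ds(ds_algorithm: int, ds_digest_type: int, ds_digest_hex: str,
                      owner: str, flags: int, protocol: int, algorithm: int, key: bytes) -> bool:
    """Resolver-side check: does this DNSKEY correspond to the DS the parent published?

    RFC 4035 section 5.2: the DNSKEY must carry the zone-key flag, its algorithm
    must equal the DS algorithm field, and hashing it with the DS digest type
    must reproduce the DS digest.
    """
    if not flags & ZONE_KEY_FLAG:
        return False
    if ds_algorithm != algorithm or ds_digest_type not in DIGEST_TYPES:
        return False  # unknown digest type: cannot validate, so this DS gives no trust
    expected = ds_digest(owner, flags, protocol, algorithm, key, ds_digest_type)
    return hmac.compare_digest(expected, ds_digest_hex.upper())


# Constructed child key: flags 257 (KSK), algorithm 13, 64 dummy key bytes.
CHILD_OWNER = "child.example."
CHILD_KEY = bytes(range(64))

if __name__ == "__main__":
    digest = ds_digest(CHILD_OWNER, 257, 3, 13, CHILD_KEY)
    # A real DS line also carries the key tag between the owner name and the algorithm.
    print(f"{CHILD_OWNER} IN DS <key tag> 13 2 {digest}")
    print("matches:", dnskey_matches_ds(13, 2, digest, CHILD_OWNER, 257, 3, 13, CHILD_KEY))
    print("tampered flags match:", dnskey_matches_ds(13, 2, digest, CHILD_OWNER, 256, 3, 13, CHILD_KEY))
```

Because the owner name is part of the hashed input, the same key material published under a different name yields a different DS, and because the flags are part of the RDATA, turning a ZSK into a KSK (or vice versa) also breaks the link; a forged zone therefore cannot reuse a parent's DS for a key of its own choosing.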

Web links

  • RFC 4034 - Resource Records for the DNS Security Extensions

References

  1. https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1