RRSIG Resource Record

from Wikipedia, the free encyclopedia

With the RRSIG resource record (Signature Resource Record), any resource record can be digitally signed within the framework of DNSSEC (DNS Security). The RRSIG type replaced the almost identical SIG resource record in 2004.

Background

A user who receives an answer to a DNS request (e.g. an IP address) cannot be sure that the answer really comes from the legitimate name server and that it was not tampered with in transit. The solution is to digitally sign resource records.

A digital signature requires a public-key scheme. The name server that is authoritative (master) for a DNS entry signs it with its private key. Resolvers can validate the digital signature at any time, provided they know the zone's public key.

Structure

An RRSIG resource record consists of the following fields:

Name: the owner name of the digitally signed RR
Current TTL: specifies how long this entry may be kept in the cache
Class: the class to which the signed RR belongs
RRSIG: the RR type of this record (type 46)
Type: the type of the signed RR, e.g. A, NS, SOA
Algorithm: the signature algorithm (1 = RSA/MD5, 2 = Diffie-Hellman, 3 = DSA)
Number of name components (labels): used for wildcard resolution, see RFC 2535
TTL: the TTL of the signed RR at the time of signing
End time: date up to which the signature is valid
Start time: date from which the signature is valid
Key tag: a number identifying the signing DNSKEY, used to distinguish between several signatures
Name of the signer (the zone)
Actual signature (Base64)

Example

In this example, an A RR is digitally signed:

www.child.example. 1285    A    1.2.3.15
www.child.example. 1285    IN                ; class to which the RR belongs
                           RRSIG             ; RR is of type RRSIG
                           A                 ; signed type is A
                           3                 ; algorithm 3 = DSA
                           3                 ; name has 3 labels
                           1285              ; original TTL
                           (
                           20040327122207    ; end time (expiration)
                           20040226122207    ; start time (inception)
                           22004             ; key tag
                           child.example.    ; name of the signer (zone)
                           BMTLR80WnKndatr77...BtprR9SLKoZUiPWX ; signature (Base64, shortened)
                           )
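To make the field list and the example above concrete, here is an added example (not from the article or any DNS implementation) that parses an RRSIG record in presentation format and applies the checks a validating resolver performs on its metadata before any cryptography: the validity window given by the start and end times, the labels field used to detect wildcard synthesis, and whether the signer is the zone containing the owner. The sample record is constructed from the article's example with a made-up, shortened signature value, so it cannot be cryptographically verified here.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the article's example; the signature value is
# a placeholder, not a real DSA signature.
SAMPLE = ("www.child.example. 1285 IN RRSIG A 3 3 1285 20040327122207 "
          "20040226122207 22004 child.example. BMTLR80WnKndatr77BtprR9SLKoZUiPWX")


def parse_rrsig(line):
    """Split one RRSIG record (presentation format) into its named fields."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in the expected format")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": f[8], "inception": f[9], "key_tag": int(f[10]),
        "signer": f[11], "signature": "".join(f[12:]),   # Base64 may be split over tokens
    }


def to_time(yyyymmddhhmmss):
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_validity(rr, now):
    """A validator rejects the signature outside [inception, expiration]."""
    return to_time(rr["inception"]) <= now <= to_time(rr["expiration"])


def owner_labels(name):
    """Count labels excluding the root and a leading wildcard label, as the field does."""
    return len([lbl for lbl in name.rstrip(".").split(".") if lbl and lbl != "*"])


def is_wildcard_expansion(rr):
    """Fewer labels in the RRSIG than in the owner name means the answer was
    synthesized from a wildcard, which triggers extra (NSEC) checks."""
    return rr["labels"] < owner_labels(rr["owner"])


def signer_covers_owner(rr):
    """The signer must be the zone apex at or above the owner name."""
    return rr["owner"] == rr["signer"] or rr["owner"].endswith("." + rr["signer"])
```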

External links

  • RFC 4033 - DNS Security Extension
  • RFC 4034 - Resource Records for the DNS Security Extensions