DNSSEC in three easy steps

 

When turning on DNSSEC for a domain in PowerDNS.Net, the zone is automatically cryptographically signed. Such a signature is a cryptographic guarantee that the data served is the original data. This signature contains of 2 parts.

 

 

 

To make sure that the internet knows that the key that is used for signing is the authentic key, confirmation has to be obtained from the parent zone. This means that to become operational, you will have to publish a representation of the signing key to the parent zone. This representation is called a DS record, and is a shorter (hashed) version of the DNSKEY.

 

E.g. to secure the domain example.com, the DS records for that domain need to be put in the nameservers of the .com zone. You usually provide these DS records to the registar you registered your domain with. For a list of registars that support end user DNSSEC management, including entry of DS records, see: http://www.icann.org/en/news/in-focus/dnssec/deployment

 

 

In the language of DNS, the way to say 'there is no such domain' (NXDOMAIN) or ‘there is no such record type’ is to send an empty answer. Such empty answers are universal, and can't be signed.

 

In DNSSEC parlance we therefore sign a record that says 'there are no domains between A.powerdnssec.org and C.powerdnssec.org'. This securely tells the world that B.powerdnssec.org does not exist. This solution is called NSEC, and is simple but has downsides. It tells the world exactly which records DO exist.

 

So alternatively, we can say that if a certain mathematical operation is performed on a question, that no valid answers exist that have as outcome of this operation an answer between two very large numbers. This leads to the same 'proof of non-existence'. This solution is called NSEC3, and is more secure.