WintelGuy.com

DNSSEC Report Generator

This reporting tool helps to analyze and validate DNSSEC configuration and record signing for a given domain.


About DNSSEC Report Generator

This DNSSEC Report Generator is a diagnostic utility that provides a detailed report on DNSSEC-related information for a given domain. By analyzing the DNSSEC configuration and validating the cryptographic signatures across the domain hierarchy, the tool helps to ensure the integrity and security of DNS records.

How to Use the DNSSEC Report Generator:

  • Input Domain Name: Enter the domain name you want to analyze, e.g., example.com.
  • Key Color-coding: Enable color-coding for clarity. Warning: We use a fixed set of 18 color shades. The same color may be applied to different keys when querying, for example, a large zone with multiple subdomain levels.
  • Start Analysis: Click on the "DNSSEC Report" button to begin the DNSSEC lookup and analysis process. The tool will:
    • Query DNS servers at each domain level, starting from the Top-Level Domain (TLD), e.g., .com.
    • Collect, validate, and display DNSSEC-related records at each level.
    • Retrieve commonly used record types for the target domain and validate the corresponding signatures.
  • View Results: After the analysis completes, the tool will present a report that includes:
    • DNSSEC records for each domain level:
      • DS (Delegation Signer)
      • DNSKEY (DNS Public Key)
    • Other DNS records for the target domain, including SOA, A, AAAA, MX, NS, NSEC, CNAME, TXT, etc.
    • Validation results for the matching DS and DNSKEY records.
    • RRSIG (Resource Record Signature) records and signature validation results for resource records.

This DNSSEC Report Generator may be helpful in a variety of use cases, including:

  • Domain Security Validation - Ensure DNSSEC is properly implemented for your domain.
  • Troubleshooting DNSSEC Issues - Identify a misconfigured signing chain or invalid DNSSEC records.
  • Auditing and Compliance.
  • Learning DNSSEC functionality and understanding DNSSEC key relationships.

Quick DNSSEC Overview

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) enhances the DNS by adding cryptographic signatures to DNS records. DNSSEC certifies the integrity and authenticity of DNS responses and protects against DNS spoofing and cache poisoning.

Problems Solved by DNSSEC:

  • Tampered DNS Records - Ensures the records returned to a user are the original ones published by the domain owner.
  • Man-in-the-Middle Attacks - Prevents attackers from injecting false DNS responses.
  • Cache Poisoning - Mitigates attacks where malicious records are inserted into a DNS resolver's cache.

DNSSEC Resource Records

DS (Delegation Signer):

  • Published in the parent zone, the DS record links to a DNSKEY in the child zone.
  • Used to ensure the continuity of the chain of trust between zones.

DNSKEY (DNS Public Key):

  • Published within the same zone where the records are signed.
  • Contains the public key used to verify RRSIG records.
  • Two types: Zone Signing Key (ZSK) and Key Signing Key (KSK).

RRSIG (Resource Record Signature):

  • Contains the cryptographic signature for a set of DNS records, proving their authenticity.
  • Signed using the private key associated with the DNSKEY record.

NSEC (Next Secure) and NSEC3 (Next Secure v.3):

  • Provide authenticated denial of existence for non-existent domain names or records.

NSEC3PARAM (NSEC3 Parameters):

  • Contains the NSEC3 parameters (hash algorithm, flags, iterations, and salt) that authoritative servers need to compute the hashed owner names used in NSEC3 records.

CDS (Child DS) and CDNSKEY (Child DNSKEY):

  • Allow for automated updates to the DS record between child and parent zones.

How DNSSEC Chain of Trust Works

DNSSEC provides a chain of trust that begins at the root zone and extends through each level of the DNS hierarchy, down to the specific domain being queried. Here's a breakdown of how this chain of trust operates:

The Root Zone

The DNS hierarchy starts with the root zone, served by the root name servers. The root zone publishes Delegation Signer (DS) records for each Top-Level Domain (TLD) (e.g., .com, .org, .net). These DS records serve as pointers to the DNSKEY records of the TLDs, establishing the next link in the chain.

TLD Zone

Each TLD (e.g., .com) publishes DS records for second-level domains (SLDs) (e.g., example.com), pointing to their respective DNSKEY records. The TLD zone also publishes its DNSKEY records that include public keys used to validate signatures for its records.

Second-Level and Lower-Level Zones

For every domain name or subdomain within the DNS hierarchy:

  • The parent zone (e.g., example.com) publishes a DS record pointing to the child zone's (e.g., subdomain.example.com) DNSKEY records.
  • The child zone uses its private key to generate RRSIG records, signing its DNS data (e.g., A, MX, or NS records) to ensure authenticity.
  • The child zone publishes the corresponding DNSKEY record, which contains the public key used to validate its RRSIG signatures.

Validation Process

When a DNS resolver queries a domain and detects that DNSSEC is enabled:

  • It retrieves the DS record for the queried domain from the parent zone.
  • It fetches the child zone's DNSKEY record and validates it against the DS record.
  • It uses the public key in the DNSKEY record to verify the signatures (RRSIG records) of the requested DNS data (e.g., A, MX, or TXT records).

If required, this process repeats recursively at each level of the hierarchy, ensuring that every link in the chain is cryptographically secure.
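The DS-to-DNSKEY link described under "DNSSEC Resource Records" and in the first two validation steps above can be checked with a few lines of code. The following is an added example, not code from the WintelGuy tool: it builds DNSKEY RDATA, derives the key tag (RFC 4034 Appendix B) and the DS digest (hash over the canonical owner name plus the DNSKEY RDATA, RFC 4034 section 5.1.4), and then checks a DS record from the parent against the child's DNSKEY. The 4-byte "public key" and the owner name are constructed test values, not a real key.

```python
import hashlib
import struct

# DS digest types from RFC 4034 / RFC 6605: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, each length-prefixed, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (256 = ZSK, 257 = KSK), 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), upper-case hex as shown in DS text form."""
    return DS_DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches_dnskey(owner: str, ds: tuple, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bool:
    """Check a parent-zone DS (key_tag, algorithm, digest_type, digest_hex) against a child DNSKEY."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if dtype not in DS_DIGEST_ALGS:
        return False  # unknown digest type: this DS cannot be used to validate the key
    if alg != algorithm or tag != key_tag(rdata):
        return False  # algorithm or key tag mismatch: DS does not refer to this DNSKEY
    return ds_digest(owner, rdata, dtype) == digest.upper()


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) for example.com with a fake 4-byte key and algorithm 13.
    owner, flags, proto, alg, key = "example.com.", 257, 3, 13, bytes([1, 2, 3, 4])
    rdata = dnskey_rdata(flags, proto, alg, key)
    ds = (key_tag(rdata), alg, 2, ds_digest(owner, rdata, 2))
    print("DS", *ds)
    print("DS matches DNSKEY:", ds_matches_dnskey(owner, ds, flags, proto, alg, key))
    print("DS matches tampered DNSKEY:", ds_matches_dnskey(owner, ds, flags, proto, alg, bytes([1, 2, 3, 5])))
```

A single flipped byte in the DNSKEY, or a change of the flags field (which also changes the key tag), breaks the match, which is exactly what the tool's "Validation results for the matching DS and DNSKEY records" reports.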