1. DNSSEC/DNSKEY

The resource record that stores the public key(s) used for DNSSEC validation. The matching private key signs the zone's RRsets (producing RRSIG records); a DS record in the parent zone carries a digest of the DNSKEY and links it into the chain of trust.

DNSKEY resource record, JPRS glossary: https://jprs.jp/glossary/index.php?ID=0214

Reference: http://www.netagent-blog.jp/archives/51489071.html

http://www.simpledns.com/help/v52/index.html?rec_dnskey.htm

DNSKEY-records have the following data elements:

- Flags: a 16-bit field. "Zone Key" (bit 7, set for all DNSSEC zone keys) and "Secure Entry Point" (bit 15, set for KSKs and for single keys that serve as both KSK and ZSK).
- Protocol: Fixed value of 3 (for backwards compatibility)
- Algorithm: The public key's cryptographic algorithm.
- Public key: Public key data.

1.1. RFC4034

Abstract

   This document is part of a family of documents that describe the DNS
   Security Extensions (DNSSEC).  The DNS Security Extensions are a
   collection of resource records and protocol modifications that
   provide source authentication for the DNS.  This document defines the
   public key (DNSKEY), delegation signer (DS), resource record digital
   signature (RRSIG), and authenticated denial of existence (NSEC)
   resource records.  The purpose and format of each resource record is
   described in detail, and an example of each resource record is given.

2. The DNSKEY Resource Record

   DNSSEC uses public key cryptography to sign and authenticate DNS
   resource record sets (RRsets).  The public keys are stored in DNSKEY
   resource records and are used in the DNSSEC authentication process
   described in [RFC4035]: A zone signs its authoritative RRsets by
   using a private key and stores the corresponding public key in a
   DNSKEY RR.  A resolver can then use the public key to validate
   signatures covering the RRsets in the zone, and thus to authenticate
   them.

2.1.1. The Flags Field

   Bit 7 of the Flags field is the Zone Key flag.  If bit 7 has value 1,
   then the DNSKEY record holds a DNS zone key, and the DNSKEY RR's
   owner name MUST be the name of a zone.  If bit 7 has value 0, then
   the DNSKEY record holds some other type of DNS public key and MUST
   NOT be used to verify RRSIGs that cover RRsets.

5. The DS Resource Record

   The DS Resource Record refers to a DNSKEY RR and is used in the DNS
   DNSKEY authentication process.  A DS RR refers to a DNSKEY RR by
   storing the key tag, algorithm number, and a digest of the DNSKEY RR.
   Note that while the digest should be sufficient to identify the
   public key, storing the key tag and key algorithm helps make the
   identification process more efficient.  By authenticating the DS
   record, a resolver can authenticate the DNSKEY RR to which the DS
   record points.  The key authentication process is described in
   [RFC4035].
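The three excerpts above describe the DNSKEY fields, the Zone Key flag rule, and how a DS record identifies a DNSKEY by key tag, algorithm and digest. The following Python is an added example, not code from the page, from JPRS, or from the RFC: it serializes a DNSKEY, computes the key tag of RFC 4034 Appendix B, checks the flag bits of section 2.1.1, and builds and verifies a DS digest over the canonical owner name plus the DNSKEY RDATA. The sample record `257 3 8 AQIDBA==` is a constructed placeholder whose "public key" is four arbitrary bytes rather than a real RSA key, and the owner name `example.com.` is likewise arbitrary; both exist only to exercise the encoding.

```python
"""DNSKEY / DS helpers (added example, not the page's own code).

Covers: DNSKEY RDATA layout (RFC 4034 2.1), Zone Key / SEP flags (2.1.1),
key tag (Appendix B) and DS digest = hash(canonical owner name || RDATA) (5.1.4).
"""
import base64
import hashlib
import struct

ZONE_KEY_FLAG = 0x0100  # bit 7 of the 16-bit Flags field (RFC 4034 2.1.1)
SEP_FLAG = 0x0001       # bit 15, Secure Entry Point (RFC 4034 2.1.1 / RFC 3757)

# DS digest types handled here: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
# SHA-1 (type 1) is deliberately left out.
DS_DIGEST_ALGOS = {2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample: flags 257 (Zone Key + SEP), protocol 3, algorithm 8,
# "public key" = bytes 01 02 03 04. Not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = "257 3 8 AQIDBA=="
SAMPLE_ZSK = "256 3 8 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: length-prefixed lowercase labels."""
    stripped = name.rstrip(".")
    out = b""
    for label in (stripped.lower().split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(presentation: str) -> tuple:
    """Parse 'FLAGS PROTOCOL ALGORITHM BASE64...' as written in a zone file."""
    fields = presentation.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    if protocol != 3:
        raise ValueError("DNSKEY Protocol field MUST be 3 (RFC 4034 2.1.2)")
    pubkey = base64.b64decode("".join(fields[3:]))
    return flags, protocol, algorithm, pubkey


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialize DNSKEY RDATA: Flags(2) | Protocol(1) | Algorithm(1) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry, mask."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def usable_for_rrsig_verification(flags: int) -> bool:
    """Bit 7 clear means the key MUST NOT be used to verify RRSIGs over RRsets."""
    return bool(flags & ZONE_KEY_FLAG)


def is_sep(flags: int) -> bool:
    """SEP flag: operator hint marking a KSK; validators do not require it."""
    return bool(flags & SEP_FLAG)


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA for a DNSKEY: (key tag, algorithm, digest type, hex digest)."""
    algorithm = rdata[3]
    digest = DS_DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def ds_matches(ds: tuple, owner: str, rdata: bytes) -> bool:
    """What a validator does: recompute the DS from the child's DNSKEY and compare."""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGEST_ALGOS:
        return False  # unknown digest type: no match, never "assume valid"
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())


def ds_records_for_zone(owner: str, presentations: list) -> list:
    """DS records the parent would publish: one per SEP-flagged (KSK) DNSKEY."""
    records = []
    for pres in presentations:
        flags, proto, alg, key = parse_dnskey(pres)
        if is_sep(flags):
            records.append(make_ds(owner, dnskey_rdata(flags, proto, alg, key)))
    return records


if __name__ == "__main__":
    for pres in (SAMPLE_ZSK, SAMPLE_KSK):
        flags, proto, alg, key = parse_dnskey(pres)
        rd = dnskey_rdata(flags, proto, alg, key)
        print(pres, "-> key tag", key_tag(rd), "zone key:",
              usable_for_rrsig_verification(flags), "SEP:", is_sep(flags))
    for ds in ds_records_for_zone(SAMPLE_OWNER, [SAMPLE_ZSK, SAMPLE_KSK]):
        print(SAMPLE_OWNER, "IN DS", *ds)
```

Only the KSK (flags 257) yields a DS record; the ZSK (flags 256) is signed by the KSK inside the zone's DNSKEY RRset and never appears at the parent. Because the digest covers the canonical owner name as well as the RDATA, the same DNSKEY under a different owner name, or with a single byte changed, fails `ds_matches`.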

1.1.1. ZSK and KSK

Once you start looking into DNSSEC these two terms come up everywhere, but a convincing explanation is not easy to find.

The key that produces the RRSIGs is the one most exposed to attack, so it is desirable to replace it at short intervals (three months?). But if that same key is the one referenced by the DS record in the parent zone, every replacement also requires a new DS to be registered at the parent, which puts a burden on the parent (and on the registrar/registry path used to update it).

The starting point, then, seems to have been to split the roles: a Zone Signing Key (ZSK) that signs the zone data, and a Key Signing Key (KSK) that signs the DNSKEY RRset containing the ZSK. Only the KSK is referenced by the parent's DS record, so the ZSK can be rolled as often as desired without touching the parent; only a KSK rollover requires a DS update.

MoinQ: DNS/DNSSEC/DNSKEY (last edited 2023-06-25 21:57:00 by ToshinoriMaeno)