MoinQ:

1. DNSSEC/DNSKEY

DNSSEC検証に用いる公開鍵を格納するためのリソースレコードです。

DNSKEYリソースレコード JPRSの用語辞典 https://jprs.jp/glossary/index.php?ID=0214

参考: http://www.netagent-blog.jp/archives/51489071.html

http://www.simpledns.com/help/v52/index.html?rec_dnskey.htm

DNSKEY-records have the following data elements:

- Flags: "Zone Key" (set for all DNSSEC keys) and "Secure Entry Point" (set for KSK and simple keys).
- Protocol: Fixed value of 3 (for backwards compatibility)
- Algorithm: The public key's cryptographic algorithm.
- Public key: Public key data.

1.1. RFC4034

Abstract

   This document is part of a family of documents that describe the DNS
   Security Extensions (DNSSEC).  The DNS Security Extensions are a
   collection of resource records and protocol modifications that
   provide source authentication for the DNS.  This document defines the
   public key (DNSKEY), delegation signer (DS), resource record digital
   signature (RRSIG), and authenticated denial of existence (NSEC)
   resource records.  The purpose and format of each resource record is
   described in detail, and an example of each resource record is given.

2. The DNSKEY Resource Record

   DNSSEC uses public key cryptography to sign and authenticate DNS
   resource record sets (RRsets).  The public keys are stored in DNSKEY
   resource records and are used in the DNSSEC authentication process
   described in [RFC4035]: A zone signs its authoritative RRsets by
   using a private key and stores the corresponding public key in a
   DNSKEY RR.  A resolver can then use the public key to validate
   signatures covering the RRsets in the zone, and thus to authenticate
   them.

2.1.1. The Flags Field

   Bit 7 of the Flags field is the Zone Key flag.  If bit 7 has value 1,
   then the DNSKEY record holds a DNS zone key, and the DNSKEY RR's
   owner name MUST be the name of a zone.  If bit 7 has value 0, then
   the DNSKEY record holds some other type of DNS public key and MUST
   NOT be used to verify RRSIGs that cover RRsets.

5. The DS Resource Record

   The DS Resource Record refers to a DNSKEY RR and is used in the DNS
   DNSKEY authentication process.  A DS RR refers to a DNSKEY RR by
   storing the key tag, algorithm number, and a digest of the DNSKEY RR.
   Note that while the digest should be sufficient to identify the
   public key, storing the key tag and key algorithm helps make the
   identification process more efficient.  By authenticating the DS
   record, a resolver can authenticate the DNSKEY RR to which the DS
   record points.  The key authentication process is described in
   [RFC4035].

1.1.1. ZSK と KSK

DNSSECを調べはじめたら、目にするようになったが、納得できる説明が簡単には見当たらない。

RRSIGに署名する鍵は攻撃にさらされるので、短期間(3ヶ月?)で取り替えることが望ましいが、 そうすると上位サーバに登録するDSも取り替える必要が生じて、上位に負担がかかる。

そこでzone dataの署名に使う鍵(ZSK)とZSKを署名する鍵(KSK)に分けたらどうか、というのが出発点らしい。

MoinQ: DNS/DNSSEC/DNSKEY (last edited 2023-06-25 21:57:00 by ToshinoriMaeno)