DNSSEC
10 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard
🟢 Easy (3)
1. What is DNSSEC and what problem does it solve?
DNSSEC (DNS Security Extensions) adds public-key signatures to DNS record sets so that a validating resolver can verify that a response is authentic and unmodified, and that a name really does not exist. It defends against DNS spoofing and cache poisoning, where an attacker injects forged responses to redirect traffic to servers they control. It does not encrypt DNS traffic and gives no confidentiality; it provides origin authentication and integrity only.

2. How do you check if a domain has DNSSEC enabled?
Query the domain with dig +dnssec (for example dig +dnssec example.com A): a signed zone returns RRSIG records alongside the answer, and if the resolver you asked validates, the ad (Authenticated Data) flag is set in the response header. Also check that the parent zone publishes a DS record for the domain (dig DS example.com): DNSKEY and RRSIG records without a DS in the parent mean the zone is signed but not linked into the chain of trust, so validators treat it as insecure rather than secure. Online chain viewers such as DNSViz show every link from the root down.

3. What percentage of domains use DNSSEC and why isn't adoption higher?
As of 2025, adoption is uneven. Signing rates vary widely by TLD: some ccTLDs such as .nl, .se and .cz have most of their domains signed, while only a small single-digit percentage of .com domains are signed. On the validation side, APNIC's measurements put the share of users behind validating resolvers at roughly 30% worldwide, much of it from a few large public and ISP resolvers. Adoption is low because DNSSEC adds operational complexity (key management, re-signing), misconfigurations turn into outages for users behind validating resolvers, many registrars make DS record management awkward, and DNS-over-HTTPS/TLS addresses part of the threat (tampering between the client and its resolver) without authenticating the data itself, which leads some operators to treat it as a substitute.

🟡 Medium (4)
1. How does the DNSSEC chain of trust work?
Trust starts at the root zone's KSK, whose hash (the root trust anchor) is built into every validating resolver. The root zone publishes a DS record for each signed TLD and signs it with the root keys; the TLD zone publishes a DS record for each signed delegation and signs it; and the domain's own DNSKEY RRset signs its records. Each DS is a hash of the child's KSK, so each parent vouches for the child's key, and each RRSIG chains back through a DNSKEY to a DS above it. A resolver walks this chain from the root down; if any link is missing, does not match, or has expired, validation fails. A domain whose parent publishes no DS is treated as unsigned (insecure), not as broken.

2. What are the key DNSSEC record types?
RRSIG: the signature over one RRset (one owner name, class and type), carrying inception and expiration times and the key tag of the signing key. DNSKEY: the zone's public keys, used to verify RRSIGs. DS (Delegation Signer): a hash of the child zone's KSK, published and signed in the parent zone; it is the link between levels. NSEC/NSEC3: authenticated denial of existence, proving that a name or type does not exist (NSEC3 uses hashed names; NSEC3PARAM carries the hash parameters). These live alongside the ordinary records in the zone, and resolvers ask for them by setting the DO bit in EDNS0.

3. What are the challenges of deploying DNSSEC?
1) Key management complexity: generation, scheduled rollovers, emergency rollover after a compromise, and coordinating DS updates with the parent.
2) Larger DNS responses: keys and signatures add hundreds of bytes and exceed the classic 512-byte UDP limit, so EDNS0 is required and large answers may fragment or fall back to TCP.
3) Zone walking: NSEC chains let anyone enumerate every name in the zone.
4) Operational risk: with DNSSEC a misconfiguration (expired signatures, a stale DS) makes the domain unresolvable for every user behind a validating resolver, so mistakes become outages rather than warnings.
5) Not all registrars support DS record management, and some that do make updates slow or error-prone.
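The chain-of-trust and record-type answers above describe the DS link, and item 5 notes how often DS management goes wrong. The following Python is an added example, not part of the original card set: it recomputes a DS record from a KSK DNSKEY using the RFC 4034 Appendix B key-tag algorithm and the RFC 4509 SHA-256 digest, and checks it against the DS a parent publishes. The owner name, key bytes and DS values are constructed for the example (the key is a fixed byte pattern, not a real ECDSA key) so it runs offline; the function names are this example's own.

```python
import base64
import hashlib
import struct

# Added example: recompute a DS record from a child zone's KSK DNSKEY and check
# that it matches the DS the parent publishes (RFC 4034 s5, RFC 4509 for SHA-256).

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed, root = b'\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = H(owner name in wire form || DNSKEY RDATA), as uppercase hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, dnskey, ds):
    """dnskey = (flags, protocol, algorithm, pubkey_b64); ds = (key_tag, algorithm, digest_type, digest_hex).
    Returns (ok, reason) so a monitoring job can say which part of the link is wrong."""
    flags, protocol, algorithm, pubkey_b64 = dnskey
    tag, ds_alg, digest_type, digest = ds
    if not flags & 0x0001:
        return False, "DNSKEY is not a zone key (ZONE flag bit unset)"
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    if key_tag(rdata) != tag:
        return False, f"key tag mismatch: DNSKEY is {key_tag(rdata)}, DS says {tag}"
    if algorithm != ds_alg:
        return False, f"algorithm mismatch: DNSKEY {algorithm}, DS {ds_alg}"
    if digest_type not in DIGEST_ALGS:
        return False, f"unsupported digest type {digest_type}"
    if ds_digest(owner, rdata, digest_type) != digest.upper():
        return False, "digest mismatch: DS was computed over a different key"
    return True, "DS matches DNSKEY"

# Constructed sample: a KSK (flags 257 = ZONE|SEP) using algorithm 13 (ECDSA P-256, 64-byte key).
# The key bytes are a fixed pattern, not a real key, so the numbers are reproducible.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode("ascii"))
SAMPLE_RDATA = dnskey_rdata(*SAMPLE_KSK)
SAMPLE_DS = (key_tag(SAMPLE_RDATA), 13, 2, ds_digest(SAMPLE_OWNER, SAMPLE_RDATA))
# A stale DS, as left behind when the parent is never updated after a KSK rollover.
STALE_DS = (SAMPLE_DS[0], 13, 2, "00" * 32)

if __name__ == "__main__":
    print("DNSKEY key tag:", SAMPLE_DS[0])
    print("DS record:     ", f"{SAMPLE_OWNER} IN DS {SAMPLE_DS[0]} {SAMPLE_DS[1]} {SAMPLE_DS[2]} {SAMPLE_DS[3]}")
    print(ds_matches(SAMPLE_OWNER, SAMPLE_KSK, SAMPLE_DS))
    print(ds_matches(SAMPLE_OWNER, SAMPLE_KSK, STALE_DS))
```

Because the owner name is part of the digest, the same key published under a different name yields a different DS, and because the digest covers the whole RDATA, a DS stays valid only while exactly that key is in the DNSKEY RRset. That is the mechanism behind the classic outage after changing DNS providers: the new provider's KSK is live, the registrar still holds the old DS, and every validating resolver returns SERVFAIL.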
4. What is NSEC3 and why was it introduced?
NSEC (Next Secure) proves that a name does not exist by listing the next existing owner name in canonical order, so following the chain from one NSEC record to the next enumerates the whole zone ("zone walking"). NSEC3 (RFC 5155) orders the chain by hashed owner names (SHA-1 over the name plus a salt, iterated a configurable number of times), so a walker collects hashes instead of names. This does not prevent enumeration, it raises its cost: the hashes can be attacked offline with a dictionary, and the salt is public, which is why current guidance (RFC 9276) is zero additional iterations and an empty salt, since extra iterations cost validating resolvers as much as they cost attackers. NSEC3 also offers opt-out, which skips unsigned delegations in large zones. It adds CPU cost and complexity but is common in zones that do not want their names harvested.

🔴 Hard (3)
1. What is the difference between KSK and ZSK?
The KSK (Key Signing Key) signs only the DNSKEY RRset and is the key referenced by the parent's DS record (it usually carries the SEP flag, giving flags 257). Because changing it requires updating the parent, it is rolled infrequently, typically yearly or when needed. The ZSK (Zone Signing Key) signs all other RRsets in the zone (flags 256) and is rolled more often, monthly or quarterly, with no parent involvement. The split lets the KSK be long-lived and stronger while the ZSK, which produces the bulk of the signatures, can stay shorter for smaller responses and be replaced quickly; it also limits the impact of a ZSK compromise, since the attacker cannot re-sign the DNSKEY RRset that the parent's DS vouches for. Many zones now use a single Combined Signing Key (CSK) instead, since algorithms such as ECDSA P-256 produce small signatures either way.

2. What are common DNSSEC failure modes?
1) Expired signatures (RRSIG past its expiration time): the most common cause, usually because automated re-signing stopped while the zone kept being served.
2) DS in the parent that matches no published KSK: a DS left behind after a KSK rollover, or one never updated after moving to a new DNS provider with its own keys.
3) Algorithm mismatch: RRSIGs made with an algorithm that has no matching DNSKEY, or a DS algorithm field that does not match the key it hashes.
4) Clock skew on the resolver or signer: signatures are time-bound, so a badly set clock rejects valid signatures or accepts expired ones.
5) Not a validation failure but a data exposure: NSEC chains let anyone walk the zone (use NSEC3 to raise the cost).
Items 1 to 4 all surface to end users as SERVFAIL from validating resolvers, which is why DNSSEC problems look like outages.
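Failure modes 1 to 4 above are exactly what a zone-monitoring check should catch before validators do. The Python below is an added example, not part of the original card set: it parses RRSIG records in presentation format, flags signatures that are expired, not yet valid, or about to expire (with the small clock-skew allowance validators apply), and flags signatures whose key tag and algorithm match no key in the zone's DNSKEY RRset. The RRSIG lines, DNSKEY tags and the fixed "now" are constructed sample data, not captured from a real zone, and the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Added example: a monitoring check for the common DNSSEC failure modes: expired or
# not-yet-valid RRSIGs (with a clock-skew allowance), signatures about to expire,
# and RRSIGs whose key tag/algorithm match no published DNSKEY.

def parse_rrsig_time(s):
    """RRSIG times are YYYYMMDDHHmmSS in UTC, or seconds since the epoch (RFC 4034 s3.2)."""
    if len(s) == 14:
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(s), tz=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG in presentation format:
    owner ttl class RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer signature"""
    f = line.split()
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]), "labels": int(f[6]),
        "expiration": parse_rrsig_time(f[8]), "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
    }

def check_rrsig(line, now, dnskeys, warn_days=3, skew_seconds=300):
    """Return (status, parsed_sig). dnskeys is the set of (key_tag, algorithm) pairs in the
    zone's DNSKEY RRset. Validators tolerate a little clock skew, so the validity window is
    widened by skew_seconds on both ends before deciding EXPIRED / NOT_YET_VALID."""
    sig = parse_rrsig(line)
    skew = timedelta(seconds=skew_seconds)
    if (sig["key_tag"], sig["algorithm"]) not in dnskeys:
        return "NO_MATCHING_DNSKEY", sig
    if now + skew < sig["inception"]:
        return "NOT_YET_VALID", sig
    if now - skew > sig["expiration"]:
        return "EXPIRED", sig
    if sig["expiration"] - now < timedelta(days=warn_days):
        return "EXPIRING_SOON", sig
    return "OK", sig

# Constructed sample data (not from a real zone). The zone publishes two keys, both algorithm 13:
# KSK with tag 51234 (signs DNSKEY) and ZSK with tag 12345 (signs everything else).
NOW = datetime(2025, 1, 20, 12, 0, 0, tzinfo=timezone.utc)
DNSKEYS = {(12345, 13), (51234, 13)}
SIG = "c2FtcGxlLXNpZ25hdHVyZS1ieXRlcw=="  # placeholder, not a real signature
SAMPLE_RRSIGS = {
    "ok":        f"example.com. 3600 IN RRSIG A 13 2 3600 20250201000000 20250118000000 12345 example.com. {SIG}",
    "soon":      f"example.com. 3600 IN RRSIG MX 13 2 3600 20250121000000 20250118000000 12345 example.com. {SIG}",
    "expired":   f"example.com. 3600 IN RRSIG SOA 13 2 3600 20250119000000 20250105000000 12345 example.com. {SIG}",
    # inception three minutes in the future: inside the skew allowance, so still accepted
    "skewed":    f"example.com. 3600 IN RRSIG TXT 13 2 3600 20250203000000 20250120120300 12345 example.com. {SIG}",
    # signed with a ZSK that has since been removed from the DNSKEY RRset
    "stale_key": f"example.com. 3600 IN RRSIG NS 13 2 3600 20250201000000 20250118000000 999 example.com. {SIG}",
    # right key tag, wrong algorithm number
    "wrong_alg": f"example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20250201000000 20250118000000 51234 example.com. {SIG}",
}

def report(now=NOW, dnskeys=DNSKEYS):
    """Status for every sample RRSIG; in production, feed it the output of dig +dnssec."""
    return {name: check_rrsig(line, now, dnskeys)[0] for name, line in SAMPLE_RRSIGS.items()}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:10s} {status}")
```

The warn threshold matters more than it looks: a zone whose signatures expire in three days and whose signer stopped yesterday is already an incident in progress, and the alert is the only warning before validating resolvers start returning SERVFAIL.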
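Item 5 above recommends NSEC3, and the NSEC3 card explains that it hashes owner names. The Python below is an added example, not part of the original card set: it implements the RFC 5155 owner-name hash (iterated SHA-1 over the wire-format name and salt, encoded in base32hex) and then runs the offline dictionary attack that shows why hashing only slows enumeration down. The zone names, wordlist and salt are constructed for the example, and the function names are this example's own.

```python
import base64
import hashlib

# Added example: the NSEC3 owner-name hash (RFC 5155 s5) and an offline dictionary attack
# against harvested hashes, which is why NSEC3 raises the cost of zone walking but does
# not prevent it.

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"

def name_to_wire(name):
    """Canonical wire form: lowercase labels, each length-prefixed, terminated by a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def base32hex(raw):
    """NSEC3 owner names use Base32 with the Extended Hex alphabet (RFC 4648 s7), no padding."""
    return base64.b32encode(raw).decode("ascii").rstrip("=").translate(str.maketrans(B32_STD, B32_HEX))

def nsec3_hash(name, salt=b"", iterations=0):
    """IH(salt, x, 0) = SHA-1(x || salt); IH(salt, x, k) = SHA-1(IH(salt, x, k-1) || salt).
    The NSEC3 hash is IH(salt, name, iterations); iterations counts the *extra* rounds."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)

def nsec3_owner(name, zone, salt=b"", iterations=0):
    """The NSEC3 record covering `name` is owned by <hash>.<zone>."""
    return f"{nsec3_hash(name, salt, iterations).lower()}.{zone}"

def dictionary_attack(hashes, wordlist, zone, salt=b"", iterations=0):
    """Given hashes harvested by walking the NSEC3 chain, try every wordlist entry as a label
    under `zone` and return {hash: recovered_name_or_None}. The salt is public (it sits in the
    NSEC3 record), so it only stops one precomputed table from being reused across zones, and
    iterations add the same work for the attacker as for every validating resolver."""
    table = {nsec3_hash(f"{w}.{zone}", salt, iterations): f"{w}.{zone}" for w in wordlist}
    return {h: table.get(h) for h in hashes}

# Constructed sample zone (not a real zone) and a small wordlist.
ZONE = "example.com"
ZONE_NAMES = ["www.example.com", "vpn.example.com", "secret-admin.example.com"]
WORDLIST = ["www", "mail", "ftp", "vpn", "admin"]
SALT = bytes.fromhex("aabbccdd")

def demo(salt=SALT, iterations=0):
    """Hash the zone's names as its NSEC3 chain would expose them, then try to recover them."""
    harvested = [nsec3_hash(n, salt, iterations) for n in ZONE_NAMES]
    return dictionary_attack(harvested, WORDLIST, ZONE, salt, iterations)

if __name__ == "__main__":
    for h, name in demo().items():
        print(h, "->", name or "(not in wordlist)")
```

Two of the three names fall to a five-word list; only the one not in the dictionary survives, and a real attacker uses millions of candidates. That asymmetry is the reasoning behind RFC 9276: extra iterations and a salt cost the defender and its resolvers real CPU while buying little against an offline guesser.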
3. How do you perform a DNSSEC key rollover safely?