In theory, the DNSKEYs of TLDs could be cached by the client, meaning only everything up to the DS and corresponding RRSIG for mozilla.org need be sent. This could limit the number of records to 8 in normal operation (using ZSKs and KSKs). This could operate as follows:
# Verify the wiki.mozilla.org A record using the mozilla.org ZSK (requires the A and corresponding RRSIG records and the ZSK DNSKEY record).
# Verify the ZSK from step 1 using the KSK (requires in addition a DNSKEY record and the RRSIG record for the ZSK).
# Verify the KSK using mozilla.org's DS record (requires in addition the DS and corresponding RRSIG record, as well as the cached .org DNSKEY (and the RRSIG for the KSK, I think)).
From there, we have already verified .org, so wiki.mozilla.org has been verified using a total of 8 transmitted records. From the trace, this reduces the data sent from 3832 to 1280 bytes. The amount of data required will vary by site (by domain name), but it will probably be in the range of 1K. Note: the TLS server hello from wiki.mozilla.org is 1063 bytes (sent in 1 packet). Adding the 1K of DNSSEC messages to this would fit in 1 more packet.
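As an added worked example (written for this page; it is not Mozilla's code and not a proposed wire format), the Go program below models the three steps above with a constructed chain for wiki.mozilla.org, using Ed25519 (DNSSEC algorithm 15) from the standard library. The DNSKEY RDATA layout and the DS digest follow RFC 4034; the RRSIG canonical form is simplified (no class, TTL, key tag or RRSIG header), and the keys, the 192.0.2.10 address and the cache contents are all made up. The client holds the .org ZSK in cache, so only the records below the TLD travel; this constructed zone publishes a single RRSIG over its DNSKEY RRset, so seven records are stapled (a zone that signs its DNSKEY RRset with both keys adds one more RRSIG). Validate also shows the condition the scheme depends on: with no cached key for the parent, the stapled records alone cannot be verified and the rest of the chain up to the root would be needed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// DNSSEC algorithm 15 is Ed25519 (RFC 8080); DNSKEY flags 256 = ZSK, 257 = KSK (SEP bit set).
const algEd25519, flagsZSK, flagsKSK = 15, 256, 257

// DNSKEY holds the RDATA fields used here (the protocol octet is always 3).
type DNSKEY struct{ Owner string; Flags uint16; Pub ed25519.PublicKey }

// RRSIG is simplified: signer named by flags instead of key tag, signed bytes from rrsetBytes.
type RRSIG struct{ Owner, Covers string; SignerFlags uint16; Sig []byte }

// ownerWire encodes a domain name in DNS wire format (RFC 1035 §3.1), lower-cased as RFC 4034 requires.
func ownerWire(name string) []byte {
	out := []byte{}
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// Rdata is the DNSKEY RDATA: flags | protocol | algorithm | public key (RFC 4034 §2.1).
func (k DNSKEY) Rdata() []byte { return append([]byte{byte(k.Flags >> 8), byte(k.Flags), 3, algEd25519}, k.Pub...) }

// DSDigest is what the parent's DS record carries: SHA-256(owner wire || DNSKEY RDATA) (RFC 4034 §5.1.4).
func DSDigest(k DNSKEY) []byte {
	h := sha256.Sum256(append(ownerWire(k.Owner), k.Rdata()...))
	return h[:]
}

// rrsetBytes is the simplified signed form of an RRset: owner || type || RDATAs in the order given
// (the real canonical form also covers class, TTL and the RRSIG RDATA header, and sorts the RDATAs).
func rrsetBytes(owner, typ string, rdatas [][]byte) []byte {
	out := append(ownerWire(owner), typ...)
	for _, r := range rdatas {
		out = append(out, r...)
	}
	return out
}

func sign(priv ed25519.PrivateKey, signer DNSKEY, owner, typ string, rdatas [][]byte) RRSIG {
	return RRSIG{owner, typ, signer.Flags, ed25519.Sign(priv, rrsetBytes(owner, typ, rdatas))}
}

func verify(key DNSKEY, sig RRSIG, owner, typ string, rdatas [][]byte) bool {
	return sig.Owner == owner && sig.Covers == typ && sig.SignerFlags == key.Flags && ed25519.Verify(key.Pub, rrsetBytes(owner, typ, rdatas), sig.Sig)
}

// Chain is what the server staples: everything below the TLD key the client already caches. ASig covers
// the A RRset (by the ZSK), DNSKEYSig covers {ZSK, KSK} (by the KSK), DS is the parent's digest of the
// KSK and DSSig covers the DS RRset (by the parent's ZSK).
type Chain struct {
	Zone, Host             string
	A, DS                  []byte
	ZSK, KSK               DNSKEY
	ASig, DNSKEYSig, DSSig RRSIG
}

// Transmitted lists the RDATA of every record sent, in the order the three steps consume them.
func (c Chain) Transmitted() [][]byte {
	return [][]byte{c.A, c.ASig.Sig, c.ZSK.Rdata(), c.KSK.Rdata(), c.DNSKEYSig.Sig, c.DS, c.DSSig.Sig}
}

// Validate runs the three steps; cache maps a parent zone to the ZSK the client already verified.
func Validate(c Chain, cache map[string]DNSKEY) error {
	parentZSK, cached := cache[c.Zone[strings.Index(c.Zone, ".")+1:]]
	switch {
	case !verify(c.ZSK, c.ASig, c.Host, "A", [][]byte{c.A}): // step 1 (ZSK not yet trusted)
		return errors.New("step 1: A RRSIG does not verify under the zone ZSK")
	case !verify(c.KSK, c.DNSKEYSig, c.Zone, "DNSKEY", [][]byte{c.ZSK.Rdata(), c.KSK.Rdata()}): // step 2
		return errors.New("step 2: DNSKEY RRSIG does not verify under the KSK")
	case !bytes.Equal(DSDigest(c.KSK), c.DS): // step 3: the KSK must hash to the parent's DS
		return errors.New("step 3: KSK does not hash to the DS record")
	case !cached: // no key for the parent: the rest of the chain up to the root would be needed
		return fmt.Errorf("step 3: no cached DNSKEY for the parent of %q", c.Zone)
	case !verify(parentZSK, c.DSSig, c.Zone, "DS", [][]byte{c.DS}):
		return errors.New("step 3: DS RRSIG does not verify under the cached parent ZSK")
	}
	return nil
}

func genKey(owner string, flags uint16) (DNSKEY, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail on supported platforms
	return DNSKEY{owner, flags, pub}, priv
}

// BuildExample signs a constructed chain for wiki.mozilla.org (made-up keys and address, not the
// real zone) and returns it with a client cache that already holds the .org ZSK.
func BuildExample() (Chain, map[string]DNSKEY) {
	orgZSK, orgPriv := genKey("org", flagsZSK)
	ksk, kskPriv := genKey("mozilla.org", flagsKSK)
	zsk, zskPriv := genKey("mozilla.org", flagsZSK)
	c := Chain{Zone: "mozilla.org", Host: "wiki.mozilla.org", A: []byte{192, 0, 2, 10}, ZSK: zsk, KSK: ksk}
	c.ASig = sign(zskPriv, zsk, c.Host, "A", [][]byte{c.A})
	c.DNSKEYSig = sign(kskPriv, ksk, c.Zone, "DNSKEY", [][]byte{zsk.Rdata(), ksk.Rdata()})
	c.DS = DSDigest(ksk)
	c.DSSig = sign(orgPriv, orgZSK, c.Zone, "DS", [][]byte{c.DS})
	return c, map[string]DNSKEY{"org": orgZSK}
}

func main() {
	c, cache := BuildExample()
	fmt.Printf("%d records stapled, validation error: %v\n", len(c.Transmitted()), Validate(c, cache))
}
```

With Ed25519 the seven RDATA payloads sum to 300 bytes (two 64-byte signatures over A and DNSKEY, one over DS, two 36-byte DNSKEYs, a 32-byte DS and the 4-byte address); a single 2048-bit RSA key or signature is already 256 bytes, so the per-site figure depends heavily on the algorithms the zones in the chain use.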