Security/DNSSEC-TLS/Background
This page contains background information on TLS and DNSSEC. More comprehensive information can be found elsewhere.
Background
TLS sessions require a chain of trust to authenticate the server to the client. Currently this is achieved through a chain of PKIX (X.509) certificates that links the server's certificate, via any intermediate certificates, to a root certificate the client already trusts. Root certificates belong to Certificate Authorities (CAs) and reach the client in a trust store shipped by the browser or operating system. Currently, no technical mechanism prevents any trusted CA from signing a certificate for any domain name, so a single compromised or misbehaving CA can issue a certificate that clients will accept for any site.
DNSSEC is a method of authenticating DNS records that also uses a chain of trust. In the case of DNSSEC, the trust structure follows the DNS delegation hierarchy itself. For example, only the entity in charge of .com can publish the signed DS record that vouches for example.com's key, and only the (single) entity in charge of the (single) root zone can publish the signed DS record that vouches for .com's key. A name's key can therefore be vouched for only by its parent zone (and, ultimately, the root), not by any unrelated third party.
To validate a DNS record, its RRSIG record and the DNSKEY the RRSIG names (by signer name, key tag and algorithm) must be obtained, and the signature checked against the record with that key. That only shifts the question to whether the DNSKEY itself is genuine, so the zone's DNSKEY RRset must be validated in turn (recursively). The DNSKEY RRset is signed by the zone's key signing key (KSK), which is itself a member of that RRset. To go up the hierarchy, a DS record in the parent zone must be found that matches the KSK: the DS carries the KSK's key tag, algorithm and a digest of the key. The DS RRset is an ordinary signed RRset in the parent, so the process repeats there (its RRSIG is checked with the parent's DNSKEY, the parent's DNSKEY RRset with the parent's KSK, and the parent's KSK against a DS in the grandparent). Eventually the root zone is reached; its KSK has no parent DS and is instead compared against the trust anchor the validator was configured with. If every link holds, the original DNS record has been validated; if any link fails (a bad signature, a DS that does not match the key, a key the RRSIG names that is not in the DNSKEY RRset), the record is treated as bogus rather than as merely unsigned.
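The validation walk described above (and the parent-vouches-for-child structure of the preceding paragraph), as an added worked example that is not part of the original page: a small Python script that builds a constructed root / com. / example.com. zone set, computes real RFC 4034 key tags and DS digests (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA), and walks the chain from an A record up to a configured trust anchor. The RRSIG signatures are a stand-in: HMAC-SHA256 keyed by the bytes stored in the DNSKEY, so there is no public/private split and the scheme exists only to exercise the chain logic. The zone names, keys and addresses are constructed, and the `Validator`, `build_zones`, `rogue_example_com` and `demo` names are this example's own.

```python
import hashlib
import hmac
import struct

ALG = 253  # "private algorithm" number, used for the toy signature stand-in


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey(flags, secret):
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol 3, algorithm, key field.
    TOY: the key field is an HMAC secret, so anyone holding the DNSKEY could also sign;
    a real zone carries an RSA/ECDSA/EdDSA public key here."""
    return struct.pack("!HBB", flags, 3, ALG) + secret


def ds_rdata(owner, key):
    """DS RDATA for a DNSKEY: key tag, algorithm, digest type 2, SHA-256(owner || DNSKEY RDATA)."""
    digest = hashlib.sha256(wire_name(owner) + key).digest()
    return struct.pack("!HBB", key_tag(key), key[3], 2) + digest


def toy_sign(key, owner, rtype, rrset):
    """Stand-in for an RRSIG signature over the canonical RRset (see lead-in)."""
    data = wire_name(owner) + rtype.encode() + b"".join(sorted(rrset))
    return hmac.new(key[4:], data, hashlib.sha256).digest()


class Validator:
    """rrsets: (owner, type) -> [rdata]; rrsigs: (owner, type) -> (signer zone, key tag, signature)."""

    def __init__(self, rrsets, rrsigs, anchor):
        self.rrsets, self.rrsigs, self.anchor = rrsets, rrsigs, anchor

    def verify_rrsig(self, owner, rtype):
        """Check the RRSIG over (owner, rtype) with the DNSKEY it names; return that key or None."""
        rrset, sig = self.rrsets.get((owner, rtype)), self.rrsigs.get((owner, rtype))
        if not rrset or not sig:
            return None
        signer, tag, signature = sig
        for key in self.rrsets.get((signer, "DNSKEY"), []):
            if key_tag(key) == tag and hmac.compare_digest(toy_sign(key, owner, rtype, rrset), signature):
                return key
        return None

    def validate(self, owner, rtype):
        key = self.verify_rrsig(owner, rtype)
        if key is None:
            return False
        signer = self.rrsigs[(owner, rtype)][0]
        if rtype != "DNSKEY" or owner != signer:
            return self.validate(signer, "DNSKEY")      # the signing zone's keys must themselves be validated
        ds = ds_rdata(signer, key)                     # key is the KSK that signed the DNSKEY RRset
        if signer == ".":
            return hmac.compare_digest(ds, self.anchor)  # root: no parent, compare to trust anchor
        if ds not in self.rrsets.get((signer, "DS"), []):
            return False                               # parent does not vouch for this KSK
        return self.validate(signer, "DS")             # DS lives in the parent and is signed by the parent's ZSK


def build_zones():
    """Constructed root / com. / example.com. zones; returns (rrsets, rrsigs, trust anchor)."""
    rrsets, rrsigs = {}, {}

    def publish(zone, owner, rtype, rrset, key):
        rrsets[(owner, rtype)] = list(rrset)
        rrsigs[(owner, rtype)] = (zone, key_tag(key), toy_sign(key, owner, rtype, rrset))

    keys = {z: (dnskey(257, hashlib.sha256(b"ksk" + z.encode()).digest()),
                dnskey(256, hashlib.sha256(b"zsk" + z.encode()).digest()))
            for z in (".", "com.", "example.com.")}
    for z, (ksk, zsk) in keys.items():
        publish(z, z, "DNSKEY", [ksk, zsk], ksk)                      # DNSKEY RRset signed by the KSK
    publish(".", "com.", "DS", [ds_rdata("com.", keys["com."][0])], keys["."][1])
    publish("com.", "example.com.", "DS", [ds_rdata("example.com.", keys["example.com."][0])], keys["com."][1])
    publish("example.com.", "www.example.com.", "A", [bytes([192, 0, 2, 10])], keys["example.com."][1])
    return rrsets, rrsigs, ds_rdata(".", keys["."][0])


def rogue_example_com(rrsets, rrsigs):
    """Attacker controlling example.com's name servers re-signs with their own keys (constructed)."""
    z, rogue_ksk, rogue_zsk = "example.com.", dnskey(257, b"\x01" * 32), dnskey(256, b"\x02" * 32)
    rrsets[(z, "DNSKEY")] = [rogue_ksk, rogue_zsk]
    rrsigs[(z, "DNSKEY")] = (z, key_tag(rogue_ksk), toy_sign(rogue_ksk, z, "DNSKEY", rrsets[(z, "DNSKEY")]))
    a = ("www.example.com.", "A")
    rrsets[a] = [bytes([198, 51, 100, 1])]
    rrsigs[a] = (z, key_tag(rogue_zsk), toy_sign(rogue_zsk, a[0], "A", rrsets[a]))


def demo():
    """Returns (genuine answer validates, forged answer validates, rogue-key zone validates)."""
    rrsets, rrsigs, anchor = build_zones()
    genuine = Validator(rrsets, rrsigs, anchor).validate("www.example.com.", "A")
    rrsets[("www.example.com.", "A")] = [bytes([198, 51, 100, 1])]   # forged answer, stale RRSIG
    forged = Validator(rrsets, rrsigs, anchor).validate("www.example.com.", "A")
    rrsets, rrsigs, anchor = build_zones()
    rogue_example_com(rrsets, rrsigs)
    rogue = Validator(rrsets, rrsigs, anchor).validate("www.example.com.", "A")
    return genuine, forged, rogue


if __name__ == "__main__":
    print(demo())
```

The two failing cases are the ones the chain is built to catch: a forged answer whose RRSIG no longer matches the data, and an attacker who controls example.com's servers and signs everything below with their own keys but cannot get a matching DS published in the com. zone. Note that the rogue KSK has the right flags and a well-formed DS could be computed for it; what fails is the parent's endorsement, which is exactly the step the PKIX model lacks.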