Trust Anchor

From DNSSEC-Tools

A trust anchor is a DNSKEY (usually a KSK) that an operator places into the configuration of a validating resolver so that the validator can cryptographically validate the answer to a request by following the chain of signatures back to that known public key (the trust anchor). The anchor may also be configured as a DS record, a hash of the DNSKEY rather than the key itself. Either way it is the one key the validator does not prove with DNSSEC, so it must be obtained and checked out of band.

A Validation Example

For example, consider trying to validate "www.dnssec-tools.org". Request the A record for www.dnssec-tools.org and set the DO bit, which asks for the DNSSEC records to be returned along with the answer (dig does this with the +dnssec flag). You get the following answer:

 dig +dnssec www.dnssec-tools.org a
 
 ; <<>> DiG 9.4.1-P1 <<>> +dnssec www.dnssec-tools.org a
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48871
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags: do; udp: 4096
 ;; QUESTION SECTION:
 ;www.dnssec-tools.org.          IN      A
 
 ;; ANSWER SECTION:
 www.dnssec-tools.org.   14400   IN      A       66.35.250.210
 www.dnssec-tools.org.   14400   IN      RRSIG   A 5 3 14400 20080427155047 20080328155047 45492 dnssec-tools.org. iWDSpOPknhSkJzVyexRPc7VfJGvMNVzcnzI/c77rAve4877QDEPuDL73 bkcrJoBHyd0JZaKsl5kaZ0oVWyuzptnCaMjBQ0Af5bLp+XXEp8nFxaIH Me55s28ucFDqfQiCcbgaexL9T07LHzh28C7UqSc3gogmyVn3TpvImYEO UPk=
 
 ;; AUTHORITY SECTION:
 dnssec-tools.org.       86400   IN      NS      ns4.dnssec-tools.org.
 dnssec-tools.org.       86400   IN      NS      ns1.dnssec-tools.org.
 dnssec-tools.org.       86400   IN      RRSIG   NS 5 2 86400 20080427155047 20080328155047 45492 dnssec-tools.org. D8yzB8PHWZ4HpJDOtuKz0OjfJyqn5yTVCUfx1VvZAyzx/4CdNSIIncAI rqQjDtWfrv9BTptnzvO6x33HhUqfyXF9IgXjqykE/NhZE7nVI+kvNx75 xskvXF0yEuWEgIe0LwbC4C2FTU8WyZ9f1EXaOjaSJFTmp+Otl1KYtCCh +Pc=
 
 ;; ADDITIONAL SECTION:
 ns1.dnssec-tools.org.   86400   IN      A       168.150.236.43
 ns4.dnssec-tools.org.   86400   IN      A       76.216.12.217
 ns1.dnssec-tools.org.   86400   IN      RRSIG   A 5 3 86400 20080427155047 20080328155047 45492 dnssec-tools.org. pz9n7tLBEmfZJ+Rw+ekXEO24q5C2NT1SJ72PfrOKRE6J58SkmVvysP04 XuF20IbRidshGgxYjtG+jaKUZKU1KBvHMpd8wPm3YExar+op9HVJMHJX Pow+Sd1CSITfrCL9TM1agVfjn31/7+DQSwXs2bDNx3GJL/F/WNyzYwML a+w=
 ns4.dnssec-tools.org.   86400   IN      RRSIG   A 5 3 86400 20080427155047 20080328155047 45492 dnssec-tools.org. m68GY9JI+VmoO9wR0gD+Ml5xa8ONeSeQogkAAjZFMJqvWiUj5KNIZDgA mTGJ1hYY1DnjlPIfKIivuoqOXZbRDdSj75RmlVBjnZ5bJhAT1VPLIZb+ 08FeUVErZLb+YK1Vklyj9brKN79JMamYu0l6VTX4v6VIk5+qV1jYATuv v40=
 
 ;; Query time: 1 msec
 ;; SERVER: 168.150.236.43#53(168.150.236.43)
 ;; WHEN: Fri Apr 18 14:34:26 2008
 ;; MSG SIZE  rcvd: 837

Wow. That's a lot of information, especially since all you wanted was the single A record line in the ANSWER section (66.35.250.210). The really long digital signature strings (the RRSIG records), though, can be used to ensure that the A record you wanted was in fact the correct data. Two fields in the RRSIG that follows the A record matter for what comes next: the signer's name, dnssec-tools.org., and the key tag, 45492, which identifies which of the signer's keys made the signature. Note also that the header flags are "qr aa rd ra" with no "ad" bit: the query went straight to the zone's authoritative server, and the ad (authenticated data) bit is only set by a validating resolver on data it has verified itself, so the checking here is ours to do. To check a signature you need the key that made it, so we need another query: fetch the DNSKEY records from the signer's zone, dnssec-tools.org, which is where the keys used to sign this data live:

 ; <<>> DiG 9.4.1-P1 <<>> +dnssec dnssec-tools.org dnskey
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51965
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 3, ADDITIONAL: 5
   
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags: do; udp: 4096
 ;; QUESTION SECTION:
 ;dnssec-tools.org.              IN      DNSKEY
   
 ;; ANSWER SECTION:
 dnssec-tools.org.       86400   IN      DNSKEY  257 3 5 AwEAAcUa48KRuPrTSYBF1HkLbM+KLQYc3Mwt/LFKLkahrZhs4JGogD3h p9n6hlxG+1vTTRWJlCSobsPAwF1ApWouCGPNcRcJnAIqgQzXNfA6K/h8 nabRR6T61fm2ghI0pX1nL3CXoCWKr7eJaJ/E7fqDOLhoQZT6iGtbNbyY 7QP0PswrmUM4pnXwD7cPc3w9EtwGVyU1NEMipV/JABdqTPWdP6GWvdGy Y5Bp2Cvp9PSbwVntm2AqV+bXOBQ6XB+H5fhg2SMWd9SstviJELS0i5vI V3zaLaj3LLB+BG23hHzpYXHulK+5M7T3cudw7BhD50w3mF4+hrMO7jQc BukaWNK0oXsymkVMRdwqvgWOikXwpOKQtR9bgB09NubE8Xqopn7Fve9A 1nOKR8x14VfCERRGZPQuybEEywQJcGfdc3THnIPaYevx1j5jUlEQxKVO 7Q0ou6Hg/0/LNhedqIysPnRqx3BuhfMEp2aRjZArXioRJRqfZckzKfJR nqODr8r8EtC1J6sdLUWOiayJbmIm4y/m7IXPTh1Q2od8uGFKNKN1dpiz i5fes6Camg7QP2Bx98ScsMHQC4jntTLJYgs6g5AcL0MkXJdHk7fNQAeg FU0oIL3CBrXSQrIxxGTTdeIca0pURTfWiP9coLLYOItCdxgWLRbR6TGD t5+NBILQtCp0rOvf
 dnssec-tools.org.       86400   IN      DNSKEY  257 3 5 AwEAAc8/BYFAN1g+P9SxzDbn4V+xbt6Dc/h6lq3yg40D1S1lOYCMbMWY h+7a5Z6hzzW3Wnm5+xqgpvAMzS2KYklq74xVNn8lw7qulzL5YTdU5yp9 5m4AC+1NbwPoZZXEEvmcyvXPjVBXj+mwY0q4NyWZrxYb3YmRFiB3t40c L1l9OxbxnSwrEnP+y0Nr6JYUzg7m6ANh4IHu7VdvYDs54gngE8ekSn5B P2zUDb5U+6uKOwL9ZrPvCS1MrBkQ15ZfqnqjtwIfEwHj0ecUvnzFOqev NyaOVsqyiFfRZpR4FLSY5Es7WzrY7x3pDAovNvQ4rpWIZme930WTVJ2u tv8l8DBdphOby+XN1/xAPhBaSqkCw+QE7oez6A+5PhJDGJMAOc8xgfFF D8j4Rm0dgLIj39UlO4xbVxjfme5WkgQ5pkH1QqURbtgJayaRN87DQi6s issq4JLgYGLV/Ov6lq540gGLTObrqeRWUm+A8IW2jc7hHOFqMStYupVM VvyaD8gLavNuhTqcae0iTEI8eW2C62DTQ/WHOo6aA+cxlNzkIyzHqtmW q2Pk4k61xwQ4r+sJTO3jN9uSy6+Dtbe9fEvI376tXCm5/ItwHa5Me5Wv POs0einj2+eDh+2Az0ErezG77/HPyT+RkV6ecx7XZbuyr+pSyzJUjnm+ wYgx4f/TMZcQjya5
 dnssec-tools.org.       86400   IN      DNSKEY  256 3 5 AwEAAb+YTL+V569scOEHrgJhsy7JXw37iD1114T2ORTrUNdAXjVIilbZ Nfi0hs7jEzqgNTpKM8E1oBzRVRUU2ODemBTMIBGY+bPhuFIdc/NrZUD+ oKgLwxQX4Qrx4J7qvmI+cExz09u9he2VSFTjsDMuzcDj55uzqMbWZit/ Li7vpyvJ
 dnssec-tools.org.       86400   IN      DNSKEY  256 3 5 AwEAAdB3FfdLgL15z9Pmw170Az7Nqu104hQWA2TqT0Fy3MfvzywvVe7R ljBA+90ULFSSg2jUFUV0VxYbYmtJOyEdVhbEpzUrmBq1x4GUsfLX4I2N aymEhNxkQIGi4X3hoz4c86iODSDhBuVbfA4acdJn8le4VFuEWbF5mHtF fafrwjM/
 dnssec-tools.org.       86400   IN      RRSIG   DNSKEY 5 2 86400 20080427155047 20080328155047 45492 dnssec-tools.org. m0wetDz6tFv7Da17tX7gMTIFT5XVFwvL3qG3zXSakWC+FCe09w6bl66i 21HAAu2hUDgF4UpFA7uDKlph/F9JP7QPhCPNGvwp/IIjHkxwnT4mxu36 40nM8S9PCu4J4DJaj+aCTO4jkECAlSf+IthS7m1p/ZFfEnWfPvsUQOl7 N+s=
 dnssec-tools.org.       86400   IN      RRSIG   DNSKEY 5 2 86400 20080427155047 20080328155047 47143 dnssec-tools.org. Xls1RsAPpn/kah5BWImKZXST9GQYtKdr1ndAePNEhxJm1OsBnAI81nj/ lsVx3dK+985RErOS8++BO36fgutneeQ9AU1+Fp1rzw59cgi6h32NbsFx mGcYF/hXvHQQHVOITq8Izs87ULXnPlTMFoSEKnwQ3URfpSiELFm2CvhP nopBGmZsDkZydzPQuK3RSB1uWJyJ1NIP0dHWh0KQfbTmvLNaYd4hSJXc tPZF5U5L0zQ3PKHr+yt7FTq3PvljFSgfU7enKuOg6Ux4PDtyAoJ8lAFN oKMgG+P4DmoZYPUbTiYEhui4s2JdwsOXH6zkbzGCNyCD/VQOa/Sp6+8z 37VYik3d945OxPtWnOoB2s7adowtBvJEoGGJgr9K/GVc+mQ4esNz5eG/ QAjhzhkhpchVUDXtNQ2bbdJ/o3mElFnwT1hNnBAFODRCMOYpJxp7/n/U /Brmv+TkH65aqjhoWLKDKho7bn/Y64RPgGeW8MSV9rF+nzgQQ0CzRItF C08DWGGXLkPGKAbZHGXhrgvG6Olvzx7VHjnjSrX+e8a5iSk3hgflvDoN MvMv5CvNm6t3AF8DZwiDtjAQHo/4T+UGew+Ro0JIhVVuZSCDPLXsYSaZ SvMLFjFW9N7OPhEnr1Q1UBf7RBErm0jDeJINZGytVBqABAA9wwmppQGb Q7QmcUlJ6nM=
 dnssec-tools.org.       86400   IN      RRSIG   DNSKEY 5 2 86400 20080427155047 20080328155047 54556 dnssec-tools.org. cCnzhO3I8OSMvXiQBxnza+8oH7mDvh8eKfPEm5Mk2MqAq9h6xFUTBxUv KouEBBdB8tBZuP2/8700mmr/rc4I/YcnhvCufyVW9cGnXFWcuJbH1cgp Pf3LzGV+bsDXv2f6BlcZzjFt6OqTaLnHsb5RvMCL28SgaOL1kNYvB+Vf 1I9ZrmzfF/knb0LC53Xq0k+tg4P3Vj2m5hOwL4bYqJPuexk1I3fAK080 ofpx5UlNgqd9LhaUKCN12xWL6J2k9KlwdRb9p7hkXql/h3ipbpWOom0P aDtxgR7ziEAh6rwPrxDMUXhQ49Dunft5zw2LaA340VoWTdVtr1M1to/4 1ZAgHsYP+ZWpKPQgeanH13khXjlOJKN00GbmnfEOq0imCkEhQT9HpFGR VJENCs9qxHu5QMQh0esTxDiWNv3lOyFlxZqGmYrAVNYL4q1I1qpsmoZe YBYLP9cuPilwIsSY8eWXMwOEzMclKOFAt9/bIN7iDbNmwHcnlksRMJFs tn9+/jTiFobnT57IRv4YPxmqHni8K2oUXSw3uzEoCQGT282lwbhu7kdv fEUQteTaLNqbwJ2v6fWEz49fX7uqB45M+LDMneSwR2RRYAEA2t6BOWy1 bFmypsEDg1P/V9m8Cd9IZgiCG1TYawQynrMYgDvbQJIZd+OJvJtTsGTY hskdHJkZn/w=
   
 ;; AUTHORITY SECTION:
 dnssec-tools.org.       86400   IN      NS      ns1.dnssec-tools.org.
 dnssec-tools.org.       86400   IN      NS      ns4.dnssec-tools.org.
 dnssec-tools.org.       86400   IN      RRSIG   NS 5 2 86400 20080427155047 20080328155047 45492 dnssec-tools.org. D8yzB8PHWZ4HpJDOtuKz0OjfJyqn5yTVCUfx1VvZAyzx/4CdNSIIncAI rqQjDtWfrv9BTptnzvO6x33HhUqfyXF9IgXjqykE/NhZE7nVI+kvNx75 xskvXF0yEuWEgIe0LwbC4C2FTU8WyZ9f1EXaOjaSJFTmp+Otl1KYtCCh +Pc=
   
 ;; ADDITIONAL SECTION:
 ns1.dnssec-tools.org.   86400   IN      A       168.150.236.43
 ns4.dnssec-tools.org.   86400   IN      A       76.216.12.217
 ns1.dnssec-tools.org.   86400   IN      RRSIG   A 5 3 86400 20080427155047 20080328155047 45492 dnssec-tools.org. pz9n7tLBEmfZJ+Rw+ekXEO24q5C2NT1SJ72PfrOKRE6J58SkmVvysP04 XuF20IbRidshGgxYjtG+jaKUZKU1KBvHMpd8wPm3YExar+op9HVJMHJX Pow+Sd1CSITfrCL9TM1agVfjn31/7+DQSwXs2bDNx3GJL/F/WNyzYwML a+w=
 ns4.dnssec-tools.org.   86400   IN      RRSIG   A 5 3 86400 20080427155047 20080328155047 45492 dnssec-tools.org. m68GY9JI+VmoO9wR0gD+Ml5xa8ONeSeQogkAAjZFMJqvWiUj5KNIZDgA mTGJ1hYY1DnjlPIfKIivuoqOXZbRDdSj75RmlVBjnZ5bJhAT1VPLIZb+ 08FeUVErZLb+YK1Vklyj9brKN79JMamYu0l6VTX4v6VIk5+qV1jYATuv v40=
   
 ;; Query time: 29 msec
 ;; SERVER: 168.150.236.43#53(168.150.236.43)
 ;; WHEN: Fri Apr 18 14:42:09 2008
 ;; MSG SIZE  rcvd: 3297
 

You'll notice that more than one DNSKEY is returned in the data set above: two with flags 257 (KSKs, which have the SEP bit set) and two with flags 256 (ZSKs). Only one of those keys signed the data we're interested in. We can find it by calculating each key's key tag, the 16-bit checksum over the DNSKEY RDATA defined in RFC 4034 Appendix B, and comparing it with the key tag 45492 in the RRSIG from the first query. A key tag is not guaranteed to be unique, so if two keys in the RRset share the tag a validator has to try both; the key that matches (and whose algorithm number, 5, agrees with the RRSIG) is the one used to cryptographically verify the signature on the A record we originally asked for.

If that key works and the signature on the A record is valid (and the current time falls between the RRSIG's inception and expiration times, 20080328155047 and 20080427155047 in the example), then we need to figure out which key made the signature on the DNSKEY RRset we just used. In the example the DNSKEY RRset carries three RRSIGs, from key tags 45492, 47143 and 54556; a KSK signing the DNSKEY RRset is the normal pattern, and if the parent zone is signed, a DS record there names that KSK and links the chain upward. We keep doing this process (getting a new key, validating its signature) until we finally get back to a trust anchor (which is why we started this whole discussion). If the configured trust anchor matches the DNSKEY we have reached, either the key itself or a DS hash of it, then we know we've arrived at a key we trust, presumably because we verified its authenticity through some other method (a phone conversation, a newspaper article).
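As an added example (not DNSSEC-Tools code), here is a Python script that performs the key-tag analysis left out of the previous paragraph and the trust-anchor comparison described in the last one. It copies the two ZSK DNSKEY records (the flags-256 keys) from the dig output above and implements the RFC 4034 Appendix B key-tag checksum, the RFC 3110 layout of an RSA public key and the DS digest from RFC 4034 section 5.1.4. The OWNER constant, the ("DS", ...) / ("DNSKEY", ...) anchor tuples and the function names are this example's own conventions. It does not verify the RSA/SHA-1 signature itself (that is what a validator such as libval does); it shows how a validator narrows the DNSKEY RRset to the candidate key for an RRSIG and recognises when it has reached its configured anchor.

```python
"""Key tags, DS digests and trust-anchor matching for DNSKEY records.

Added example, not DNSSEC-Tools code: RFC 4034 Appendix B key tag,
RFC 3110 RSA key layout, RFC 4034 section 5.1.4 DS digest."""
import base64
import hashlib
import struct

OWNER = "dnssec-tools.org."  # zone whose DNSKEY RRset is examined (assumed owner name)

# The two zone-signing keys (flags 256) copied from the DNSKEY answer above.
# Protocol is always 3; algorithm 5 is RSA/SHA-1.
ZSK_RECORDS = [
    "256 3 5 AwEAAb+YTL+V569scOEHrgJhsy7JXw37iD1114T2ORTrUNdAXjVIilbZ"
    " Nfi0hs7jEzqgNTpKM8E1oBzRVRUU2ODemBTMIBGY+bPhuFIdc/NrZUD+"
    " oKgLwxQX4Qrx4J7qvmI+cExz09u9he2VSFTjsDMuzcDj55uzqMbWZit/"
    " Li7vpyvJ",
    "256 3 5 AwEAAdB3FfdLgL15z9Pmw170Az7Nqu104hQWA2TqT0Fy3MfvzywvVe7R"
    " ljBA+90ULFSSg2jUFUV0VxYbYmtJOyEdVhbEpzUrmBq1x4GUsfLX4I2N"
    " aymEhNxkQIGi4X3hoz4c86iODSDhBuVbfA4acdJn8le4VFuEWbF5mHtF"
    " fafrwjM/",
]

DS_DIGEST_ALGS = {1: "sha1", 2: "sha256"}  # DS digest type -> hashlib name


def parse_dnskey(text):
    """'flags proto alg base64...' -> (flags, proto, alg, wire-format RDATA)."""
    fields = text.split()
    flags, proto, alg = (int(f) for f in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    return flags, proto, alg, struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA; an RRSIG carries
    this number to say which of the signer's keys made the signature."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """0x0100 marks a zone key; the SEP bit 0x0001 is set on KSKs (257)."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def rsa_public_key(rdata):
    """RFC 3110 public key field: exponent length (1 byte, or 0 followed by
    2 bytes), exponent, then modulus. Returns (e, n) as integers."""
    pubkey = rdata[4:]
    if pubkey[0] != 0:
        elen, off = pubkey[0], 1
    else:
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    e = int.from_bytes(pubkey[off:off + elen], "big")
    n = int.from_bytes(pubkey[off + elen:], "big")
    return e, n


def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), as hex."""
    return hashlib.new(DS_DIGEST_ALGS[digest_type], wire_name(owner) + rdata).hexdigest()


def candidate_signing_keys(dnskey_rrset, rrsig_key_tag, rrsig_alg):
    """Keys an RRSIG may have been made with. Key tags are not unique, so a
    validator tries every zone key whose tag and algorithm match."""
    return [rd for flags, _, alg, rd in dnskey_rrset
            if flags & 0x0100 and alg == rrsig_alg and key_tag(rd) == rrsig_key_tag]


def matches_trust_anchor(owner, rdata, anchor):
    """anchor is ("DNSKEY", rdata) or ("DS", key_tag, alg, digest_type, hexdigest).
    A DS anchor is matched on tag, algorithm and digest, never on the tag alone."""
    if anchor[0] == "DNSKEY":
        return anchor[1] == rdata
    _, tag, alg, dtype, digest = anchor
    return (tag == key_tag(rdata) and alg == rdata[3]
            and digest.lower() == ds_digest(owner, rdata, dtype))


if __name__ == "__main__":
    rrset = [parse_dnskey(r) for r in ZSK_RECORDS]
    for flags, _, alg, rd in rrset:
        e, n = rsa_public_key(rd)
        print(f"{key_role(flags)} tag={key_tag(rd)} alg={alg} e={e} modulus={n.bit_length()} bits")
    # The RRSIG on the A record named key tag 45492, algorithm 5.
    print("keys that could have signed the A record:",
          [key_tag(rd) for rd in candidate_signing_keys(rrset, 45492, 5)])
```

Running the script prints the key tag of each ZSK; the one that prints 45492 is the key that signed the A record, and the other ZSK is simply a published but (for this RRset) unused key. To extend the walk upward, feed the two flags-257 records through the same functions and compare the candidates for the DNSKEY RRset's RRSIGs (key tags 47143 and 54556) with your configured anchor via matches_trust_anchor; the DS form deliberately compares the digest, because two different keys can share a key tag.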

Whew. Aren't you glad you have tools and libraries to do this for you? All you need to do is properly find and insert the trust anchor once. Tools like donuts help zone administrators verify they have valid zone data, including DNSSEC signatures and keys that actually work. Libraries like libval help your application do this validation automatically without the developer having to think about it. Tools like Trustman can even be used to monitor for key changes in a zone and automatically update your configured trust anchors!
