DNS Security
Mini-discussion + a short introduction to DNSSEC
A quick DNS refresher

[Diagram: user → resolver (e.g. 1.1.1.1, 8.8.8.8) → nameserver(s) for each DNS zone]

DNS messages
When the nameserver has the answer:
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 216.58.200.238
When it refers you to someone else:
;; QUESTION SECTION:
;google.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
;; ADDITIONAL SECTION:
l.gtld-servers.net. 172800 IN A 192.41.162.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
Every line like "google.com. 300 IN A 216.58.200.238" is a resource record (RR); the "A" or "NS" column is the record's type.
Contents of the DNS messages (resolving community.cloudflare.com from the root down)
// response from root zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20210427170000 20210414160000 14631 . jwahsbkHuNHBLp9YgL9d4EVhLmtgBaTHHyKZAla3//yfTJZSdjzasjlr jQztqmJE/eESu812+7DG7S1LFfs8TMoyENlaxUoBuqB5PVAec2B2aiW2 udE8MSPUJ55VaOEAPIg8WWj5U81b8L28xWrnpCKTuP+nyKrOihGHHc5j FIByd9537+uUzwsCjKgQCEjllYb5n/jLvbHypqywkDwvboL5jV/Amo8h kmGBcm3BwKVoa44l56mHdwU29g2mUwErbzE5ac6SHcsWchQy2JSzSu7F cFXUDXRBJd1PPTiiKZZHJR/XhOMIy19Y5zsUsTcqpgKrIvTQBvbf1+Mt ZLq8Gw==
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
// ==============================================================================================================
// response from .com zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com. IN A
;; AUTHORITY SECTION:
cloudflare.com. 172800 IN NS ns3.cloudflare.com.
cloudflare.com. 172800 IN NS ns5.cloudflare.com.
cloudflare.com. 172800 IN NS ns4.cloudflare.com.
cloudflare.com. 172800 IN NS ns6.cloudflare.com.
cloudflare.com. 172800 IN NS ns7.cloudflare.com.
cloudflare.com. 86400 IN DS 2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9
cloudflare.com. 86400 IN RRSIG DS 8 2 86400 20210421041721 20210414030721 58540 com. AbNlrffLewRXntWb0GEkNsUSRWisQV8lVagZuD+RUpcsTjFPd/fkQInM XKfp6nSMB632tfceGPE3C1mr4jxR4lyV93O+MexAe1bEmSS5s1ZhX3Sb JWXkh/cZlS6yCDGBmlJHbgfwmVQ0vIvitfOw4VlxcAV+FYsRdF3C/ClT Dr8KQ1QY0kKHdp8TeLbVSkSmdm2wYBhi3kIcoomdsFkZHQ==
;; ADDITIONAL SECTION:
ns3.cloudflare.com. 172800 IN A 162.159.0.33
ns3.cloudflare.com. 172800 IN A 162.159.7.226
ns5.cloudflare.com. 172800 IN A 162.159.2.9
ns5.cloudflare.com. 172800 IN A 162.159.9.55
ns4.cloudflare.com. 172800 IN A 162.159.1.33
ns4.cloudflare.com. 172800 IN A 162.159.8.55
ns6.cloudflare.com. 172800 IN A 162.159.3.11
ns6.cloudflare.com. 172800 IN A 162.159.5.6
ns7.cloudflare.com. 172800 IN A 162.159.4.8
ns7.cloudflare.com. 172800 IN A 162.159.6.6
// ==============================================================================================================
// response from cloudflare.com zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com. IN A
;; ANSWER SECTION:
community.cloudflare.com. 300 IN A 104.16.133.229
community.cloudflare.com. 300 IN A 104.16.132.229
community.cloudflare.com. 300 IN RRSIG A 13 3 300 20210416013846 20210413233846 34505 cloudflare.com. JMiz99Buhxb6QbD51D/ysTzsG2Rz5ifr3lRo48PkOqLjt1Az37whx8AO NmA4kZAED5hJh3dZfZbNcoTtIdMnwg==
// ==============================================================================================================
DNS was designed very early
Cleartext transport & no signatures
1987: RFC 1034 and RFC 1035
Cleartext transport
→ privacy, an implicit security problem: anyone on the path can see which domains you asked about
No signatures
→ without signatures there is no way to be sure who you are really exchanging messages with
A quick refresher on typical digital signatures

Decrypt with the public key → it opens and the content checks out → so it was produced with the corresponding private key
This guarantees 1. the message was not truncated or tampered with, 2. the message was sent by whoever holds the private key
The holder of the private key
might not be who we think it is
the public key could have been wrong from the start
So someone has to vouch for the public key
someone else has to sign this public key
but that someone else may not be trustworthy either
so yet another party has to sign their public key
and so on without end
We need to find one party we can trust:
any public key they sign, we trust
any public key signed by a key they signed, we also trust
any public key signed by a key signed by a key they signed, we also trust
...
This is the chain of trust
DNS spoofing / cache poisoning
Port number? Many resolvers used to send every query from the same fixed port; now a random source port is used for each request.
Request ID number? It used to be an incrementing counter; now it has to be random as well.
[Diagram: resolver ↔ nameserver, the link where spoofing / cache poisoning takes place]
In principle the link between the user and the resolver is just as insecure.

China's Great Firewall uses DNS spoofing
DNSSEC (DNS Security Extensions)
A pile of RFCs, published starting around the year 2000
An extension of DNS
It solves the trust problem between the resolver and the nameserver
(although most websites still do not use it)
Besides returning the records, the nameserver
also returns a signature over those records
and its key is vouched for by the parent zone

The RRSIG records in the responses above are those signatures
An RRSIG is itself a record (RR)
DNSSEC adds several new RR types
Look first at the last response, the one from the cloudflare.com zone:
// response from cloudflare.com zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com. IN A
;; ANSWER SECTION:
community.cloudflare.com. 300 IN A 104.16.133.229
community.cloudflare.com. 300 IN A 104.16.132.229
community.cloudflare.com. 300 IN RRSIG A 13 3 300 20210416013846 20210413233846 34505 cloudflare.com. JMiz99Buhxb6QbD51D/ysTzsG2Rz5ifr3lRo48PkOqLjt1Az37whx8AO NmA4kZAED5hJh3dZfZbNcoTtIdMnwg==
// ==============================================================================================================
To verify this RRSIG (made with key id 34505), the resolver needs another request to fetch the zone's keys.
The DNSKEY response contains two keys and also carries its own RRSIG:
// response from cloudflare.com zone ==============================================================================================================
;; QUESTION SECTION:
;cloudflare.com. IN DNSKEY
;; ANSWER SECTION:
cloudflare.com. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== (key id: 2371)
cloudflare.com. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA== (key id: 34505)
cloudflare.com. 3600 IN RRSIG DNSKEY 13 2 3600 20210514040914 20210315040914 2371 cloudflare.com. jj+c/7Y67inA4heXnNUKBNOGI+B8Foy3wtcsgK0wXgX0ZlRhsyvc6Eys oJowpHvrz2/PCXDZD/z0yZ6eXEFADg==
// ==============================================================================================================
The RRSIG in the A response is the signature over the two A records; the RRSIG in the DNSKEY response is the signature over the two DNSKEY records, that is, over the two keys.
Flags 257 = key-signing key (KSK)
Flags 256 = zone-signing key (ZSK)
The key-signing key is used to verify the RRSIG over the DNSKEY records
The zone-signing key is used to verify all the other RRSIGs
To tidy this up a little:
- the key-signing key verifies the RRSIG of the DNSKEY records
- the zone-signing key verifies the other RRSIGs
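As an added example (my own code, not part of the original slides), the Go program below does what this step describes for the records shown above: it rebuilds the byte string that the A RRSIG from the cloudflare.com response covers (the RRSIG fields followed by the two A records in canonical order, as RFC 4034 specifies), checks the inception/expiration window, and verifies the ECDSA P-256 signature with the flags-256 zone-signing key (key id 34505) from the DNSKEY response. The record values are copied from the page; the type and function names and the tampered address 192.0.2.1 used in main are my own.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"net"
	"sort"
	"strings"
	"time"
)

// RRSIG holds the RDATA fields of an RRSIG record (RFC 4034 section 3.1).
type RRSIG struct {
	TypeCovered, KeyTag   uint16
	Algorithm, Labels     uint8
	OrigTTL               uint32
	Inception, Expiration time.Time
	SignerName            string
	Signature             []byte
}

// Values copied from the cloudflare.com responses shown on this page.
var (
	zsk, _       = base64.StdEncoding.DecodeString("oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==") // DNSKEY 256 3 13, key id 34505
	signature, _ = base64.StdEncoding.DecodeString("JMiz99Buhxb6QbD51D/ysTzsG2Rz5ifr3lRo48PkOqLjt1Az37whx8AONmA4kZAED5hJh3dZfZbNcoTtIdMnwg==") // Signature field of the A RRSIG
	// RRSIG A 13 3 300 20210416013846 20210413233846 34505 cloudflare.com.
	pageRRSIG = RRSIG{TypeCovered: 1, Algorithm: 13, Labels: 3, OrigTTL: 300, KeyTag: 34505,
		Expiration: rrsigTime("20210416013846"), Inception: rrsigTime("20210413233846"),
		SignerName: "cloudflare.com.", Signature: signature}
)
// rrsigTime parses the YYYYMMDDHHMMSS (UTC) timestamps printed in an RRSIG.
func rrsigTime(s string) time.Time {
	t, _ := time.Parse("20060102150405", s)
	return t
}

// wireName encodes a domain name in canonical (lowercase) DNS wire format.
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if label != "" {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0) // root label terminator
}

// signedData builds the octets the signature covers (RFC 4034 section 3.1.8.1): the RRSIG
// RDATA without its Signature field, then each RR in canonical form sorted by RDATA.
func signedData(sig RRSIG, owner string, rrType, rrClass uint16, rdatas [][]byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, struct{ T uint16; A, L uint8; TTL, Exp, Inc uint32; Tag uint16 }{
		sig.TypeCovered, sig.Algorithm, sig.Labels, sig.OrigTTL,
		uint32(sig.Expiration.Unix()), uint32(sig.Inception.Unix()), sig.KeyTag})
	buf.Write(wireName(sig.SignerName))
	sorted := append([][]byte(nil), rdatas...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i], sorted[j]) < 0 })
	for _, rd := range sorted {
		buf.Write(wireName(owner)) // owner name, then type, class, original TTL, RDLENGTH, RDATA
		binary.Write(&buf, binary.BigEndian, struct{ T, C uint16; TTL uint32; Len uint16 }{rrType, rrClass, sig.OrigTTL, uint16(len(rd))})
		buf.Write(rd)
	}
	return buf.Bytes()
}

// verifyECDSAP256SHA256 checks an algorithm-13 signature (RFC 6605): the DNSKEY key is X||Y and the signature r||s, 64 raw bytes each.
func verifyECDSAP256SHA256(pubKey, msg, sig []byte) bool {
	if len(pubKey) != 64 || len(sig) != 64 {
		return false
	}
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(pubKey[:32]), Y: new(big.Int).SetBytes(pubKey[32:])}
	digest := sha256.Sum256(msg)
	return ecdsa.Verify(&pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// VerifyARRset validates an A RRset for owner against the page's RRSIG and ZSK, after the validity-window check a resolver makes at time now.
func VerifyARRset(now time.Time, owner string, ips []string) (bool, error) {
	sig := pageRRSIG
	if now.Before(sig.Inception) || now.After(sig.Expiration) {
		return false, fmt.Errorf("RRSIG not valid at %s (window %s to %s)", now.UTC().Format(time.RFC3339), sig.Inception.Format(time.RFC3339), sig.Expiration.Format(time.RFC3339))
	}
	var rdatas [][]byte
	for _, ip := range ips {
		rdatas = append(rdatas, []byte(net.ParseIP(ip).To4())) // A RDATA is just the four address bytes
	}
	return verifyECDSAP256SHA256(zsk, signedData(sig, owner, 1, 1, rdatas), sig.Signature), nil
}

func main() {
	at := time.Date(2021, 4, 15, 0, 0, 0, 0, time.UTC) // inside the RRSIG validity window
	fmt.Println(VerifyARRset(at, "community.cloudflare.com.", []string{"104.16.133.229", "104.16.132.229"}))
	fmt.Println(VerifyARRset(at, "community.cloudflare.com.", []string{"104.16.133.229", "192.0.2.1"})) // tampered
}
```

Two points worth noticing: the RRset is sorted before hashing, so the order in which the nameserver listed the A records does not matter, and the RRSIG has a validity window, so the same records stop verifying after 2021-04-16 even though the signature bytes are unchanged.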
There are now two RRSIG records:
- the A records have an RRSIG
- the DNSKEY records also have an RRSIG
and two DNSKEY records:
- key-signing key
- zone-signing key
So:
- the A records are vouched for by the zone-signing key
- the zone-signing key is vouched for by the key-signing key
How do we come to trust the key-signing key?
Through the DS record handed out by the parent zone,
which is the hash of the child zone's key-signing key (in the .com response above, "cloudflare.com. 86400 IN DS 2371 13 2 ..." names key tag 2371 and algorithm 13 and carries the SHA-256 digest of the cloudflare.com DNSKEY with flags 257, key id 2371).
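As an added example (my own code, not from the slides), the following Go program checks this binding on the records shown earlier on this page: it parses the two cloudflare.com DNSKEY records, computes their key tags with the RFC 4034 Appendix B algorithm (the "key id" values 2371 and 34505 printed above) and recomputes the SHA-256 DS digest of the flags-257 key over the owner name, comparing it with the DS record that the .com zone returned. The type and function names are my own; the record values are copied from the page.

```go
package main
import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)
// Records copied from the responses on this page (dig splits long base64/hex fields with a space).
const (
	cloudflareKSK = "257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ=="
	cloudflareZSK = "256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA=="
	cloudflareDS  = "2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9"
)
// DNSKEY is the RDATA of a DNSKEY record (RFC 4034 section 2.1).
type DNSKEY struct {
	Flags     uint16 // 257 = key-signing key, 256 = zone-signing key
	Protocol  uint8  // always 3
	Algorithm uint8  // 13 = ECDSA P-256 with SHA-256
	PublicKey []byte
}

// wireName encodes a domain name in canonical (lowercase) DNS wire format.
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if label != "" {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0) // root label terminator
}

// parseDNSKEY parses the presentation format "flags protocol algorithm base64-key".
func parseDNSKEY(text string) (DNSKEY, error) {
	f := strings.Fields(text)
	if len(f) < 4 {
		return DNSKEY{}, fmt.Errorf("DNSKEY needs 4 fields: %q", text)
	}
	flags, err1 := strconv.Atoi(f[0])
	proto, err2 := strconv.Atoi(f[1])
	alg, err3 := strconv.Atoi(f[2])
	key, err4 := base64.StdEncoding.DecodeString(strings.Join(f[3:], "")) // drop dig's spaces
	if err1 != nil || err2 != nil || err3 != nil || err4 != nil {
		return DNSKEY{}, fmt.Errorf("malformed DNSKEY: %q", text)
	}
	return DNSKEY{Flags: uint16(flags), Protocol: uint8(proto), Algorithm: uint8(alg), PublicKey: key}, nil
}

// RDATA returns the wire-format RDATA: flags, protocol, algorithm, public key.
func (k DNSKEY) RDATA() []byte {
	b := make([]byte, 4, 4+len(k.PublicKey))
	binary.BigEndian.PutUint16(b, k.Flags)
	b[2], b[3] = k.Protocol, k.Algorithm
	return append(b, k.PublicKey...)
}

// KeyTag implements RFC 4034 Appendix B: a 16-bit checksum of the RDATA that RRSIG and DS
// records use to name a key (the "key id" printed next to the DNSKEY records above).
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.RDATA() {
		ac += uint32(b) << (8 * uint(^i&1)) // even offsets are the high byte of each 16-bit word
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// DSDigestSHA256 computes a digest-type-2 DS digest (RFC 4034 section 5.1.4, RFC 4509): SHA-256 over the canonical owner name followed by the RDATA.
func (k DNSKEY) DSDigestSHA256(owner string) string {
	h := sha256.New()
	h.Write(wireName(owner))
	h.Write(k.RDATA())
	return strings.ToUpper(hex.EncodeToString(h.Sum(nil)))
}

// MatchesDS reports whether a parent-zone DS record "keytag algorithm digesttype digest" vouches for this key (digest type 2 only).
func (k DNSKEY) MatchesDS(owner, dsText string) bool {
	f := strings.Fields(dsText)
	if len(f) < 4 {
		return false
	}
	tag, _ := strconv.Atoi(f[0])
	alg, _ := strconv.Atoi(f[1])
	dtype, _ := strconv.Atoi(f[2])
	return dtype == 2 && uint16(tag) == k.KeyTag() && uint8(alg) == k.Algorithm &&
		strings.ToUpper(strings.Join(f[3:], "")) == k.DSDigestSHA256(owner)
}

func main() {
	for _, txt := range []string{cloudflareKSK, cloudflareZSK} {
		k, err := parseDNSKEY(txt)
		fmt.Println("flags", k.Flags, "key tag", k.KeyTag(), "vouched for by the .com DS:", k.MatchesDS("cloudflare.com.", cloudflareDS), err)
	}
}
```

Because the owner name goes into the digest, the same DNSKEY published under a different zone name yields a different DS; the parent's DS therefore binds a specific key to a specific child zone, and only the flags-257 key is expected to match.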
Tidying up once more
- the A records are vouched for by the child zone's zone-signing key
- the child zone's zone-signing key is vouched for by its key-signing key
- the child zone's key-signing key is vouched for by the parent zone's DS record
- the parent zone's DS record is vouched for by the parent zone's zone-signing key
- the parent zone's zone-signing key is vouched for by the parent zone's key-signing key
- the parent zone's key-signing key is vouched for by the DS record in the parent zone's own parent zone
- ...
Starting from the root nameservers:
the resolver has to be preconfigured with the DS record of the root key-signing key
→ it can trust the root zone's key-signing key
→ it can trust the root zone's DNSKEY records (zone-signing key)
→ it can trust the root zone's DS records (and NS records)
→ it can trust the .com key-signing key
→ it can trust the .com DNSKEY records (zone-signing key)
→ it can trust the .com DS records (and NS records)
→ it can trust the cloudflare.com key-signing key
→ it can trust the cloudflare.com DNSKEY records (zone-signing key)
→ it can trust the cloudflare.com A records
What is there to sign when there is no data?
NSEC or NSEC3 records
// response from cloudflare.com zone
;; QUESTION SECTION:
;ttjsioj90jkljfsgr.cloudflare.com. IN A
;; AUTHORITY SECTION:
cloudflare.com. 300 IN SOA ns3.cloudflare.com. dns.cloudflare.com. 2037003995 10000 2400 604800 300
ttjsioj90jkljfsgr.cloudflare.com. 300 IN NSEC \000.ttjsioj90jkljfsgr.cloudflare.com. RRSIG NSEC
cloudflare.com. 300 IN RRSIG SOA 13 2 300 20210416052852 20210414032852 34505 cloudflare.com. Em2EYGHAQI69NYZYQtO2A/Th6C8FTLEKu6VfWrvXNNHufkazWfjZw7JO 9ALBZAK3Y7+sFNXoL4xhh7hVB40KaA==
ttjsioj90jkljfsgr.cloudflare.com. 300 IN RRSIG NSEC 13 3 300 20210416052852 20210414032852 34505 cloudflare.com. xXA4glHt7T38O5JNT12oe9EHy3BhHuxLabzHqSSNpD4XMY9iU0fr4iLs k/kkfl4+idUGqXTu1T7ShLsY1mUS+A==
// response from .com zone
;; QUESTION SECTION:
;google.com. IN A
;; AUTHORITY SECTION:
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210422042410 20210415031410 58540 com. fePohSpUOL9K9eCljlIgjwl8TiSbS1ahDo0B1FI9aIIZA3u1AuzKQgzK yRxC56l4SXq5oLvuUe8Xti4/G8ARewoTTNtgNN0KWIj7PKCNdLDSQYtu nF3HoZZLtoKomKgq6YXbdwt9+6Qern+as2SAI2pWvPPjsGVx0400tCNY C1YgPGOuMomEm/Fg/aWwW6uv/a+k7SJPSKIvJ0CLHiCmuw==
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN NSEC3 1 1 0 - S84BUO64GQCVN69RJFUO6LVC7FSLUNJ5 NS DS RRSIG
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN RRSIG NSEC3 8 2 86400 20210419042155 20210412031155 58540 com. q4Vpx7gnbxsb3HXnw9FCe203ZHl6pBDgAgVDQK3lA9eFh1XCGUbjcpwQ gjZbb7OfuSBa2Bee9J/YRMpUw11D5uXSllNfoSjdWCZvQPSKtGLVEH72 32VA1nikaRTIZEe4FDIKWjMrJJpKSYDZIUtMmg66KnQ+RN8TPTvlhUt4 NkGiIWeqwHP5eY4HhuCDaLezn4T640BB16usghh5AO+G5g==
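As an added example (my own code, not from the slides), the Go program below works through the NSEC3 response above: it parses the two NSEC3 records, hashes names the way RFC 5155 specifies (SHA-1 over the wire-format name plus the salt, iterated, rendered in base32hex), confirms that the first record's owner is the hash of the zone apex com. (the closest encloser), and checks that the hash of google.com falls inside the Opt-Out span of the second record. That pair is the RFC 5155 section 8.9 proof that the google.com delegation carries no DS record, i.e. that it is unsigned. The type and function names are my own; the record lines are copied from the page.

```go
package main
import (
	"crypto/sha1"
	"encoding/base32"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)
// The two NSEC3 records from the .com response above, copied from the page.
var pageNSEC3 = []string{
	"CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM",
	"S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN NSEC3 1 1 0 - S84BUO64GQCVN69RJFUO6LVC7FSLUNJ5 NS DS RRSIG",
}
// NSEC3 holds the parts of an NSEC3 record needed for a non-existence proof (RFC 5155).
type NSEC3 struct {
	OwnerHash  string   // hashed owner name (first label), base32hex
	NextHash   string   // next hashed name in the zone's hash order
	OptOut     bool     // flags bit 0: unsigned delegations in this span may be absent from the chain
	Iterations int
	Salt       []byte
	Types      []string // RR types present at the owner name
}

// parseNSEC3 reads one dig-style line "owner TTL IN NSEC3 alg flags iterations salt next types...".
func parseNSEC3(line string) (NSEC3, error) {
	f := strings.Fields(line)
	if len(f) < 9 || f[3] != "NSEC3" || f[4] != "1" {
		return NSEC3{}, fmt.Errorf("not a SHA-1 NSEC3 record: %q", line)
	}
	flags, err1 := strconv.Atoi(f[5])
	iters, err2 := strconv.Atoi(f[6])
	salt, err3 := hex.DecodeString(strings.TrimPrefix(f[7], "-")) // "-" means an empty salt
	if err1 != nil || err2 != nil || err3 != nil {
		return NSEC3{}, fmt.Errorf("bad flags, iterations or salt in %q", line)
	}
	return NSEC3{OwnerHash: strings.ToUpper(strings.SplitN(f[0], ".", 2)[0]), NextHash: strings.ToUpper(f[8]),
		OptOut: flags&1 == 1, Iterations: iters, Salt: salt, Types: f[9:]}, nil
}

// wireName encodes a domain name in canonical (lowercase) DNS wire format.
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if label != "" {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0) // root label terminator
}

// nsec3Hash implements RFC 5155 section 5: SHA-1(name || salt), re-hashed "iterations" more times with the salt, in base32hex without padding.
func nsec3Hash(name string, iterations int, salt []byte) string {
	h := sha1.Sum(append(wireName(name), salt...))
	for i := 0; i < iterations; i++ {
		h = sha1.Sum(append(h[:], salt...))
	}
	return base32.HexEncoding.WithPadding(base32.NoPadding).EncodeToString(h[:])
}

// covers reports whether hash lies strictly between OwnerHash and NextHash; the chain's last record wraps around to the first, so there NextHash < OwnerHash.
func (r NSEC3) covers(hash string) bool {
	if r.OwnerHash < r.NextHash {
		return r.OwnerHash < hash && hash < r.NextHash
	}
	return hash > r.OwnerHash || hash < r.NextHash
}

// ProveInsecureDelegation checks the RFC 5155 section 8.9 proof that delegation "child" in "zone" has no DS record:
// one NSEC3 matches the zone apex (the closest encloser) and an Opt-Out NSEC3 covers the child's hash.
func ProveInsecureDelegation(records []NSEC3, zone, child string) (bool, string) {
	encloser := false
	for _, r := range records {
		encloser = encloser || r.OwnerHash == nsec3Hash(zone, r.Iterations, r.Salt)
	}
	if !encloser {
		return false, "no NSEC3 matches the closest encloser " + zone
	}
	for _, r := range records {
		if h := nsec3Hash(child, r.Iterations, r.Salt); r.OptOut && r.covers(h) {
			return true, fmt.Sprintf("H(%s)=%s lies in opt-out span %s .. %s", child, h, r.OwnerHash, r.NextHash)
		}
	}
	return false, "no opt-out NSEC3 covers " + child
}

func main() {
	var records []NSEC3
	for _, line := range pageNSEC3 {
		r, err := parseNSEC3(line)
		if err != nil {
			panic(err)
		}
		records = append(records, r)
	}
	fmt.Println("H(com.) =", nsec3Hash("com.", 0, nil)) // the owner of the first record above
	fmt.Println(ProveInsecureDelegation(records, "com.", "google.com."))
}
```

The comparison works on the base32hex strings directly because that alphabet (0-9 then A-V) preserves the byte order of the hashes; the wrap-around case matters for the last record in the chain, whose NextHash points back to the smallest hash in the zone.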
Online DNSSEC analyzers

DNSSEC deployment
The root zone supports it
The vast majority of top-level domains support it too
The vast majority of websites have not enabled it
The DNSSEC mechanism can vouch for any kind of record attached to a domain,
including things that have nothing to do with looking up an IP address,
for example TLS certificates:
DANE (DNS-Based Authentication of Named Entities)
RFC 6698, RFC 7671
("in theory" this mechanism could take over the role of the CA)
Problems DNSSEC does not solve
Messages are not encrypted & the last mile

"last mile": the hop between the user and the resolver
Solutions for the last mile
Tunnel DNS messages through a TLS/HTTPS connection
DNS over TLS (DoT) (2016/05 RFC 7858, 2018/03 RFC 8310)
DNS over HTTPS (DoH) (2018/10 RFC 8484)

"last mile"
Resolver support
Quick summary
The original DNS protocol neither encrypts messages nor signs them
DNSSEC later added nameserver signatures
The mechanism is sound
but it mainly protects the resolver from being fooled
it does not cover the link between the user and the resolver
and hardly any websites have enabled it so far
There were also some other earlier approaches to making DNS more secure; they may have gone nowhere?
To solve the last mile, DNS over TLS/HTTPS is probably still needed
By luyunghsien