articles/dns/dnssec.md
17 additions & 3 deletions
@@ -5,7 +5,7 @@ author: greg-lindsay
5
5
manager: KumuD
6
6
ms.service: azure-dns
7
7
ms.topic: article
8
-
ms.date: 10/09/2024
8
+
ms.date: 10/22/2024
9
9
ms.author: greglin
10
10
---
11
11
@@ -47,7 +47,11 @@ Resource Record Signatures (RRSIGs) and other cryptographic records are added to
47
47
48
48
## Why sign a zone with DNSSEC?
49
49
50
-
DNSSEC validation of DNS responses can prevent common types of DNS hijacking attacks, also known as DNS redirection. DNS hijacking occurs when a client device is redirected to a malicious server by using incorrect (spoofed) DNS responses. An example of how DNS hijacking works is shown in the following figure.
50
+
Signing a zone with DNSSEC is required for compliance with some security guidelines, such as SC-20: Secure Name/Address Resolution Service.
51
+
52
+
DNSSEC validation of DNS responses can prevent common types of DNS hijacking attacks, also known as DNS redirection. DNS hijacking occurs when a client device is redirected to a malicious server by using incorrect (spoofed) DNS responses. DNS cache poisoning is a common method used to spoof DNS responses.
53
+
54
+
An example of how DNS hijacking works is shown in the following figure.
51
55
52
56

53
57
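Review bot: the new compliance sentence cites "SC-20: Secure Name/Address Resolution Service" without saying where the control comes from; name it as the NIST SP 800-53 control and link to it, and be precise about scope: SC-20 covers the authoritative side (signing the zone you serve), while validation on the recursive resolver is the separate SC-21 control, so signing a zone does not by itself satisfy a validating-resolver requirement. "Some security guidelines" should also say which ones, since a reader cannot act on the vague plural. The cache-poisoning sentence would be more useful tied to the mechanism, for example "DNS cache poisoning, in which forged records are injected into a recursive resolver's cache, is a common method used to spoof DNS responses", which also makes clear why a validating resolver can reject the forged answer when the zone is signed.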
@@ -67,6 +71,8 @@ The type of DNS resource record that is spoofed depends on the type of DNS hijac
67
71
68
72
DNSSEC works to prevent DNS hijacking by performing validation on DNS responses. In the DNS hijacking scenario pictured here, the client device can reject non-validated DNS responses if the contoso.com domain is signed with DNSSEC. To reject non-validated DNS responses, the client device must enforce [DNSSEC validation](#dnssec-validation) for contoso.com.
69
73
74
+
DNSSEC also includes Next Secure 3 (NSEC3) to prevent zone enumeration. Zone enumeration, also known as zone walking, is an attack whereby the attacker establishes a list of all names in a zone, including child zones.
75
+
70
76
Before you sign a zone with DNSSEC, be sure to understand [how DNSSEC works](#how-dnssec-works). When you are ready to sign a zone, see [How to sign your Azure Public DNS zone with DNSSEC](dnssec-how-to.md).
71
77
72
78
## DNSSEC validation
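Review bot: "NSEC3 to prevent zone enumeration" overstates what NSEC3 does. NSEC3 replaces the plaintext NSEC chain with hashed owner names, which makes walking the zone much harder but does not prevent it: the hashes can still be collected and attacked offline with a dictionary, so "to make zone enumeration harder" or "to mitigate zone enumeration" is the accurate wording. Since the surrounding sections describe Azure behavior, this paragraph should also say whether Azure Public DNS signs zones with NSEC or NSEC3; as written it only describes the standard. Finally, "including child zones" should read "including the names of delegated child zones": enumerating a zone reveals its delegation points, not the contents of the child zones, which are separate zones with their own chains.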
@@ -84,7 +90,7 @@ Windows 10 and Windows 11 client devices are [nonvalidating security-aware stub
84
90
### Trust anchors and DNSSEC validation
85
91
86
92
> [!NOTE]
87
-
> DNSSEC validation is not performed by the default Azure-provided resolver. The information in this section is helpful if you are setting up your own recursive DNS servers for DNSSEC validation or troubleshooting validation issues.
93
+
> DNSSEC response validation is not performed by the default Azure-provided resolver. The information in this section is helpful if you are setting up your own recursive DNS servers for DNSSEC validation or troubleshooting validation issues.
88
94
89
95
Trust anchors operate based on the DNS namespace hierarchy. A recursive DNS server can have any number of trust anchors, or no trust anchors. Trust anchors can be added for a single child DNS zone, or any parent zone. If a recursive DNS server has a root (.) trust anchor, then it can perform DNSSEC validation on any DNS zone.
90
96
@@ -113,6 +119,14 @@ Recursive DNS servers (also called resolving or caching DNS servers) maintain a
113
119
- Trust anchors must be manually installed on recursive DNS servers.
114
120
- If a trust anchor for a parent zone is present, a recursive server can validate all child zones in the hierarchical namespace. This includes forwarded queries. To support DNSSEC validation of all DNSSEC-signed DNS zones, you can install a trust anchor for the root (.) zone.
115
121
122
+
## Key rollover
123
+
124
+
The zone signing key (ZSK) in a DNSSEC-signed zone is periodically rolled over (replaced) automatically by Azure. It should not be necessary to replace your key signing key (KSK), but this option is available by contacting Microsoft support. Replacing the KSK requires that you also update your DS record in the parent zone.
125
+
126
+
## Zone signing Algorithm
127
+
128
+
Zones are DNSSEC signed using Elliptic Curve Digital Signature Algorithm (ECDSAP256SHA256).
129
+
116
130
## DNSSEC-related resource records
117
131
118
132
The following table provides a short description of DNSSEC-related records. For more detailed information, see [RFC 4034: Resource Records for the DNS Security Extensions](https://datatracker.ietf.org/doc/html/rfc4034) and [RFC 7344: Automating DNSSEC Delegation Trust Maintenance](https://datatracker.ietf.org/doc/html/rfc7344).
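Review bot: the key rollover section says the ZSK is rolled "periodically" but gives no interval; state the rollover period so operators can correlate RRSIG validity windows and plan TTLs around it. It should also say explicitly that automatic ZSK rollover never requires a DS change (only the KSK is hashed into the DS record), and that a KSK replacement has to follow the rollover ordering from RFC 6781 rather than a single swap: publish the new KSK alongside the old one, add the new DS at the parent, wait for the old DS and DNSKEY TTLs to expire, then remove the old key. The current "you also update your DS record" reads as one step and, if the old DS is removed before the new DNSKEY is visible, causes a validation outage for every validating resolver. In the algorithm section, give the DNSSEC algorithm number (ECDSAP256SHA256 is algorithm 13, RFC 6605), expand it as ECDSA on curve P-256 with SHA-256, and say whether it applies to both the KSK and the ZSK. Heading case is also inconsistent: "## Zone signing Algorithm" should be "## Zone signing algorithm" to match "## Key rollover" and "## DNSSEC validation".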