Appendix A: DNSSEC Terminology

 

Applies To: Windows Server 2012 R2, Windows Server 2012

The following table displays a list of Domain Name System Security Extensions (DNSSEC)-related terms used in this guide.

Term

Definition

Reference

authenticated data (AD) bit

A data bit that indicates in a response that all data that is included in the answer and authority sections of the response has been authenticated by the DNS server according to the policies of that server.

RFC 4035 [7] Section 3

authentication chain

A chain of signed and validated DNS records that extends from a preconfigured trust anchor to some child zone in the DNS tree.

RFC 4035 [7] Section 5

delegation signer (DS)

A DNSSEC resource record type that is used to secure a delegation.

RFC 4034 [6] Section 5

DNS Extension (EDNS0)

A DNS record that carries extended DNS header information, such as the DO bit and maximum UDP packet size.

RFC 2671 [3]

DNS Security Extensions (DNSSEC)

Extensions to the DNS service that provide mechanisms for signing and for securely resolving DNS data.

RFCs 4033 [5], 4034 [6], and 4035 [7]

DNSKEY

A DNSSEC resource record type that is used to store a public key.

RFC 4034 [6] Section 2

DNSSEC OK (DO) bit

A bit in the EDNS0 portion of a DNS request that signals that the client is DNSSEC-aware.

RFC 4035 [7] Section 3.2.1

double signature

A key rollover method where a future key and signatures that are generated by using it are published in the DNS zone before the existing key and its signatures are deleted. It consequently leaves two sets of keys and associated signatures in the zone at any given time.

RFC 4641

island of security

A signed zone that does not have an authentication chain from its delegating parent zone.

RFC 4033 [5] Section 2

Key Master

The DNS server that is responsible for key generation and management. It acts as the server that the administrator interacts with to set up DNSSEC.

N/A

key signing key (KSK)

An authentication key that corresponds to a private key that is used to sign one or more other signing keys for a given zone. Typically, the private key that corresponds to a KSK signs a zone signing key (ZSK), which in turn has a corresponding private key that signs other zone data. Local policy can require that the ZSK be changed frequently, while the KSK can have a longer validity period in order to provide a more stable, secure entry point into the zone. Designating an authentication key as a KSK is purely an operational issue: DNSSEC validation does not distinguish between KSKs and other DNSSEC authentication keys. It is possible to use a single key as both a KSK and a ZSK.

RFC 4033 section 2

Next Secure (NSEC) resource record

A DNSSEC resource record type that is used to prove nonexistence of a DNS name.

RFC 4034 [6] Section 4

Next Secure 3 (NSEC3)

The NSEC3 resource record that provides hashed, authenticated denial of existence for DNS resource record sets.

RFC 5155 Section 3

non-validating security-aware stub resolver

A security-aware stub resolver that trusts one or more security-aware DNS servers to perform DNSSEC validation on its behalf.

RFC 4033 [5] Section 2

offline zone signing

The process of signing or re-signing a file that contains the DNS data for a zone on a computer that is not an authoritative DNS server for the zone. Ideally, the computer on which zone signing is performed is not connected to a network. The signed zone file that is created by this process can then be transferred to an authoritative DNS server and be loaded.

RFC 4035 [7] Section 2

online zone signing

The process of signing or of incrementally re-signing a zone while it is loaded by the DNS server. Signing or incrementally re-signing requires that private keys are accessible to the DNS server process; therefore, this process is less secure than offline zone signing.

RFC 4035 [7] Section 2

pre-publication

A key rollover method where a key is added for future use and published in the DNS zone without generating any signatures.

RFC 4641

resource record set (RRSet)

A record set where each DNS resource record (RR) has a label, class, type, and data. It is meaningless for two records to ever have label, class, type, and data all equal. Servers should suppress such duplicates if they are encountered. It is, however, possible for most record types to exist with the same label, class, and type, but with different data. Such a group of records is hereby defined to be a resource record set (RRSet).

RFC 2181

resource record signature (RRSIG)

A DNSSEC resource record type that is used to hold a signature, which covers a set of DNS records for a particular name and type.

See RFC 4034 [6] Section 3

secure entry point (SEP) key

A subset of public keys within the DNSKEY RRSet. A SEP key is used either to generate a DS RR or is distributed to resolvers that use the key as a trust anchor.

RFC 3757

security-aware DNS server

A DNS server that implements the DNS security extensions as defined in RFCs 4033 [5], 4034 [6], and 4035 [7]. In particular, a security-aware DNS server is an entity that receives DNS queries, sends DNS responses, supports the EDNS0 [3] message size extension and the DO bit, and supports the DNSSEC record types and message header bits.

RFCs 4033 [5], 4034 [6], and 4035 [7]

security-aware resolver

A resolver that implements the DNS security extensions as defined in RFCs 4033 [5], 4034 [6], and 4035 [7]. In particular, a security-aware resolver is an entity that sends DNS queries, receives DNS responses, supports the EDNS0 [3] message size extension and the DO bit, and supports the DNSSEC resource record types and message header bits.

RFC 4033 [5] Section 2

signed zone

A zone whose records are signed as defined by RFC 4035 [7] Section 2. A signed zone can contain DNSKEY, NSEC, NSEC3, NSEC3PARAM, RRSIG, and DS resource records. These resource records enable DNS data to be validated by resolvers.

RFC 4035 [7] Section 2

signing key descriptor (SKD)

A collection of cryptographic keys and parameters that describe how to generate and maintain signing keys and signatures. An SKD is not the same as a signing key, but all signing keys are associated to an SKD. The unique identifier for an SKD is displayed as a GUID in DNSSEC properties of a signing key in DNS Manager, and this GUID is the value that must be provided for the KeyId parameter in Windows PowerShell in certain cmdlets, for example: Set-DnsServerSigningKey.

DNS_RPC_SKD

trust anchor

A preconfigured public key that is associated with a particular zone. A trust anchor enables a DNS resolver to validate signed DNSSEC resource records for that zone and to build authentication chains to child zones.

RFC 4033 [5] Section 2

unsigned zone

Any DNS zone that has not been signed as defined by RFC 4035 [7] Section 2.

RFC 4035 [7] Section 2

zone signing key (ZSK)

An authentication key that corresponds to a private key that is used to sign a zone. Typically, a zone signing key is part of the same DNSKEY RRSet as the key signing key whose corresponding private key signs this DNSKEY RRSet, but the zone signing key is used for a slightly different purpose and can differ from the key signing key in other ways, such as in validity lifetime. Designating an authentication key as a zone signing key is purely an operational issue; DNSSEC validation does not distinguish between zone signing keys and other DNSSEC authentication keys. It is possible to use a single key as both a key signing key and a zone signing key.

RFC 4033 section 2