The whole fabric of the Internet is based on trust. When you type in a domain name like Facebook.com, your computer or phone magically gets you to the right web site. If you use an app, the same thing happens behind the scenes. In the case of Facebook, your computer is able to find the address of their server as 157.240.17.35 (or 2a03:2880:f113:83:face:b00c::25de). That address is subject to change and it is something that anyone can look up. Facebook operates many data centers do you may actually get a different response depending upon where you are in the world. Once it has the IP address, it knows how to make a connection. The problem is, how do we know that someone is not eavesdropping on that conversation. The answer to that question has two parts. First we need to make sure that the conversation is private and second we need to make sure we are actually talking to Facebook.
To ensure that the conversation is private we use TLS encryption. Most major web sites support this and it is becoming more common. There are different levels of TLS but at its most basic, it provides an opaque tunnel through which you have have a conversation and not worry about someone else seeing your conversation. This includes your ISP or a bad guy at Starbucks.
To ensure that the IP address lookup is coming from a trusted source, we need DNSSEC. DNSSEC stands for Secure DNS. It uses a simple mathematical calculation to verify information publicly available on the Internet. With this information, a chain of security is built.
Let’s look at that chain from the computer’s point of view using facebook.com as the example. Your computer has in its setup the IP addresses of one or more DNS servers that have the sole responsibility to take care of these lookups. The DNS server take that request and checks to see if it already knows the answer. If it does, it responds with the answer and it’s done. If it does not know the answer then it starts walking through the domain name. It looks at the domain in reverse order and pretends that it ends with a period. That implied dot is the root of the Internet. There are actually 13 root name servers that serve the entire Internet. From these root name servers we can get the name server for the Top Level Domain (TLD) of the queried domain. In this case we are talking about .com. Then we go to those name servers and ask for the name servers for the second level domain. In this case we get the name servers that Facebook has designated as trusted, namely a.ns.facebook.com and b.ns.facebook.com. You can do this yourself using the whois command line program.
$ whois facebook.com | grep 'Name Server'
You can also use a program called nslookup to lookup the responses from these server. We use the “set type=NS” command to tell the program that we want to get back the name servers for this domain.
$ nslookup
> set type=NS
> facebook.com
Server: 127.0.0.54
Address: 127.0.0.54#53
Non-authoritative answer:
facebook.com nameserver = a.ns.facebook.com.
facebook.com nameserver = b.ns.facebook.com.
Finally you can us a program called dig to look up the dnssec information.
$ dig @a.ns.facebook.com. facebook.com +dnssec +multi
; <<>> DiG 9.9.7-P3 <<>> @a.ns.facebook.com. facebook.com +dnssec +multi
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57064
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;facebook.com. IN A
;; ANSWER SECTION:
facebook.com. 300 IN A 31.13.76.68
;; AUTHORITY SECTION:
facebook.com. 172800 IN NS a.ns.facebook.com.
facebook.com. 172800 IN NS b.ns.facebook.com.
;; ADDITIONAL SECTION:
a.ns.facebook.com. 172800 IN AAAA 2a03:2880:fffe:c:face:b00c::35
a.ns.facebook.com. 172800 IN A 69.171.239.12
b.ns.facebook.com. 172800 IN AAAA 2a03:2880:ffff:c:face:b00c::35
b.ns.facebook.com. 172800 IN A 69.171.255.12
;; Query time: 28 msec
;; SERVER: 2a03:2880:fffe:c:face:b00c::35#53(2a03:2880:fffe:c:face:b00c::35)
;; WHEN: Mon Sep 04 14:09:45 CDT 2017
;; MSG SIZE rcvd: 180
In the end the easiest way to verify that your domain is protected using DNSSEC is to use a third party verification service. One such service is DNSViz.
http://dnsviz.net/d/xevio.us/dnssec/
DNSViz displays a visual representation of this chain of trust going back to the root servers. On their site you can mouse over each link in the chain to see the calculated and verified status.