DNSSEC, short for DNS Security Extensions, provides a security extension to the all-important DNS system. A nice intro can be found on Wikipedia. This is a part of a series on DNSSEC:

  1. The RRSIG record
  2. The NSEC and NSEC3 record
  3. The DNSKEY and DS record
  4. Implementation

The RRSIG record is the basic building block of DNSSEC. It accompanies every Resource Record Set (RRset) and provides a digital signature over the provided data. This record is only supplied if the client indicates that it understands DNSSEC, which it does by setting the DO (DNSSEC OK) flag (part of EDNS). If the server adds this record, it can be used to prove that the received data is authentic and hasn’t been tampered with (or to prove the opposite). If, on the other hand, the response doesn’t contain RRSIG records, there are two possibilities: most likely the zone just doesn’t use DNSSEC, but it’s also possible that the response has been tampered with and had its RRSIG records removed. Unless you have some prior knowledge, it’s impossible to know which case you’re in. This should be solved once the root zone becomes signed in July 2010.

The record data

ripe.net.        165001 IN A 193.0.6.139
ripe.net.        165001 IN RRSIG    A 5 2 172800 20100203123710 (
                         20100104123710 53562 ripe.net.
                         f9f11o1gl54uVZKlEGYm7hX9HZR5Hh4gYaWi9EuImPx7
                         pBD0OGluG48vMmXDIoPmu0iWi6Y9yhqKm3SsPKHUuOHB
                         +YFD+5ACXh6X8eqNzYo3vw/mik2bRNFB1nyE4gATAgaw
                         hJZy8o2BB/QgX7QE3V0hxN1Qvdy6roldSEcAJq7HsJmz
                         aR2T7F6GLaon6qOH9tLpNWAD )

This is a summary of RFC 4034, chapter 3.

  1. The type covered field: Which type of data is covered by this signature. In this case, the preceding A-record.
  2. The algorithm field: Indicates the algorithm used to calculate the signature. In this case 5 (RSA/SHA1).
  3. The labels field: Indicates how many labels the original owner name has. In this case 2 (i.e. ripe.net). This field makes it possible to tell whether the RRSIG was synthesized from a wildcard record.
  4. The original TTL field: The TTL of the record on the authoritative name server. In this case 172800 seconds.
  5. Signature expiration and inception: Indicate the period during which this signature is valid. In this case from the 4th of January 2010 till roughly a month later.
  6. The key tag field: The key-id of the key used to produce this signature.
  7. The signer’s name field: The owner name of the DNSKEY record that contains the key used to produce this signature.
  8. The signature field: The signature itself. It secures the records identified by its name and “type covered” field, as well as all previous fields of the RRSIG record itself.
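
The fields above can be checked before any cryptography is done. The following is an added example, not code from the original post: it parses the ripe.net RRSIG shown earlier and applies the validity-window and labels checks. The function names are hypothetical, and the signature is replaced by a short constructed placeholder.

```python
from collections import namedtuple
from datetime import datetime, timezone

# RRSIG from the listing above; the signature is swapped for a short
# constructed placeholder because only the fields before it are checked here.
RRSIG_TEXT = """ripe.net. 165001 IN RRSIG A 5 2 172800 20100203123710 (
                    20100104123710 53562 ripe.net. c2lnbmF0dXJl )"""

Rrsig = namedtuple("Rrsig", "owner type_covered algorithm labels original_ttl "
                            "expiration inception key_tag signer signature_b64")

def _ts(text):
    # Presentation format is YYYYMMDDHHmmSS, always in UTC (RFC 4034, 3.2).
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(text):
    # Parentheses only group a multi-line record; drop them and tokenize.
    tok = text.replace("(", " ").replace(")", " ").split()
    if len(tok) < 13 or tok[3].upper() != "RRSIG":
        raise ValueError("expected 'owner ttl class RRSIG <rdata>'")
    # Note the order on the wire and in text: expiration comes before inception.
    return Rrsig(tok[0].lower(), tok[4].upper(), int(tok[5]), int(tok[6]),
                 int(tok[7]), _ts(tok[8]), _ts(tok[9]), int(tok[10]),
                 tok[11].lower(), "".join(tok[12:]))

def owner_label_count(name):
    # The root label and a leading "*" are not counted (RFC 4034, 3.1.3).
    labels = [l for l in name.rstrip(".").split(".") if l]
    return len(labels) - (1 if labels and labels[0] == "*" else 0)

def is_wildcard_expansion(sig):
    # Fewer labels in the RRSIG than in the owner name: the answer was
    # synthesized from a wildcard.
    return sig.labels < owner_label_count(sig.owner)

def check_rrsig(sig, now):
    """Reasons to reject this RRSIG before any signature verification."""
    problems = []
    if now < sig.inception:
        problems.append("not yet valid")
    if now > sig.expiration:
        problems.append("expired")
    if sig.labels > owner_label_count(sig.owner):
        problems.append("labels field exceeds owner name")
    return problems
```

An empty list from `check_rrsig` only means the record is worth verifying; the signature itself still has to be validated against the DNSKEY named by the key tag and signer's name.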