What makes DNSSEC immune to a MITM attack?

Why can't I sign a key for example.com and get this to a resolving nameserver or client before they can get it from the real source?

Bill Gray
  • The integrity verification part will probably stop you from getting invalid data to the DNSSEC resolver. – nik Aug 02 '09 at 03:19

2 Answers


MITM isn't impossible, it just requires a lot more effort. Due to the integrity verification process Keith and Nik pointed out, you'll have to spoof not just the target example.com domain, but also .com and . (once it gets signed). Which means that simple cache-poisoning will no longer work, you have to completely subvert the target's entire resolver stream.

It works like SSL in a lot of ways. The root domain has delegation-signer records that are used to verify that the child domain (.com in this case) resolver is really the correct resolver. This repeats for each child domain until you get to a hostname. The actual verification process works in reverse, in that it goes up the tree until it gets to an unsigned level and verifies from there. DNS attackers will have to fake the entire resolver tree up to the signed root (be that .com or .) in order to succeed. This is why getting DNS-root signed is such a big deal.

A lot of how DNSSEC improves security is by making it a lot harder to feed bad data into resolver caches and by improving resistance to playing games with the DNS transaction process between clients and legitimate resolvers. A fully compromised DNS server will still return bad data even if it is using DNSSEC, and an in-line proxy rewriting DNS requests on the wire would have to fake every single DNS request, not just the intended ones, but that's a harder problem to solve in general, as well as harder to get into place in the first place.

  • So if you control the recursive server for a non-recursive client (and many clients aren't) then you can spoof? I guess you need to trust the server you rely on for your recursive look ups. – David Pashley Aug 02 '09 at 07:58
  • @david That's about right. Though it looks like Windows 7 will have DNSSEC stuff in it, so even that'll take some jiggery pokery to make work (for Windows anyway). – sysadmin1138 Aug 02 '09 at 16:18
  • To clarify, MITM is _almost_ impossible, and certainly impractical with current computers and cracking algorithms. Strictly speaking DNSSEC is "end-to-end" only if the client end does its own validation. – Alnitak Aug 02 '09 at 19:54
  • why is it harder to fake the whole tree though? – Bill Gray Aug 02 '09 at 23:34
  • Just came across the question, and this answer is quite misleading. **MITM is not possible with DNSSEC** because DNSSEC-enabled recursive resolvers already have a pre-shared trust anchor for the root zone. All the rest descends from root and is signed-by-key-which-in-turn-signed-by-key-which-in-turn-signed-by-key-which-signed-by-ROOT, thus the attacker can't inject any untrusted data. The only practical ways to circumvent DNSSEC are to compromise DNS servers or steal private keys. (Breaking RSA keys doesn't count as practical.) – Sandman4 May 24 '12 at 15:23

This article explains it a bit. A quick snippet, "What is DNSSEC?":

  • DNSSEC is a proposed Internet standard that modifies DNS resource records and protocols to provide security for query and response transactions made between domain name resolvers and nameservers. Specifically, the security DNSSEC provides includes:

  • Integrity verification: a DNS resolver can determine that information received from a nameserver has not been tampered with in transit

  • Source authentication: a DNS resolver can determine that the information received originated from an authoritative nameserver

  • Authenticated denial of existence: a DNS resolver can verify that a particular query is unresolvable because no DNS record actually exists on the authoritative nameserver

  • I've read up on it, but still don't see why a MITM attack is not possible. – Bill Gray Aug 02 '09 at 04:11
  • Nothing is impossible, but (despite your previous assertions) cracking 1024 bit+ RSA keys is very, very, very difficult. That's what it takes to perform a MITM attack. – Alnitak Aug 02 '09 at 21:41
  • Cracking 1024 bit keys has been shown not to be that hard. It is probably partly why the keys have a 30 day lifetime. My question is, why do you even have to crack the keys? Why can't I just pass fake keys for all keys? – Bill Gray Aug 03 '09 at 06:36
  • because the signature for each key is stored in the parent zone (DS record). And the root zone's key is downloaded offline (out of band) and pre-configured in your DNS server. – Alnitak Aug 03 '09 at 10:49
  • What if I make fake keys and signatures to a client who has not yet received any, how will they know they are fake? If I can control everything going to the client, can't I still screw with everything? – Bill Gray Aug 04 '09 at 02:02
  • DNSSEC relies on bootstrapping an initial trust-anchor (ideally that for the root when it's signed later this year). That's the only weak point at which a fake key might be believed, hence why the distribution systems for that rely on out-of-band mechanisms and PGP, etc. – Alnitak Aug 04 '09 at 16:34
  • So this initial trust anchor, say the root certs, will have to be provided to all clients? Will it then become an attack to replace this initial trust anchor and redirect dns queries? – Bill Gray Aug 06 '09 at 13:18
  • Only clients that do validation themselves need the cert. You don't need them if you trust your upstream DNS server (e.g. at your ISP) to validate for you. As an attack vector, no, it's no more so than, for example, replacing the CA certs installed in your browsers (which AFAIK has never been attempted). In any event, the attacker would have to replace _every_ cert in the chain, so to spoof www.example.com they'd have to spoof three separate certs. – Alnitak Aug 10 '09 at 13:22
  • @Alnitak: `replacing the CA certs installed in your browser` it has just been half a decade from that comment and we get Superfish. – Lie Ryan Jun 12 '15 at 13:32
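The chain of trust described in the first answer (DS records in the parent vouching for the child's key, a signed root) and in Alnitak's comments (the DS in the parent zone, the root key configured out of band as a trust anchor), worked through as an added example; this is not code from the original thread. It assumes toy textbook RSA over small Mersenne primes in place of real DNSSEC algorithms and key sizes, a single key per zone instead of separate KSK/ZSK, a simplified RRSIG input, and constructed zones and addresses; the names `Zone`, `validate`, `signed_tree` and the `attack_*` functions are this example's own.

```python
import copy
import hashlib

E = 65537
# 2^k - 1 is prime for every k below (Mersenne primes). Toy-sized RSA moduli built
# from them are an assumption of this example, not real DNSSEC algorithms or sizes.
MERSENNE = {k: (1 << k) - 1 for k in (127, 107, 89, 61, 31, 19, 17, 13)}

# Toy crypto helpers: textbook RSA over a SHA-256 digest reduced mod n.
def make_key(p, q):  # returns ((n, e), (n, d))
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))
def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(_h(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data, pub[0])
def dnskey_rdata(pub):  # DNSKEY record data: the public key, as the zone publishes it
    return b"%d %d" % pub
def parse_dnskey(rdata):
    return tuple(map(int, rdata.split()))
def ds_rdata(owner, pub):  # DS record, published by the PARENT: hash of child name + DNSKEY
    return hashlib.sha256(owner.encode() + dnskey_rdata(pub)).digest()
def rr_bytes(owner, rtype, rdata):  # what an RRSIG covers in this toy model
    return owner.encode() + rtype.encode() + rdata

class Zone:
    """A signed zone; one key plays both the KSK and ZSK roles (simplification)."""
    def __init__(self, name, keypair, rrsets):
        self.pub, priv = keypair
        self.rrsets = {**rrsets, (name, "DNSKEY"): dnskey_rdata(self.pub)}
        # An RRSIG over every RRset, produced with the zone's private key.
        self.rrsigs = {k: sign(priv, rr_bytes(*k, v)) for k, v in self.rrsets.items()}
    def get(self, owner, rtype):
        return self.rrsets.get((owner, rtype)), self.rrsigs.get((owner, rtype))

def zone_chain(zones, qname):
    """Zones from the root down to the one holding qname, e.g. ['.', 'com.', 'example.com.']."""
    labels = qname.rstrip(".").split(".")
    cands = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return [z for z in cands if z in zones]

def validate(zones, trust_anchor_ds, qname, qtype):
    """Validating resolver: walk root -> leaf. Returns (secure, reason, rdata)."""
    expected_ds, chain = trust_anchor_ds, zone_chain(zones, qname)
    for i, zname in enumerate(chain):
        key_rdata, key_sig = zones[zname].get(zname, "DNSKEY")
        pub = parse_dnskey(key_rdata)
        # 1. The key must be the one the parent (or, for the root, the trust anchor) vouches for.
        if ds_rdata(zname, pub) != expected_ds:
            return False, f"DS does not match DNSKEY of {zname}", None
        # 2. The DNSKEY RRset must be signed by that key.
        if not verify(pub, rr_bytes(zname, "DNSKEY", key_rdata), key_sig):
            return False, f"bad RRSIG over DNSKEY of {zname}", None
        # 3. Descend: the child's DS must carry a valid RRSIG from THIS zone's key.
        if i + 1 < len(chain):
            ds, ds_sig = zones[zname].get(chain[i + 1], "DS")
            if ds is None or not verify(pub, rr_bytes(chain[i + 1], "DS", ds), ds_sig):
                return False, f"no valid DS for {chain[i + 1]} in {zname}", None
            expected_ds = ds
    rdata, sig = zones[chain[-1]].get(qname, qtype)
    if rdata is None or not verify(pub, rr_bytes(qname, qtype, rdata), sig):
        return False, f"bad RRSIG over {qname} {qtype}", None
    return True, "secure", rdata

# Constructed sample data: three legitimate zone keys, one attacker key, two addresses.
ROOT_KEY, COM_KEY = make_key(MERSENNE[127], MERSENNE[89]), make_key(MERSENNE[107], MERSENNE[61])
EXAMPLE_KEY, ATTACKER_KEY = make_key(MERSENNE[31], MERSENNE[19]), make_key(MERSENNE[17], MERSENNE[13])
REAL_ADDR, EVIL_ADDR = b"192.0.2.10", b"198.51.100.66"

def signed_tree(root_key, com_key, example_key, addr):
    return {
        ".": Zone(".", root_key, {("com.", "DS"): ds_rdata("com.", com_key[0])}),
        "com.": Zone("com.", com_key, {("example.com.", "DS"): ds_rdata("example.com.", example_key[0])}),
        "example.com.": Zone("example.com.", example_key, {("www.example.com.", "A"): addr}),
    }

LEGIT = signed_tree(ROOT_KEY, COM_KEY, EXAMPLE_KEY, REAL_ADDR)
TRUST_ANCHOR = ds_rdata(".", ROOT_KEY[0])  # shipped with the resolver, obtained out of band
FAKE = signed_tree(ATTACKER_KEY, ATTACKER_KEY, ATTACKER_KEY, EVIL_ADDR)
Q = ("www.example.com.", "A")

def attack_rewrite_answer():  # on-path attacker rewrites the A record but cannot re-sign it
    zones = copy.deepcopy(LEGIT)
    zones["example.com."].rrsets[Q] = EVIL_ADDR
    return validate(zones, TRUST_ANCHOR, *Q)
def attack_fake_leaf():  # the question's scenario: example.com signed with the attacker's own key
    return validate({**LEGIT, "example.com.": FAKE["example.com."]}, TRUST_ANCHOR, *Q)
def attack_fake_whole_tree():  # forge example.com, com AND the root; resolver keeps the real anchor
    return validate(FAKE, TRUST_ANCHOR, *Q)
def attack_replace_trust_anchor():  # the one thing that works: swap the resolver's trust anchor
    return validate(FAKE, ds_rdata(".", ATTACKER_KEY[0]), *Q)
```

`validate(LEGIT, TRUST_ANCHOR, *Q)` returns the real address as secure. The three attacks that leave the trust anchor alone all fail, each at the exact point the answers describe: a rewritten record fails its RRSIG; a self-signed example.com fails because the DS that .com signed over the real key does not match the attacker's DNSKEY; and a completely forged tree fails at the root, because the attacker's root DNSKEY does not match the pre-configured anchor. Only replacing the anchor itself, Alnitak's "only weak point", makes the forged tree validate, which is why it is distributed out of band and why a client that does not validate must trust whichever recursive server it uses.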