Thank you Adrian. You are a blessing for the IT world. I follow you on LinkedIn, Slack. I live in France.
thanks, glad you like it :)
great videos, the best found so far, excellent job. Great EVERYTHING!
Glad you enjoyed it! check out my AWS courses at learn.cantrill.io if you haven't already :)
Great video, thank you for this high quality content
Now I can't imagine explaining chain of trust to someone without referring notes 💀
It is complex, and the flow goes here and there.
it's funny, once you understand it 100% ... it's like riding a bike, you just 'get it'. I know that seems crazy right now, but DNS is the same way.
I have a question: if I modify/change any DNS record or add any new entry, do I need to regenerate the DS?
Hi, great video lessons, they're easy to follow and understand. I have a question though: how is the KSK generated, and if we want to change our zone's KSK, do we need to involve the parent zone and update its DS records?
That's the reason we have a KSK and a ZSK. The idea is that you guard KSKs much more carefully, because you do need the involvement of the parent zone if they change. So generally it's the ZSKs which rotate, and the KSKs which are more static and guarded.
Thank you so much, and I have a little question: why should a zone have its own public KSK in its DNSKEY RRset?
How else would anything be able to validate the private KSK which is used?
I just didn't get one thing: does the end user that originates the request have to verify the chain of trust as well?
The end user or their resolver.
Thank you very much
You are welcome
I'm very very new to IT and also new to blockchain tech, but just from my very very basic understanding of the two, it seems like blockchain would streamline this (to me) very complicated process.
As a side note... My personal key chain has my car key fob and my apartment key fob. I don't like carrying too many keys in my pocket and DNSSEC has wayyyy too many keys =P haha!
> My personal key chain has my car key fob and my apartment key fob
And the same is true for DNSSEC where you only need to worry about a small number of keys.
But using your analogy, other people would have their keys to worry about... which you don't need to worry about.
That's why DNS is hierarchical... you only worry about your bit.
Technically it is a vertical blockchain to some degree. Just look at the Validation Flow slide.
🐐
😸
So I thought I'd write this out:
1. You get an RRset. Need to verify it's real? How? Check for the RRSIG for it, and use the RRSIG to verify the RRset is real.
2. How? Use the ZSK (DNSKEY 256) to check the RRSIG.
3. Need to verify the ZSK is real? How? Check for the ZSK RRSIG, and use the ZSK RRSIG to verify it's real.
4. How? Use the KSK (DNSKEY 257).
5. How to verify the KSK is real? Oh, there's a DS record in the parent that's a hash.
6. How to verify that is real? Check the RRSIG (start again).
Let me know if it helps.
Thanks for responding.
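The validation loop written out in the post above, as an added example that is not part of the original thread or of the course it discusses: a self-contained Python model of the chain of trust, which also exercises the two earlier questions (whether changing a record needs a new DS, and what a KSK change needs from the parent). Assumptions, labelled in the code as well: toy RSA built from Mersenne primes stands in for real DNSSEC signing algorithms (it is far too small to be secure and is used only so the block runs without a crypto library), the RRset canonical form is simplified, and the zones, keys and records are constructed; the DS digest (type 2) and key tag computations follow RFC 4034.

```python
# Added example, not from the original thread: a miniature DNSSEC chain-of-trust validator. Assumptions:
# toy RSA keys from Mersenne primes (insecure, used only to avoid dependencies), RFC 4034 DS digest
# type 2 and key tag, a simplified RRset canonical form, and a constructed zone hierarchy.
import hashlib

E = 65537                         # RSA public exponent
ZSK_FLAGS, KSK_FLAGS = 256, 257   # 256 = Zone Key; 257 = Zone Key + Secure Entry Point (the KSK)
PRIMES = [2**127 - 1, 2**107 - 1, 2**89 - 1, 2**61 - 1, 2**31 - 1, 2**19 - 1]  # toy key material

def wire_name(name):   # canonical wire-format owner name: length-prefixed lowercase labels + 0x00
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def key_tag(rdata):   # RFC 4034 Appendix B: the 16-bit tag an RRSIG uses to name its DNSKEY
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF
def canonical(owner, rtype, rdatas):   # simplified signed form of an RRset: owner || type || sorted RDATA
    return wire_name(owner) + rtype.encode() + b"".join(sorted(rdatas))
def ds_digest(owner, key):   # DS RDATA, digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA)
    return hashlib.sha256(wire_name(owner) + key.rdata).digest()
def parent_of(name):
    return name.split(".", 1)[1] or "."

class Key:   # a DNSKEY; d is the private exponent and is None for keys parsed from published RDATA
    def __init__(self, flags, n, d=None):
        self.flags, self.n, self.d = flags, n, d
        self.rdata = flags.to_bytes(2, "big") + bytes([3, 8]) + n.to_bytes(32, "big")  # protocol 3, alg 8
        self.tag = key_tag(self.rdata)
    @classmethod
    def from_rdata(cls, rdata):   # what a validator gets back out of a DNSKEY RRset: the public part only
        return cls(int.from_bytes(rdata[:2], "big"), int.from_bytes(rdata[4:], "big"))
    def sign(self, data):   # toy RSA: SHA-256(data) reduced mod n, raised to the private exponent
        return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % self.n, self.d, self.n)
    def verify(self, data, sig):
        return pow(sig, E, self.n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % self.n
def keygen(flags, p, q):
    return Key(flags, p * q, pow(E, -1, (p - 1) * (q - 1)))

class Zone:
    def __init__(self, name, ksk, zsk):
        self.name, self.ksk, self.zsk = name, ksk, zsk
        self.rrsets = {}   # published, signed data: (owner, type) -> (rdatas, (key tag, signature))
        self.publish_dnskeys()
    def publish_dnskeys(self):   # the DNSKEY RRset (both public keys) is signed by the KSK
        keys = [self.ksk.rdata, self.zsk.rdata]
        self.rrsets[(self.name, "DNSKEY")] = (keys, (self.ksk.tag, self.ksk.sign(canonical(self.name, "DNSKEY", keys))))
    def publish(self, owner, rtype, rdatas):   # every other RRset is signed by the ZSK, with no parent involved
        self.rrsets[(owner, rtype)] = (rdatas, (self.zsk.tag, self.zsk.sign(canonical(owner, rtype, rdatas))))

def publish_ds(zones, child):   # the one step that needs the parent: a DS for the child's current KSK
    zones[parent_of(child)].publish(child, "DS", [ds_digest(child, zones[child].ksk)])

def validate(zones, anchors, zone_name, owner, rtype):
    """The loop written out in the thread, bottom-up: RRset -> RRSIG -> DNSKEY -> DS in parent -> again."""
    rdatas, (tag, sig) = zones[zone_name].rrsets[(owner, rtype)]
    keys = [Key.from_rdata(r) for r in zones[zone_name].rrsets[(zone_name, "DNSKEY")][0]]
    data = canonical(owner, rtype, rdatas)
    # RRSIG -> DNSKEY: match the key tag (tags can collide, so try each), require the Zone Key flag, verify
    signer = next((k for k in keys if k.tag == tag and k.flags & ZSK_FLAGS and k.verify(data, sig)), None)
    if signer is None:
        return False                                   # no DNSKEY in the zone verifies this RRSIG
    if rtype != "DNSKEY":
        return validate(zones, anchors, zone_name, zone_name, "DNSKEY")   # now prove the signing ZSK
    digest = ds_digest(zone_name, signer)              # DNSKEY RRset: its signer (the KSK) must match a DS
    if zone_name == ".":
        return digest in anchors                       # top of the chain: the configured root trust anchor
    parent = parent_of(zone_name)
    ds = zones[parent].rrsets.get((zone_name, "DS"), ([],))[0]   # the DS RRset the parent publishes for us
    return digest in ds and validate(zones, anchors, parent, zone_name, "DS")   # "start again" one level up

def roll_key(zones, zone_name, which, new_key):   # swap in a new 'zsk' or 'ksk' and re-sign locally
    zone = zones[zone_name]
    setattr(zone, which, new_key)
    zone.publish_dnskeys()
    for (owner, rtype), (rdatas, _) in list(zone.rrsets.items()):
        if rtype != "DNSKEY":
            zone.publish(owner, rtype, rdatas)

def build_zones():   # constructed hierarchy . -> com. -> example.com., each with its own KSK and ZSK
    root = Zone(".", keygen(KSK_FLAGS, PRIMES[0], PRIMES[1]), keygen(ZSK_FLAGS, PRIMES[0], PRIMES[2]))
    com = Zone("com.", keygen(KSK_FLAGS, PRIMES[0], PRIMES[3]), keygen(ZSK_FLAGS, PRIMES[1], PRIMES[2]))
    ex = Zone("example.com.", keygen(KSK_FLAGS, PRIMES[1], PRIMES[3]), keygen(ZSK_FLAGS, PRIMES[2], PRIMES[3]))
    zones = {z.name: z for z in (root, com, ex)}
    ex.publish("www.example.com.", "A", [b"\xc0\x00\x02\x01"])   # 192.0.2.1 (documentation range)
    publish_ds(zones, "example.com.")
    publish_ds(zones, "com.")
    return zones, {ds_digest(".", root.ksk)}                     # the resolver's root trust anchor

def scenarios():   # the cases raised in the thread; returns {case: does the chain validate?}
    zones, anchors = build_zones()
    ex = zones["example.com."]
    ok = lambda: validate(zones, anchors, "example.com.", "www.example.com.", "A")
    out, ds_before = {"fresh zone": ok()}, ds_digest("example.com.", ex.ksk)
    ex.publish("www.example.com.", "A", [b"\xc0\x00\x02\x02"])   # edit a record and re-sign with the ZSK
    out["record changed, re-signed, DS unchanged"] = ok() and ds_digest("example.com.", ex.ksk) == ds_before
    roll_key(zones, "example.com.", "zsk", keygen(ZSK_FLAGS, PRIMES[0], PRIMES[4]))
    out["ZSK rolled, parent untouched"] = ok()
    roll_key(zones, "example.com.", "ksk", keygen(KSK_FLAGS, PRIMES[0], PRIMES[5]))
    out["KSK rolled, parent DS stale"] = ok()
    publish_ds(zones, "example.com.")
    out["KSK rolled, parent DS updated"] = ok()
    return out
```

Call `scenarios()` to run the cases. Editing a record or rolling the ZSK only needs the zone's own ZSK to re-sign, so the DS the parent holds does not change; rolling the KSK changes the DS digest, and until the parent publishes the new DS the whole chain below it is bogus, which is the reason the reply above keeps KSKs static and guarded. The validator never touches private key material: it rebuilds keys from the published DNSKEY RDATA and ends at the configured root trust anchor.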