tablelandnetwork / weeknotes

A place for weekly updates from the @tablelandnetwork team

[NOT-76] Weeknotes individual update: November 6, 2023 #77

Closed dtbuchholz closed 11 months ago

dtbuchholz commented 11 months ago

Exploring DNS Chain of Trust Verification

by Andrew Hill

The objective was to understand the intricacies of the DNS chain of trust, starting from a specific TXT record on a domain to the root zone. The process involved collecting necessary data and understanding the verification steps. The code is documented here.

Problem: The challenge was to accumulate all required data, then ensure that every element in the chain of trust was verified accurately and that, independent of the data provided, if it resolved to a known root, a recipient could believe it was true.

Discoveries:

  1. Accumulating data was straightforward but required meticulous attention to each DNS record and corresponding signatures.
  2. Verification steps were logical but needed precise execution, especially when verifying signatures.

Challenges:

  1. Ensuring accurate verification required understanding DNSSEC specifications.
  2. Verifying the final parent's DS record signature and ensuring it was signed by the root was a tough nut to crack, which required a thorough understanding of the DNSSEC validation process.

Final Outcome:

From SyncLinear.com | NOT-76
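The delegation links in the chain described above (each parent's DS record committing to a DNSKEY in the child zone, up to the root trust anchor) can be checked with the standard library alone. This is an added example, not the code the update links to. The function names are hypothetical, the keys are constructed sample data, and RRSIG signature verification over each RRset (including the DS RRset itself) is a separate step not shown here.

```python
import hashlib
import hmac
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types accepted here

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag of DNSKEY RDATA (RFC 4034, Appendix B; not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Build the DS tuple a parent would publish for this DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner, rdata, ds):
    """True if the DS (tag, algorithm, digest type, digest) commits to this DNSKEY."""
    tag, alg, dtype, digest = ds
    if len(rdata) < 4 or dtype not in DIGESTS:   # malformed key or unknown digest
        return False
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100 or alg != rdata[3] or tag != key_tag(rdata):
        return False                             # not a zone key, or fields disagree
    return hmac.compare_digest(make_ds(owner, rdata, dtype)[3], digest)

def first_broken_link(chain):
    """chain: (zone, DS from parent or trust anchor, [DNSKEY RDATA]), leaf to root.
    Returns the first zone whose DS matches none of its DNSKEYs, or None."""
    for zone, ds, keys in chain:
        if not any(ds_matches(zone, k, ds) for k in keys):
            return zone
    return None

# Constructed sample keys (not real zone data): flags 257, protocol 3, algorithm 13.
def sample_key(seed):
    return struct.pack("!HBB", 257, 3, 13) + bytes((seed + i) % 256 for i in range(64))

KEYS = {"example.com.": sample_key(0), "com.": sample_key(7), ".": sample_key(42)}
CHAIN = [(z, make_ds(z, k), [k]) for z, k in KEYS.items()]
```

In a real validator the DS for "." is replaced by the locally configured root trust anchor, which is the only input that is not taken from the data being verified.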