The cornerstone of the PKI is the private key used to encrypt or digitally sign information.
In DNSSEC, the private part of the key pair is used to sign the zone: the records are digitally signed with the private key, and each resulting digital signature is stored in an RRSIG record. Validating resolvers use the public part of the key pair to validate the digital signatures created when the zone was signed. If the private key is compromised, the integrity and authenticity of the data can no longer be guaranteed, so private keys must be restricted to authorized personnel only. After a compromise, the DNS infrastructure is at risk of legitimate data being invalidated and of bogus data proliferating as though it were valid.
Holders of private DNSSEC signing keys must protect the computers, storage devices, or whatever else they use to keep the private keys.
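The signing and validation steps described above, as an added example in Go that is not part of this page and uses only the standard library's Ed25519 (DNSSEC algorithm 15): the zone signer assembles the canonical RRset data per RFC 4034, signs it with the private key, and a validating resolver recomputes the same bytes and checks the RRSIG signature with the public key. Names, types, TTLs and addresses are constructed sample values, and the RR and RRSIG types are simplified stand-ins for real zone data.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"sort"
	"strings"
)

// RR is a simplified resource record whose RData is already in wire format.
type RR struct{ Name string; Type, Class uint16; RData []byte }
// RRSIGHeader holds the fixed-size RRSIG RDATA fields that precede the signature (RFC 4034 §3.1).
type RRSIGHeader struct{ TypeCovered uint16; Algorithm, Labels uint8; OrigTTL, Expiration, Inception uint32; KeyTag uint16 }
// RRSIG adds the variable-length Signer's Name; the Signature field itself is the output of SignRRset.
type RRSIG struct{ RRSIGHeader; SignerName string }

// wireName encodes a domain name in lowercase DNS wire format (RFC 4034 §6.2).
func wireName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if l != "" { b = append(append(b, byte(len(l))), l...) }
	}
	return append(b, 0) // root label terminates the name
}

// signedData builds the bytes that are actually signed: the RRSIG RDATA minus its signature field, then
// each RR in canonical form (RRSIG Original TTL, not the live TTL), sorted by RDATA (RFC 4034 §3.1.8.1, §6.3).
func signedData(sig RRSIG, rrset []RR) []byte {
	set := append([]RR(nil), rrset...)
	sort.Slice(set, func(i, j int) bool { return bytes.Compare(set[i].RData, set[j].RData) < 0 })
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, sig.RRSIGHeader)
	b.Write(wireName(sig.SignerName))
	for _, rr := range set {
		b.Write(wireName(rr.Name))
		binary.Write(&b, binary.BigEndian, struct{ T, C uint16; TTL uint32; L uint16 }{rr.Type, rr.Class, sig.OrigTTL, uint16(len(rr.RData))})
		b.Write(rr.RData)
	}
	return b.Bytes()
}

// SignRRset is the zone signer's step and the only one that needs the private key.
func SignRRset(priv ed25519.PrivateKey, sig RRSIG, rrset []RR) []byte {
	return ed25519.Sign(priv, signedData(sig, rrset))
}

// VerifyRRset is the validating resolver's step; it needs only the public part published in DNSKEY.
func VerifyRRset(pub ed25519.PublicKey, sig RRSIG, rrset []RR, signature []byte) bool {
	return ed25519.Verify(pub, signedData(sig, rrset), signature)
}
```

Changing any RDATA byte, any RRSIG field, or the verifying key makes VerifyRRset return false, while a signature produced with a copied private key verifies exactly like a legitimate one; nothing a resolver can check distinguishes the two, which is why the key itself must be protected.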