DNSSEC Guide
Next

DNSSEC Guide

Copyright © 2014, 2015, 2016, 2017 Internet Systems Consortium, Inc.

Abstract

The Domain Name System Security Extensions (DNSSEC) extends standard DNS to provide a measure of security; it proves that the data comes from the official source and has not been modified in transit.

This guide introduces the DNSSEC standards and shares several examples of implementing, maintaining, and troubleshooting DNSSEC.

Table of Contents

Preface
Organization
Acknowledgement
License
1. Introduction
Who Should Read this Guide?
Who May Not Want to Read this Guide?
What is DNSSEC?
What does DNSSEC Add to DNS?
How Does DNSSEC Change DNS Lookup?
Chain of Trust
Why is DNSSEC Important? (Why Should I Care?)
How does DNSSEC Change My Job as a DNS Administrator?
2. Getting Started
Software Requirement
BIND Version
DNSSEC Support in BIND
System Entropy
Hardware Requirement
Recursive Server Hardware
Authoritative Server Hardware
Network Requirements
Operational Requirements
Parent Zone
Security Requirements
3. Validation
Easy Start Guide for Recursive Servers
How To Test Recursive Server (So You Think You Are Validating)
Using Web-based Tools to Verify
Using dig to Verify
Using delv to Verify
Verifying Protection from Bad Domain Names
How Do I know I Have a Validation Problem?
Validation Easy Start Explained
dnssec-validation
How Does DNSSEC Change DNS Lookup (Revisited)?
How are Answers Verified?
Trust Anchors
How Trust Anchors are Used
Trusted Keys and Managed Keys
What's EDNS All About (And Why Should I Care)?
EDNS Overview
EDNS on DNS Servers
Support for Large Packets on Network Equipment
Wait... DNS Uses TCP?
4. Signing
Easy Start Guide for Signing Authoritative Zones
Generate Keys
Reconfigure BIND
Verification
Upload to Parent Zone
So... What Now?
Your Zone, Before and After DNSSEC
How To Test Authoritative Zones (So You Think You Are Signed)
Look for Key Data in Your Zone
Look for Signatures in Your Zone
Examine the Zone File
Check the Parent
External Testing Tools
Signing Easy Start Explained
Generate Keys Explained
Reconfigure BIND Explained
Working with Parent Zone
DS Record Format
DNSKEY Format
Trusted Key Format
Using NSEC3
Maintenance Tasks
ZSK Rollover
KSK Rollover
5. Basic Troubleshooting
Query Path
Visible Symptoms
Logging
BIND DNSSEC Debug Logging
Common Problems
Security Lameness
Incorrect Time
Invalid Trust Anchors
Unable to Load Keys
Negative Trust Anchors
NSEC3 Troubleshooting
Troubleshooting Example
6. Advanced Discussions
Key Generation
Can I Use the Same Key Pair for Multiple Zones?
Do I Need Separate ZSK and KSK?
Which Algorithm?
Key Sizes
Proof of Non-Existence (NSEC and NSEC3)
NSEC
NSEC3
NSEC or NSEC3?
Key Storage
Public Key Storage
Private Key Storage
Hardware Security Modules (HSM)
Key Management
Key Rollovers
Key Management and Metadata
How Long Do I Wait Before Deleting Old Data?
Emergency Key Rollovers
DNSKEY Algorithm Rollovers
Other Topics
DNSSEC and Dynamic Updates
DNSSEC and Inline Signing
DNSSEC Look-aside Validation (DLV)
DNSSEC on Private Networks
Introduction to DANE
Disadvantages of DNSSEC
7. Recipes
Inline Signing Recipes
Master Server Inline Signing Recipe
"Bump in the Wire" Inline Signing Recipe
Rollover Recipes
ZSK Rollover Recipe
KSK Rollover Recipe
NSEC and NSEC3 Recipes
Migrating from NSEC to NSEC3
Migrating from NSEC3 to NSEC
Changing NSEC3 Salt Recipe
NSEC3 Optout Recipe
Reverting to Unsigned Recipe
Self-signed Certificate Recipe
8. Commonly Asked Questions

List of Figures

1.1. DNSSEC Validation 12 Steps
3.1. Signature Generation
3.2. Signature Verification
3.3. DNSSEC Validation with .gov Trust Anchor
4.1. Verisign DNSSEC Debugger
4.2. DNSViz
5.1. Query Path
7.1. Inline Signing Recipe #1
7.2. Inline Signing Scenario #2
7.3. Upload DS Record Step #1
7.4. Upload DS Record Step #2
7.5. Upload DS Record Step #3
7.6. Upload DS Record Step #4
7.7. Upload DS Record Step #5
7.8. Upload DS Record Step #6
7.9. Remove DS Record Step #1
7.10. Remove DS Record Step #2
7.11. Remove DS Record Step #3
7.12. Revert to Unsigned Step #1
7.13. Revert to Unsigned Step #2
7.14. Revert to Unsigned Step #3
7.15. Revert to Unsigned Step #4
7.16. Browser Certificate Warning
7.17. DNSSEC TLSA Validator

List of Tables

4.1. ZSK KSK Comparison
6.1. Key Metadata Comparison
Next
Preface