I have been assigned the task of improving the security of a specific service. After some analysis of the requirements we have come to the conclusion that a certain aspect of the specified requirements can only be met through the use of DNSSEC.

I have a decent amount of experience with information security and cryptography, and I believe I understand the general principles of DNSSEC. However, I have no hands-on experience.

Usually, such new technologies first get deployed to a subdomain of our primary domain name. But that approach doesn't seem to be possible with DNSSEC, since a proper deployment involves signing all the way from the root servers down to the subdomain. Our domains currently have no DNSSEC, and the hosting provider doesn't support DNSSEC.

Buying an experimental domain through a separate hosting provider might be an option, but due to my lack of hands-on experience with DNSSEC, I have no clue what to look for in such a hosting provider.

I have also considered using one of the numerous services where one can acquire a free subdomain with dynamic DNS. However none of the providers I have looked at so far supports DNSSEC.

What would be a sensible next step to take in order to get the hands-on experience I need?

user67689
  • IMHO, look for a DNS server that has NSEC3 support... If you find one, let me know. I may be migrating away from dyn.com because of this. – makerofthings7 Apr 10 '15 at 01:48
  • @LamonteCristo why NSEC3 support? Can you explain? – schroeder Apr 10 '15 at 05:32
  • @schroeder I should have put this in my comment: NSEC3 is an enhancement that prevents the enumeration of a DNSSEC zone, the way that the default NSEC does. You can enumerate all my DNS records if you enable "confirm non exist domains" at Verisign or some of the other online scanners. Experiment with getvalid.com if you want. – makerofthings7 Apr 10 '15 at 11:57
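The zone enumeration makerofthings7 describes in the comments, as an added example that is not part of the question or the comments: a toy NSEC chain for a made-up zone `example.test.` is walked by following each record's "next owner" field, and the same names are then hashed the way NSEC3 does (RFC 5155: SHA-1 over the wire-format name plus salt, repeated for the configured number of iterations), so a walker sees only hashed owner names. The zone contents, the salt `aabbccdd` and the iteration count 12 are constructed for this example. One caveat the comment does not mention: NSEC3 hashes can still be attacked offline by hashing guessed names and comparing, so it raises the cost of enumeration rather than eliminating it.

```python
import base64
import hashlib

# Constructed NSEC chain for a made-up zone "example.test." (not a real zone).
# In a zone signed with plain NSEC, each NSEC record carries the *next* owner
# name in canonical order, so the records form a linked list of every name
# that exists.  Anyone who can query the zone can follow that list.
NSEC_CHAIN = {
    "example.test.": "mail.example.test.",
    "mail.example.test.": "secret-admin.example.test.",
    "secret-admin.example.test.": "www.example.test.",
    "www.example.test.": "example.test.",  # last record wraps back to the apex
}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a DNS name: lowercase, length-prefixed labels, root byte."""
    labels = name.lower().rstrip(".").split(".") if name.strip(".") else []
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def walk_nsec(chain: dict, apex: str) -> list:
    """Enumerate every owner name by following NSEC 'next owner' pointers from the apex."""
    names = [apex]
    nxt = chain[apex]
    while nxt != apex:
        if nxt in names:
            raise ValueError("NSEC chain does not close back to the apex")
        names.append(nxt)
        nxt = chain[nxt]
    return names


def base32hex(data: bytes) -> str:
    """Base32 with the 'extended hex' alphabet used for NSEC3 owner names (RFC 4648 section 7)."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table)


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 owner hash: SHA-1(wire name || salt), then `iterations` more rounds of SHA-1(h || salt).

    Returned lowercase, as dig prints NSEC3 owner names."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h).lower()


def nsec3_chain(names: list, salt: bytes, iterations: int) -> list:
    """What a walker sees in an NSEC3 zone: sorted hashed owner names, no cleartext labels."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


if __name__ == "__main__":
    found = walk_nsec(NSEC_CHAIN, "example.test.")
    print("NSEC walk reveals:", found)
    salt, iters = bytes.fromhex("aabbccdd"), 12  # constructed NSEC3PARAM values
    print("NSEC3 chain shows only:", nsec3_chain(found, salt, iters))
```

Against a real zone the walk would be driven by queries for names just past each "next owner", not by a dict; the data structure here stands in for the answers those queries return.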

1 Answer

I recently added DNSSEC to a few domains, and here are a few random notes and tips from that experience:

First of all, make sure your domain registrar supports DNSSEC. Some do, others (e.g. Namecheap) don't. If your registrar doesn't support DNSSEC (i.e. doesn't have a method for adding DS records for your domain at the parent level), you need to switch registrar first.

Depending on which DNS server you use, signing the domain can be an almost automated, trivial task or a fairly complex manual thing. My primary DNS is Windows DNS, where you can just right-click on a zone, select DNSSEC/Sign..., and a wizard takes you through the process.

Set up a test domain and go through the entire process on that one before doing it on a real production domain. If something goes wrong, you can take your domain offline for users of DNSSEC-validating resolvers (e.g. Google DNS), so testing on an unused domain first is a very good idea.

GetDS is a neat tool on Linux that can help you troubleshoot and validate your setup along the way.

Another useful tool that will help with validating your config is this site: http://dnscheck.iis.se/

KristoferA
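To make the answer's first point concrete, an added example that is not KristoferA's code and not from the page: it takes a DNSKEY in the presentation format that `dig DNSKEY example.com` prints, computes the RFC 4034 key tag and the DS digest that the parent zone publishes, and checks a DS line of the kind a registrar's DS form shows against that key. The owner name `example.com.` and the four-byte public key `AAECAw==` with algorithm number 13 are constructed so the key tag arithmetic stays visible; a real ECDSA P-256 key is 64 bytes. Paste your own key-signing key (flags 257) in its place and compare the output with the DS record your registrar has on file.

```python
import base64
import hashlib
import struct

# DS digest types (IANA registry) that hashlib can produce: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed DNSKEY line in dig's presentation format; the key bytes are made up.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AAECAw=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a DNS name: lowercase, length-prefixed labels, root byte."""
    labels = name.lower().rstrip(".").split(".") if name.strip(".") else []
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 16-bit flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA, carry folded once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """ZONE (0x0100) and SEP (0x0001) bits set: the key a DS record normally points at."""
    return flags & 0x0101 == 0x0101


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) as the parent zone publishes them."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' (dig output) into fields."""
    parts = line.split()
    i = parts.index("DNSKEY")
    flags, proto, alg = int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3])
    pubkey = base64.b64decode("".join(parts[i + 4:]))  # dig may wrap the key over several tokens
    return parts[0], flags, proto, alg, pubkey


def ds_from_dnskey_line(line: str, digest_type: int = 2) -> str:
    """DS record in presentation format for the given DNSKEY line."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    tag, alg, dt, digest = make_ds(owner, flags, proto, alg, pubkey, digest_type)
    return f"{owner} IN DS {tag} {alg} {dt} {digest}"


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """True if the DS the parent (registrar) holds was derived from this DNSKEY."""
    parts = ds_line.split()
    i = parts.index("DS")
    tag, alg, dt = int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3])
    digest = "".join(parts[i + 4:]).upper()
    if dt not in DS_DIGESTS:
        return False
    owner, flags, proto, kalg, pubkey = parse_dnskey(dnskey_line)
    return make_ds(owner, flags, proto, kalg, pubkey, dt) == (tag, alg, dt, digest)


if __name__ == "__main__":
    owner, flags, _, _, _ = parse_dnskey(SAMPLE_DNSKEY)
    print("KSK:", is_ksk(flags))
    ds = ds_from_dnskey_line(SAMPLE_DNSKEY)
    print(ds)
    print("registrar DS matches key:", ds_matches(ds, SAMPLE_DNSKEY))
```

If `ds_matches` returns False for the DS your registrar shows, the parent is pointing at a key your zone no longer serves (or never served), which is exactly the situation the answer warns about: validating resolvers will return SERVFAIL for the whole domain.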