
I have a beginner question about DNSSEC. I have much experience with TLS and cryptography stuff and would like to try out this new technology. I have googled a lot about this but I haven't found information that is useful to me. I think one confusion in information gathering is that "Debian howto DNSSEC setup" can mean "How to USE DNSSEC for resolving" OR "How to secure your domain with DNSSEC". I am searching for the second.

I am running a Debian Squeeze server with root privileges which has a domain name ending with ".de" (which is already signed by the root zone). The network interface at this server uses the gateway IP (DNS resolver?) of the datacentre the server is running on.

My domain is hosted at freedns.afraid.org, where I can add DNS RRs for my domain. They are currently NOT capable of adding DNSSEC RRs, but I am bugging them to support this soon. ;-)

My simple question is: How do I setup DNSSEC on Debian? Resp. who have I ask to?

As far as I understand, all I have to do is to run dnssec-keygen on my Debian server and then add the key to my DNS provider as a DNSSEC RR. (And change it every 30 days?)

I have looked at this http://www.isc.org/files/DNSSEC_in_6_minutes.pdf but it looks like you have to be the owner of a ZONE, so I don't think this applies to me. Who needs to sign my domain? My DNS provider, my zone (DeNIC), or can I do it myself?

Any help is very appreciated!

Wesley
Daniel Marschall
  • You host your DNS at afraid.org, which does not support DNSSEC. So what is your question? You wish to switch provider, wish to run a DNS server of your own, or what? – Sandman4 Feb 26 '12 at 09:48
  • They said they will support it soon. Also, I can switch the provider. My question is to know what to do exactly WHEN it is available (without running my own DNS server). – Daniel Marschall Feb 26 '12 at 09:55
  • I tried to clean up the grammar a bit, but I have no idea what `Resp. who have I ask to?` means. – Wesley Feb 27 '12 at 03:51
  • I meant "Respectively, which person/organisation do I have to ask?" – Daniel Marschall Feb 27 '12 at 12:08

1 Answer

Background: DNSSEC in reality is a couple of security keys and several DNS records that should exist in addition to your normal DNS records. Those reside in two places:

  1. Authoritative DNS server for your domain. This holds the DNSKEY, RRSIG and NSEC/NSEC3 records.
  2. Authoritative DNS server for your parent domain ("com" domain for example.com). This holds DS records.

Private keys themselves can actually be stored anywhere (or even deleted after they have been used to sign everything that has to be signed), but normally they will also reside somewhere on the domain's authoritative server.

Now, the answer to your question depends on how your DNS provider will implement DNSSEC support.

In the simplest (for you) scenario, the DNS hosting will do all the work (creating KSK and ZSK keys, publishing DNSKEY records, signing and automatically re-signing the zone file with RRSIG and NSEC/NSEC3 records, and preparing the DS key that you will send to your registrar).

(As you see, it requires support not only from your DNS hosting but also from your registrar. ICANN maintains a list of DNSSEC-supporting registrars.)

In this case you will only have to copy the DS key provided by your DNS hosting and send it to your registrar (hopefully via a web interface or by any other means that your registrar supports).

P.S. As you see, the whole process has nothing to do with your computer(s) nor with any OS you run, be it Debian or Windows, heaven forbid.

Sandman4
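Added example, not part of Sandman4's answer: the DS record the registrar publishes in the parent zone is just a hash of the KSK DNSKEY served by the DNS hosting, so the domain owner can compute it locally and check that the DS at the registrar still matches the key in the zone (the link that must survive any KSK change). The zone name and the 64-byte key below are constructed placeholders.

```python
import base64
import hashlib
import struct


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label (RFC 4034 s6.2)."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 s2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_text: str) -> str:
    """Build the DS RR (digest type 2 = SHA-256, RFC 4509) for the parent zone from the
    DNSKEY as the DNS hosting shows it: 'flags protocol algorithm base64key'."""
    flags, protocol, algorithm, *b64 = dnskey_text.split()
    pubkey = base64.b64decode("".join(b64))
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm), pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def ds_matches(owner: str, dnskey_text: str, published_ds: str) -> bool:
    """Check that the DS published by the registrar (key tag, algorithm, digest type, digest)
    matches the KSK actually in the zone; a mismatch makes validating resolvers treat the zone as bogus."""
    expected = [f.upper() for f in ds_from_dnskey(owner, dnskey_text).split()[3:]]
    return [f.upper() for f in published_ds.split()[-4:]] == expected


# Constructed sample KSK for a fictional zone: flags 257 (KSK), protocol 3, algorithm 13
# (ECDSAP256SHA256). The 64 key bytes are bytes(range(64)), a placeholder, not real key material.
SAMPLE_OWNER = "example.de."
SAMPLE_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_OWNER, SAMPLE_KSK))
```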
  • Thank you very much for your answer. Now it is clearer to me. So, I have to wait until the DNS provider AND the registrar support this new technology (*sigh*). At the beginning, I was confused because many tutorials on the web actually described what to do if you are running your own DNS server. Now I see that there is actually no setup of your own necessary (except copying the DS RR). – Daniel Marschall Feb 26 '12 at 23:14
  • For me DNSSEC wasn't easy to understand at first - all those different RRs and such... I still don't feel comfortable with it. – Sandman4 Feb 26 '12 at 23:38
  • @DanielMarschall ICANN maintains a list of registrars supporting DNSSEC: http://www.icann.org/en/news/in-focus/dnssec/deployment - you can find one for .de – Sandman4 Jun 24 '12 at 11:55