DNSSEC Tips
We have covered DNSSEC before. But over the last few months, DNSSEC deployments have increased, and yesterday's DNS poisoning diary by Manuel shows that attacks against unsecured zones certainly happen.
I wanted to put together a couple of tips to avoid common errors:
- Patch your DNS server. Make sure you are running a recent version that supports current encryption algorithms. In particular, look for NSEC3 support.
- Review your overall DNS configuration. Clean it up first before implementing DNSSEC.
- Does your registrar have a facility to upload DS records?
- If you are using DNSSEC on a resolver, make sure the root zone's key is kept up to date. Recent versions of BIND support RFC 5011 and can manage key updates for you.
- Remember to regularly re-sign the zones. Signatures are typically valid for a month.
- Make sure your DNS server supports EDNS0 (should not be a problem).
- Make sure your firewall isn't blocking UDP DNS replies that are larger than 512 bytes.
- Pick an algorithm that supports NSEC3 (RSASHA1-NSEC3-SHA1, which is #7, is my preferred one as it appears to be well supported compared to other NSEC3 algorithms).
- Test
- Test
- Test
- Only deposit DS records with your parent zone after you have completed the prior three steps.
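As an added example (not from the diary), here is a small Python check for the re-signing tip above: it parses RRSIG records from a signed zone in presentation format and flags signatures that have expired or expire within a week. The zone lines, key tag and reference time are constructed for the example.

```python
"""Flag RRSIG records in a signed zone that have expired or expire soon."""
from datetime import datetime, timedelta, timezone

# Subset of the IANA DNSSEC algorithm registry, for readable reports
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256"}

# Constructed sample zone (one record per line, TTL and class present)
ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2011062901 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 7 2 3600 20110801120000 20110602120000 12345 example.com. AAAAc2lnbmF0dXJl
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 7 3 3600 20110703120000 20110603120000 12345 example.com. AAAAc2lnbmF0dXJl
mail.example.com. 3600 IN A 192.0.2.25
mail.example.com. 3600 IN RRSIG A 7 3 3600 20110628120000 20110529120000 12345 example.com. AAAAc2lnbmF0dXJl
"""
NOW = datetime(2011, 6, 29, 12, 0, tzinfo=timezone.utc)  # reference time (constructed)


def parse_rrsig(line):
    """Parse one single-line RRSIG record (RFC 4034 presentation format).

    Field order: owner TTL class RRSIG type-covered algorithm labels
    original-TTL expiration inception key-tag signer signature...
    Returns a dict, or None if the line is not an RRSIG record."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        return None
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": ts(f[8]), "inception": ts(f[9]),
            "key_tag": int(f[10]), "signer": f[11]}


def expiring_signatures(zone_text, now, warn_days=7):
    """Return (owner, type, reason) for every RRSIG that is expired,
    not yet valid, or expires within warn_days of `now`."""
    problems = []
    for line in zone_text.splitlines():
        rr = parse_rrsig(line.strip())
        if rr is None:
            continue
        if rr["expiration"] <= now:
            problems.append((rr["owner"], rr["type_covered"], "expired"))
        elif rr["inception"] > now:
            problems.append((rr["owner"], rr["type_covered"], "not yet valid"))
        elif rr["expiration"] - now <= timedelta(days=warn_days):
            problems.append((rr["owner"], rr["type_covered"],
                             "expires within %d days" % warn_days))
    return problems


if __name__ == "__main__":
    for owner, rtype, reason in expiring_signatures(ZONE, NOW):
        print("%s RRSIG(%s): %s" % (owner, rtype, reason))
```

Run it against a zone file produced by your signer on a cron job; a non-empty result means it is time to re-sign before the validators start returning SERVFAIL.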
Anything I forgot? Please add a comment...
A couple of URLs to use as a reference:
http://dnsviz.net/ - Really nice visualization tool.
http://dnssec-debugger.verisignlabs.com/ - thorough test of DNSSEC settings
http://www.dnssec.net - links to standards and tools
https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/ - Firefox extension to validate DNSSEC
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml - DNSSEC Algorithm Numbers
http://www.cymru.com/Documents/secure-bind-template.html - secure BIND template. Apply this first.
http://technet.microsoft.com/en-us/library/cc772661%28WS.10%29.aspx - Securing Microsoft DNS
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute