
DNSSEC #26

Closed
ThomasWaldmann opened this issue Oct 22, 2013 · 6 comments

Comments

@ThomasWaldmann
Member

document usage with DNSSEC, add a configuration example, useful links, ...

@jluebbe
Contributor

jluebbe commented Dec 7, 2013

DNSSEC simply works when configured on the DNS server. Support in nsupdate shouldn't be needed.

@ThomasWaldmann
Member Author

maybe we would want to add some configuration example?

(and sometimes I also confuse the nsupdate.info software todo and the nsupdate.info site / dns todo)

what also was a bit unclear to me while reading DNSSEC docs: the keys seem to have a limited validity, so does this need regular intervention by the admin to install new keys?

@jluebbe
Contributor

jluebbe commented Dec 8, 2013

Running DNSSEC using a recent BIND is not that complicated. The only critical thing is that your domain provider is willing to add the DS records to the top level domain.

For my zone I have the following config for DNSSEC with nsupdate:

zone "stratum0.net" {
        auto-dnssec maintain;   // sign the zone and roll keys using the timing metadata in the key files
        type master;
        update-policy {
                ....
        };
        file "/etc/bind/stratum0.net/stratum0.net";
        key-directory "/etc/bind/stratum0.net";   // where the dnssec-keygen output (KSK and ZSK) lives
};

Only auto-dnssec maintain and key-directory "/etc/bind/stratum0.net" are relevant to DNSSEC. With this setup, you only need to use dnssec-keygen to generate the KSK and ZSK. Finally you generate the DS records with dnssec-dsfromkey -f and pass those to your domain provider. There is a short guide at http://fanf.livejournal.com/112476.html.

If your domain provider doesn't support DNSSEC, you can use DLV (DNSSEC Look-aside Validation). It's an alternative entry point and also very useful for initial testing.

Also very useful for debugging is http://dnsviz.net/d/stratum0.net/dnssec/, which shows you a graph of all keys and their relationships. The gray DNSKEYs are KSKs and the white ones are ZSKs. To keep DNS messages smaller, DNSSEC uses shorter keys and so they must be rotated regularly. The longer (2048 bit) KSKs have a lifetime on the order of years and the shorter (1024 bit) ZSKs on the order of months. Note that they do not expire after this time, it's just strongly recommended to perform a rollover after that time.

With auto-dnssec maintain, you just have to generate new keys. The metadata in the key files allows BIND to handle the rollover automatically. For KSK changes, you'd need to notify your domain provider again.

This setup has been running without problems for two months on stratum0.net (which provides DYNDNS for our hackerspace).
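
The one manual step left under auto-dnssec maintain is generating the successor key before the old one goes inactive. The following is an added example (not code from this thread or from the nsupdate.info project) that reads the timing metadata from the .key files in the key directory and reports any active KSK or ZSK that retires within a window without a successor already scheduled; the file contents, key ids and dates are constructed placeholders that follow the comment format dnssec-keygen writes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample files in the format dnssec-keygen writes to K<zone>.+<alg>+<id>.key:
# timing metadata as "; Field: YYYYMMDDHHMMSS (...)" comment lines, then the DNSKEY record.
# Key ids, dates and key material are placeholders, not real stratum0.net keys.
KEY_FILES = {
    "Kstratum0.net.+008+11111.key": """\
; This is a key-signing key, keyid 11111, for stratum0.net.
; Publish: 20131001120000 (Tue Oct  1 12:00:00 2013)
; Activate: 20131001120000 (Tue Oct  1 12:00:00 2013)
stratum0.net. IN DNSKEY 257 3 8 AwEAAcKSKPLACEHOLDER
""",
    "Kstratum0.net.+008+22222.key": """\
; This is a zone-signing key, keyid 22222, for stratum0.net.
; Publish: 20131001120000 (Tue Oct  1 12:00:00 2013)
; Activate: 20131001120000 (Tue Oct  1 12:00:00 2013)
; Inactive: 20131215120000 (Sun Dec 15 12:00:00 2013)
; Delete: 20140101120000 (Wed Jan  1 12:00:00 2014)
stratum0.net. IN DNSKEY 256 3 8 AwEAAcZSKPLACEHOLDER
""",
}

def parse_key_file(text):
    """Extract key id, role (flags 257 = KSK with SEP bit, 256 = ZSK) and timing metadata."""
    times = {m.group(1): datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
             for m in re.finditer(r"^; (\w+): (\d{14})", text, re.M)}
    flags = int(re.search(r"\bDNSKEY\s+(\d+)\s", text).group(1))
    keyid = int(re.search(r"\bkeyid (\d+)", text).group(1))
    return {"keyid": keyid, "role": "KSK" if flags & 1 else "ZSK", "times": times}

def rollover_warnings(key_files, now, window=timedelta(days=30)):
    """(role, keyid) of each active key retiring within `window` with no successor of the
    same role covering it: auto-dnssec maintain rolls keys, but never generates new ones."""
    keys = [parse_key_file(text) for text in key_files.values()]
    warnings = []
    for key in keys:
        inactive = key["times"].get("Inactive")
        if key["times"]["Activate"] > now or (inactive is not None and inactive <= now):
            continue  # not yet active, or already retired
        if inactive is None or inactive - now > window:
            continue  # no retirement scheduled, or still outside the warning window
        covered = any(k["role"] == key["role"] and k["keyid"] != key["keyid"]
                      and k["times"]["Activate"] <= inactive
                      and k["times"].get("Inactive", datetime.max) > inactive for k in keys)
        if not covered:
            warnings.append((key["role"], key["keyid"]))
    return warnings
```

A KSK warning also means a new DS record has to go to the domain provider, as noted above; a ZSK warning only needs a new key in the key directory.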

@ThomasWaldmann
Member Author

see also #105

@ThomasWaldmann
Member Author

also interesting: how does dnssec signing impact zone update performance?

@ThomasWaldmann ThomasWaldmann self-assigned this Dec 28, 2015
ThomasWaldmann added a commit that referenced this issue Dec 28, 2015
docs: add some info about DNSSEC, fixes #26