Last Updated: 2011-06-28 16:05:31 UTC
by Johannes Ullrich (Version: 1)
We have covered DNSSEC before. But over the last few month, DNSSEC deployments have increased and yesterday's DNS poisoning diary by Manuel shows that attacks against unsecured zones certainly happen.
I wanted to put together a couple of tips to avoid common errors:
- Patch your DNS server. Make sure you are running a recent version that supports current encryption algorithms. In particular, look for NSEC3 support.
- Review your overall DNS configuration. Clean it up first before implementing DNSSEC.
- Does your registrar have a facility to upload DS records?
- If you are using DNSSEC on a resolver, make sure the root zone's key is kept up to date. Recent versions of BIND support RFC 5011 and can manage key updates for you.
- Remember to regularly re-sign the zones. Signatures are typically valid for a month.
- make sure your DNS server supports EDNS0 (should not be a problem)
- make sure your firewall isn't blocking UDP DNS replies that are larger then 512 Bytes
- pick an algorithm that supports NSEC3 (RSASHA1-NSEC3-SHA1, which is #7, is my preferred one as it appears to be well supported compared to other NSEC3 algorithms)
- only deposit DS records with your parent zone after you completed the prior three steps
Anything I forgot? Please add a comment...
Couple URLs to use as a reference:
http://dnsviz.net/ - Really nice visualization tool.
http://dnssec-debugger.verisignlabs.com/ - thorough test of DNSSEC settings
http://www.dnssec.net - links to standards and tools
https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/ - Firefox extension to validate DNSSEC
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml - DNSSEC Algorithm Numbers
http://www.cymru.com/Documents/secure-bind-template.html - secure BIND template. Apply this first.
http://technet.microsoft.com/en-us/library/cc772661%28WS.10%29.aspx - Securing Microsoft DNS
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Jun 29th 2011
1 decade ago