DNSSEC Tips

We have covered DNSSEC before. But over the last few months, DNSSEC deployments have increased, and yesterday's DNS poisoning diary by Manuel shows that attacks against unsecured zones certainly happen.

I wanted to put together a couple of tips to avoid common errors:

  • Patch your DNS server. Make sure you are running a recent version that supports current encryption algorithms. In particular, look for NSEC3 support.
  • Review your overall DNS configuration. Clean it up first before implementing DNSSEC.
  • Does your registrar have a facility to upload DS records?
  • If you are using DNSSEC on a resolver, make sure the root zone's key is kept up to date. Recent versions of BIND support RFC 5011 and can manage key updates for you.
  • Remember to regularly re-sign the zones. Signatures are typically valid for a month.
  • Make sure your DNS server supports EDNS0 (this should not be a problem).
  • Make sure your firewall isn't blocking UDP DNS replies that are larger than 512 bytes.
  • Pick an algorithm that supports NSEC3 (RSASHA1-NSEC3-SHA1, which is #7, is my preferred one, as it appears to be well supported compared to other NSEC3 algorithms).
  • Test
  • Test
  • Test
  • Only deposit DS records with your parent zone after you have completed the prior three steps.
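The "test, test, test" step is easier with a script than by eyeballing `dig` output. The following is an added example, not code from the diary or from any of the tools it links to: it parses DNSKEY, RRSIG and DS records in the presentation format `dig +dnssec` prints, and reports three of the checklist items above: signatures that are about to lapse (the re-sign reminder), a signing algorithm that cannot be used with NSEC3, and a DS record at the parent whose key tag or algorithm matches no DNSKEY in the child zone. The zone name `example.test.`, the key material and the signature are constructed placeholders; the key tag and DS digest routines follow RFC 4034 (Appendix B and section 5.1.4).

```python
"""Checklist checks over saved `dig +dnssec` output (added example, not ISC code)."""
import base64
import hashlib
import struct
from datetime import datetime

# Constructed sample resembling `dig +dnssec` output. The DNSKEY public key is a
# four-byte placeholder whose RFC 4034 key tag works out to 1036; the RRSIG
# signature and the DS digest are placeholders too, not real cryptographic values.
SAMPLE_DIG_OUTPUT = """\
example.test.  3600 IN DNSKEY 257 3 8 AAEAAg==
example.test.  3600 IN RRSIG  DNSKEY 8 2 3600 20110720000000 20110620000000 1036 example.test. c2ln
example.test.  3600 IN DS     1036 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# RFC 5155: algorithms 6 and 7 are the NSEC3 aliases of DSA and RSASHA1, and every
# algorithm registered after them implies NSEC3 support. 1, 3 and 5 predate NSEC3.
NSEC3_CAPABLE_ALGORITHMS = {6, 7, 8, 10, 12, 13, 14, 15, 16}
ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                   13: "ECDSAP256SHA256", 15: "ED25519"}
RRSIG_TIME_FORMAT = "%Y%m%d%H%M%S"   # the timestamp format used in RRSIG records


def parse_records(text):
    """Yield (owner, rtype, rdata_fields) for every 'owner TTL IN TYPE ...' line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "IN":
            yield fields[0], fields[3], fields[4:]


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum of RDATA as 16-bit words, carry folded in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Owner name in DNS wire format (length-prefixed labels, terminating zero)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def ds_digest(owner, rdata, digest_type=2):
    """DS digest (RFC 4034 section 5.1.4): hash(owner wire name | DNSKEY RDATA).

    This is the value to hand to the registrar; digest type 2 is SHA-256."""
    hash_fn = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return hash_fn(wire_name(owner) + rdata).hexdigest()


def check_zone(dig_text, now, warn_days=7):
    """Return a list of findings. `now` is given in RRSIG timestamp format (UTC)."""
    now_dt = datetime.strptime(now, RRSIG_TIME_FORMAT)
    records = list(parse_records(dig_text))
    findings = []

    # First pass: index the child's DNSKEYs by key tag.
    keys = {}
    for owner, rtype, rd in records:
        if rtype == "DNSKEY":
            flags, proto, alg, key = int(rd[0]), int(rd[1]), int(rd[2]), "".join(rd[3:])
            tag = key_tag(dnskey_rdata(flags, proto, alg, key))
            keys[tag] = alg
            if alg not in NSEC3_CAPABLE_ALGORITHMS:
                findings.append(f"DNSKEY {tag}: algorithm {alg} "
                                f"({ALGORITHM_NAMES.get(alg, 'unknown')}) cannot be used with NSEC3")

    # Second pass: signature lifetime and parent/child DS consistency.
    for owner, rtype, rd in records:
        if rtype == "RRSIG":
            covered, expiry, tag = rd[0], rd[4], int(rd[6])
            days_left = (datetime.strptime(expiry, RRSIG_TIME_FORMAT) - now_dt).days
            if days_left < 0:
                findings.append(f"RRSIG over {covered} (key {tag}) expired {-days_left} days ago; re-sign now")
            elif days_left < warn_days:
                findings.append(f"RRSIG over {covered} (key {tag}) expires in {days_left} days; re-sign soon")
        elif rtype == "DS":
            tag, alg = int(rd[0]), int(rd[1])
            if keys.get(tag) != alg:
                findings.append(f"DS {tag}/{alg} at the parent matches no DNSKEY in the child zone")
    return findings


if __name__ == "__main__":
    for finding in check_zone(SAMPLE_DIG_OUTPUT, "20110715000000") or ["no findings"]:
        print(finding)
```

Run it against the output of `dig +dnssec DNSKEY yourzone` plus the DS record your parent publishes, with `now` set to the current UTC time; a clean run is the point at which depositing the DS record makes sense. The script does not verify the RRSIG cryptographically, so it complements, rather than replaces, a validating resolver or the online testers linked below.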

Anything I forgot? Please add a comment...

A couple of URLs to use as a reference:

  • Really nice visualization tool.
  • Thorough test of DNSSEC settings.
  • Links to standards and tools.
  • Firefox extension to validate DNSSEC.
  • DNSSEC Algorithm Numbers.
  • Secure BIND template. Apply this first.
  • Securing Microsoft DNS.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute



4511 Posts
ISC Handler
Jun 28th 2011
Relating to EDNS0, and DNS responses larger than one packet, I once set up Linux IPTables to allow incoming UDP traffic to port 53 thinking that was enough. But IPTables 'port' matches don't match UDP fragments after the first one, so you either need to use stateful matching (-m state --state related,established) or specifically accept trailing fragments (the iptables "-f" option for IPv4, or "-m frag ! --fragid 0" for IPv6).
