DNSSEC Tips - SANS Internet Storm Center

DNSSEC Tips
We have covered DNSSEC before. But over the last few month, DNSSEC deployments have increased and yesterday's DNS poisoning diary by Manuel shows that attacks against unsecured zones certainly happen. I wanted to put together a couple of tips to avoid common errors: Patch your DNS server. Make sure you are running a recent version that supports current encryption algorithms. In particular, look for NSEC3 support. Review your overall DNS configuration. Clean it up first before implementing DNSSEC. Does your registrar have a facility to upload DS records? If you are using DNSSEC on a resolver, make sure the root zone's key is kept up to date. Recent versions of BIND support RFC 5011 and can manage key updates for you. Remember to regularly re-sign the zones. Signatures are typically valid for a month. make sure your DNS server supports EDNS0 (should not be a problem) make sure your firewall isn't blocking UDP DNS replies that are larger then 512 Bytes pick an algorithm that supports NSEC3 (RSASHA1-NSEC3-SHA1, which is #7, is my preferred one as it appears to be well supported compared to other NSEC3 algorithms) Test Test Test only deposit DS records with your parent zone after you completed the prior three steps Anything I forgot? Please add a comment... Couple URLs to use as a reference: http://dnsviz.net/ - Really nice visualization tool. http://dnssec-debugger.verisignlabs.com/ - thorough test of DNSSEC settings http://www.dnssec.net - links to standards and tools https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/ - Firefox extension to validate DNSSEC http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml - DNSSEC Algorithm Numbers http://www.cymru.com/Documents/secure-bind-template.html - secure BIND template. Apply this first. http://technet.microsoft.com/en-us/library/cc772661%28WS.10%29.aspx - Securing Microsoft DNS ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022	Johannes 4511 Posts ISC Handler Jun 28th 2011
Thread locked Subscribe	Jun 28th 2011 1 decade ago
Relating to EDNS0, and DNS responses larger than one packet, I once set up Linux IPTables to allow incoming UDP traffic to port 53 thinking that was enough. But IPTables 'port' matches don't match UDP fragments after the first one, so you either need to use stateful matching (-m state --state related,established) or specifically accept trailing fragments (the iptables "-f" option for IPv4, or "-m frag ! --fragid 0" for IPv6).	Anonymous
Quote	Jun 29th 2011 1 decade ago