DNSSEC Installation and Overview

Posted on October 28th, 2016

DNSSEC stands for Domain Name System Security Extensions. It is a set of protocols or suite of extensions that provide a layer of security to the domain name system (DNS) lookup and exchange processes. Its main function is to provide authenticated DNS records from the authoritative name servers. DNSSEC is the extensions that can authenticate the origin of data sent from a DNS server, verify the integrity of data, and authenticate non-existent DNS data. It does not protect how data is distributed or who can access it. DNSSEC provides data integrity, and authenticated denial of existence. DNSSEC works by signing DNS zones with public key cryptography. With DNSSEC, the DNS protocol is less susceptible to certain types of attacks, particularly DNS spoofing attacks.

 

DNSSEC record types

1) DNSKEY Resource Record: A DNSKEY stores a public key used to sign a record or zone and this is used by a DNS server during the validation process.

Zone Signing Key (ZSK): A Zone key is used to sign the individual records within a zone.

Key Signing Key (KSK): A Key Signing Key is used to create trust and it is used to sign the Zone Signing Key. It also creates a chain of trust with the level above it.

2) RRSIG (resource record digital signature): A RRSIG record contains the signed record. It contains the signature generated by DNSSEC. Each RRSIG record must be matched to another record in the zone for which it provides a digital signature. When a resolver issues a query for a name, one or more RRSIG records are returned in the response.

3) DS (Delegation of Signing) Record: This record is used to secure a delegation. It is stored in the parent zone and is used to verify the results returned when querying the child zone. These records are used to build authentication chains to child zones.

4) NSEC/NSEC3: NSEC records are used when no record exists. NSEC records prevent spoofing attacks that are intended to fool a DNS client into believing that a DNS name does not exist. NSEC3 is a replacement or alternative to NSEC that has the additional benefit of preventing “zone walking” which is the process of repeating NSEC queries in order to retrieve all the names in a zone. NSEC does create a couple of security concerns though and NSEC3 is the replacement to fix the issues.

 

DNSSEC Provides

1) Authenticated DNS Results: DNSSEC ensures that a client can validate that the results it receives from a DNS query are correct.

2) Data Integrity: DNSSEC ensures that a DNS response has not been tampered with and the response from the authoritative DNS server is the response provided to the client

3) Denial of Existence: DNSEC provides a mechanism to ensure that if no record exists for a query that the client receives that response and is not redirected by a malicious upstream.

 

Issues and Limitations

1) Encryption: Even though DNSSEC uses PKI the queries are sent in plain text. DNSSEC is an authentication method, not an encryption method, so the cryptography is used solely for that purpose.

2) Larger responses: DNSSEC provides larger responses, this not only causes additional bandwidth usage, but some old firewalls may block DNS responses if they are too large.

3) Maintenance: DNSSEC requires that keys have a limited lifetime. Zone Signing Keys should expire every 30 days and Key Signing Keys should expire every 12 months.

4) Chain of trust: DNSSEC uses a chain of trust. Root trust anchor can be used to validate any DNSSEC zone that has a complete chain of trust from the root.  The chain of trust must be traced back to a trusted root without interruption in order to validate. Trust anchors must still be configured for secure zones if any of the zones above them are not secure.

3) Register Support: Your register must support DNS records. At this stage not too many do, but a partial list can be found at icann.

4) Correct Time: Your recursive DNS servers must now have the correct time to deal with the PKI. If time has expired, your recursive servers are going to have issues resolving domains as they won’t be able to validate the records.

 

DNSSEC Installation

1) Download the package.

# wget http://www.dnssec-tools.org/download/dnssec-tools-2.0.tar.gz

2) Extract files

 # tar xvzf dnssec-tools-2.0.tar.gz

3) Change the directory.

 # cd dnssec-tools-2.0

4) Open the configuration file.

# vi /etc/named.conf

Locate the options directive and modify the below attributes:

dnssec-enable yes;

dnssec-validation yes;

dnssec-lookaside auto;

5) Restart bind.

# service named restart

 

If you need any further assistance please contact our support department.

 

 

Leave a Reply