DNSSEC (Domain Name System Security Extensions) is an extension to DNS that closes security holes left in the original design of DNS. Its main purpose is to provide authenticated DNS records from the authoritative name servers of a domain and therefore prevent man-in-the-middle and cache poisoning attacks.
DNSSEC works by signing DNS zones with public key cryptography. The next page explains more about how this works.
What DNSSEC Provides
- Authenticated DNS Results – DNSSEC ensures that a client can validate that the results it receives from a DNS query are correct.
- Data Integrity – DNSSEC ensures that a DNS response has not been tampered with, so the response from the authoritative DNS server is the response delivered to the client.
- Denial of Existence – DNSSEC provides a mechanism to ensure that, if no record exists for a query, the client receives that negative answer and is not redirected by a malicious upstream.
Issues and Limitations
- Encryption – Even though DNSSEC uses PKI, the queries are sent in plain text. DNSSEC is an authentication method, not an encryption method, so the cryptography is used solely for that purpose.
- Larger responses – DNSSEC produces larger responses. This not only causes additional bandwidth usage, but some old firewalls may block DNS responses if they are too large.
- Maintenance – DNSSEC requires that keys have a limited lifetime. Zone Signing Keys should expire every 30 days and Key Signing Keys should expire every 12 months.
- Chain of trust – DNSSEC uses a chain of trust. For your zone to use DNSSEC, the zone above yours needs to be signed too. Not all TLDs are currently signed. While .com and .net are, many ccTLDs aren't; for instance, auDA is yet to sign the .au zone, so we can't implement DNSSEC on our .au domains. A full list of signed zones can be found at ICANN.
- Registrar support – Your registrar must support DS records. At this stage not too many do, but a partial list can be found at ICANN.
- Correct time – Your recursive DNS servers must now have the correct time to deal with the PKI. If your clock is wrong, your recursive servers are going to have issues resolving domains, as they won't be able to validate the records.
We are in the process of moving DNS servers, so we decided to implement DNSSEC where possible. This series of articles explains what DNSSEC is and walks through setting up authoritative name servers that support DNSSEC using BIND 9 on CentOS 6. This howto was really written to cover everyone, even those who don't have a lot of experience with BIND, so if you know what you are doing you can probably skip large sections.