DNSSEC

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
Overview
DNSSEC Resource Records
A Resource Record (RR) holds a specific piece of information about a domain. Common ones are the A record, which holds the domain's IPv4 address; the AAAA record, which holds its IPv6 address; and the MX record, which lists the domain's mail servers. A complete list of DNS RR types can be found on Wikipedia.
DNSSEC adds several RR types of its own:
- DNSKEY - holds the zone's public key, which resolvers use to verify signatures.
- RRSIG - exists for each signed RR set and contains its digital signature.
- DS - Delegation Signer - this record lives in the parent zone's (the TLD's) nameservers. So if example.com is your domain name, the TLD is "com" and its nameservers are a.gtld-servers.net., b.gtld-servers.net. up to m.gtld-servers.net.. The purpose of this record is to let resolvers verify the authenticity of the child zone's DNSKEY itself.
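The link between the parent's DS record and the child's DNSKEY, as an added example that is not part of the original page: the script below computes a DS record from a DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4034 section 5.1.4) and then performs the resolver-side check that a received DNSKEY matches the DS the parent published. The zone name is the page's example.com; the public key bytes and the `SAMPLE_KSK` name are constructed for illustration and are not a real key. Signature verification of RRSIG records is not shown, since it needs a cryptographic library.

```python
"""Added example (not from the page): DS <-> DNSKEY chain-of-trust check.

The DS record in the parent zone ("com" for example.com) carries a digest of
the child zone's DNSKEY, so a validating resolver can confirm that the DNSKEY
it received is the one the parent vouches for. Key tag: RFC 4034 Appendix B.
DS digest: RFC 4034 section 5.1.4, digest type 2 = SHA-256.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DNSKEY:
    owner: str        # zone name, e.g. "example.com."
    flags: int        # 257 = KSK (Zone Key + SEP bits), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256, 8 = RSASHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(len(lbl).to_bytes(1, "big") + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum resolvers use to pick the right DNSKEY."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(key: DNSKEY) -> DS:
    """What the parent zone publishes: SHA-256 over owner-name wire form + DNSKEY RDATA."""
    digest = hashlib.sha256(owner_wire(key.owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, 2, digest)


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """Resolver-side check: does this DNSKEY hash to the DS the parent published?"""
    if ds.digest_type != 2 or ds.algorithm != key.algorithm:
        return False
    if ds.key_tag != key_tag(key.rdata()):
        return False
    expected = hashlib.sha256(owner_wire(key.owner) + key.rdata()).digest()
    return hmac.compare_digest(expected, ds.digest)


# Constructed sample KSK for the page's example zone; the key bytes are NOT a real key.
SAMPLE_KSK = DNSKEY("example.com.", 257, 3, 13, bytes(range(64)))


def chain_of_trust_demo() -> tuple:
    """Return (genuine key validates, tampered key validates) against the parent's DS."""
    parent_ds = make_ds(SAMPLE_KSK)  # what the "com" zone would publish for example.com
    # A DNSKEY with one altered byte, as an attacker substituting their own key would produce.
    tampered = replace(SAMPLE_KSK, public_key=bytes([0xFF]) + SAMPLE_KSK.public_key[1:])
    return ds_matches(parent_ds, SAMPLE_KSK), ds_matches(parent_ds, tampered)


if __name__ == "__main__":
    ds = make_ds(SAMPLE_KSK)
    print(f"DS for {SAMPLE_KSK.owner}: {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.hex()}")
    print("genuine validates / tampered validates:", chain_of_trust_demo())
```

The tampered key fails even when its key tag happens to collide, because the digest comparison is what carries the trust; the key tag only narrows down which DNSKEY to try. `hmac.compare_digest` is used for the comparison so the check runs in constant time.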
Implementing DNSSEC on an Authoritative BIND DNS Server
Installing needed software
Start by installing the needed software on your main (authoritative) DNS server.
apt install bind9 haveged
Testing Tools
DNS Tests
- DNS Server Configuration Tester - dnscheck.pingdom.com
- DNS Server Speed test - www.ultratools.com
DNSSEC Tests
- DNSSEC Server Tester - dnssec-debugger.verisignlabs.com
- DNSSEC Client Tester - conn.internet.nl
Other Resources
- Digital Ocean - How To Setup DNSSEC on an Authoritative BIND DNS Server