DNSSEC
The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
Overview
DNSSEC Resource Records
A Resource Record (RR) contains a specific piece of information about a domain. Some common ones are the A record, which holds the IPv4 address of the domain; the AAAA record, which holds the IPv6 address; and the MX record, which lists the mail servers of a domain. A complete list of DNS RR types can be found on Wikipedia.
DNSSEC adds several RRs of its own:
- DNSKEY - Holds the public key that resolvers use to verify signatures.
- RRSIG - Exists for each signed RR and contains the digital signature of that record.
- DS - Delegation Signer - this record lives in the parent zone, i.e. on the TLD's nameservers. So if example.com were your domain name, the TLD is "com" and its nameservers are a.gtld-servers.net., b.gtld-servers.net. up to m.gtld-servers.net. The purpose of this record is to verify the authenticity of the DNSKEY itself: it carries a hash of the child's key, so a resolver can check that the DNSKEY it received from example.com is the one the "com" zone vouches for.
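The DS check described in the list above, as an added example that is not part of this page or of BIND: it builds the DNSKEY RDATA from the presentation format, computes the RFC 4034 key tag and the SHA-256 DS digest (hash over the owner name in wire form followed by the DNSKEY RDATA, as a parent zone would publish it), and then performs the validator-side comparison. The DNSKEY line, its 16-byte public key and the example.com owner name are constructed placeholders, not a real zone key; the helper and constant names are this example's own.

```python
"""Added example: derive a DS record from a DNSKEY and verify the match (stdlib only).

The DNSKEY below is constructed for illustration; a real ECDSA P-256 key is 64 bytes.
"""
import base64
import hashlib
import hmac
import struct

# DS digest type numbers from the IANA "DS RR Type Digest Algorithms" registry
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2

# Constructed DNSKEY in presentation format: flags 257 = zone key + SEP bit (a KSK),
# protocol 3 (the only valid value), algorithm 13 = ECDSAP256SHA256.
EXAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AAECAwQFBgcICQoLDA0ODw=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def dnskey_from_presentation(line: str) -> tuple:
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' into (owner, rdata)."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1: idx + 4])
    # The base64 key may be split across several whitespace-separated chunks.
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, dnskey_rdata(flags, protocol, algorithm, pubkey)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> bytes:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    hash_fn = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}[digest_type]
    return hash_fn(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> tuple:
    """DS RDATA fields (key tag, algorithm, digest type, digest) the parent zone would publish."""
    algorithm = rdata[3]
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validator-side check: is this DNSKEY the one the parent's DS record vouches for?"""
    tag, algorithm, digest_type, digest = ds
    # The key tag and algorithm only select a candidate key; the digest is the actual proof.
    if key_tag(rdata) != tag or rdata[3] != algorithm:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, digest_type), digest)


if __name__ == "__main__":
    owner, rdata = dnskey_from_presentation(EXAMPLE_DNSKEY)
    tag, algorithm, digest_type, digest = make_ds(owner, rdata)
    # Presentation form of the DS record, as it would appear in the parent zone.
    print(f"{owner} IN DS {tag} {algorithm} {digest_type} {digest.hex().upper()}")
    print("DNSKEY matches DS:", ds_matches(owner, rdata, (tag, algorithm, digest_type, digest)))
```

The key tag is deliberately only a lookup hint; two different keys can share one, which is why `ds_matches` always falls through to the digest comparison rather than stopping at the tag.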
Implementing DNSSEC on an Authoritative BIND DNS Server
Installing needed software
Start by installing the needed software on your main DNS server.
apt install bind9 haveged
Testing Tools
DNS Tests
- DNS Server Configuration Tester - dnscheck.pingdom.com
- DNS Server Speed test - www.ultratools.com
DNSSEC Tests
- DNSSEC Server Tester - dnssec-debugger.verisignlabs.com
- DNSSEC Client Tester - conn.internet.nl
Other Resources
- DigitalOcean - How To Setup DNSSEC on an Authoritative BIND DNS Server