DNSSEC - "It's Too Hard" Is No Longer An Excuse

I guess the next thing I get asked is, why bother? To which I reply: would you be happy if your bank or the ATO used no anti-spoofing capabilities, when that capability (DNSSEC) has been around for over twenty years? Of course not. You'd expect them to be as secure as possible, so you know it's really them you're giving your personal and sensitive information to and transacting with, rather than just hoping their DNS hasn't been hijacked and doesn't point you to websites of criminal enterprises running fake sites in Russia.
With your own domain you might not be running a bank; it might be just a small home business selling knitted kids' beanies for winter, an online marketplace, an accountant, a real estate agency, or even a tradie. Any website that takes payments or collects personal information is a potential target for bad actors, from impersonating your online shop to steal your customers' money, to gathering enough information to commit identity theft, which we all know can ruin people's lives.
DNS hijacking has occurred in the past and will again; it's probably happening right now. Thinking "nobody will care about little ol' me, I don't run a bank" is a dangerous attitude, since it happens to everyday people like you, at the hands of miscreants, and to news outlets and bloggers, even at the hands of certain Eastern Bloc governments who want to stop your content reaching their citizens (try visiting China and searching for the Tiananmen Square massacre). That is part of why DNSSEC was born: to help stop those hijackings. When a signed zone is hijacked, readers behind a validating resolver get DNS lookup errors instead of being taken to the fake sites. Sure, visitors won't see your site, but they also won't see the criminal organisations' sites or the Eastern Bloc government's propaganda either.
It's especially important if your domain's website involves your livelihood: you want to ensure that your DNS is secure and directs people to your website and your email server, not hijacked and sending them to some Russian crime syndicate's fake website waiting to bleed them dry or infect them with malware.
DNSSEC is the Domain Name System Security Extensions, a specification by the Internet Engineering Task Force for securing DNS data exchanges. It provides two important functions. The first is DNS data origin authentication, which allows a DNS resolver to cryptographically verify that the data it received actually came from the zone where the data originated. The second is data integrity protection, which allows the resolver to know that the data hasn't been modified in transit since it was originally signed.
Now I'll show you how easy it is to enable DNSSEC on your zone, if you have about 5 minutes.
I only have experience (just over thirty years' worth) with Bind (strangely named - named, probably because bind is part of the *nix environment for binding to sockets, who knows). I've not used the more recent newcomers like PowerDNS or Unbound, and certainly not Microsoft DNS, and I never felt happy with djbdns when I looked at it all those blue moons ago. Well... as they say, stick to what you know best, so the quick how-to below only applies to Bind, but you should be able to easily adapt it to non-Bind DNS servers.
The first step is to satisfy the prerequisites. First, ensure your domain registrar supports DNSSEC, that is, lets you enter DS records (if they don't support DNSSEC in 2023, I suggest grabbing your domain(s) and running away - fast). Navigate through the DNS options and Help sections to locate where and how they want you to enter DS records (for Namecheap, see below).
Secondly, you need to be running a minimum of Bind version 9.16 (you should be running the latest updates; this goes without saying for most, but for some ... it needs saying) on both your primary and slave DNS servers. Earlier Bind versions of course support DNSSEC, but not using these options, and they require you to generate your own keys. Bind's DNSSEC has been streamlined to be so simple a child can do it, and you should be using Bind 9.16 anyway: no earlier versions remain supported, and "my distro's latest version is older" doesn't cut it, use the damn source.
This is turning into War and Peace, so let's get on with it...
First, to avoid named (the Bind executable... confused yet?) complaining after we reload the configuration file, we need to make the keys directory and change its ownership:
mkdir /var/named/keys
chown named:named /var/named/keys
On our primary name server, we need to edit named.conf. I'm going to be using example.net; Bind is running as the user and group named and uses the /var/named directory for zone files - these are typical settings for most distros anyway.
Also note that you do not need to do anything on your slave servers; they need no modifications, they just accept and automagically use DNSSEC.
First thing is to add the keys directory in the global options block:
options {
    version "proudly systemd free";
    directory "/var/named";
    key-directory "/var/named/keys";
    managed-keys-directory "/var/named/keys";
    ....(other options)...
};
Next we edit or create the zone statement for example.net:
zone "example.net" {
    type master;
    // slavedns is an acl listing your slave servers, defined elsewhere in named.conf
    allow-transfer { slavedns; };
    file "example.net";
    allow-query { any; };
    allow-update { none; };
    // the built-in default policy: a single CSK, algorithm 13 (ECDSAP256SHA256)
    dnssec-policy default;
    inline-signing yes;
};
Now we reload named to use the modified configuration:
rndc reconfig
Your primary name server is now running DNSSEC and the zone is signed, yes, bind has already created keys and signed your zone - painless eh?
But we are not quite done just yet. Now we have to retrieve and enter the DS details at our domain registrar, so whilst you have your console open, get the DS information by running the following command (editing for your DNS server and domain name of course), and note the spaces around the dash before the last example.net:
dig @ns1.yournameserver dnskey example.net | dnssec-dsfromkey -f - example.net
This will print out something like
example.net. IN DS 35780 13 2 8C405B40775465657656212C
This gives us all of the DS information we need to complete the process at the registrar:
TAG (35780),
algorithm number (13),
digest type (2 - sha256),
digest (8C405B40775465657656212C)
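To make clear where each of those four fields comes from, here is an added Python example (not from the original post, and not Bind's or dnssec-dsfromkey's own code) that derives the DS record from a DNSKEY line in the layout dig prints, per RFC 4034: the key tag, the algorithm, digest type 2 and the SHA-256 digest over the owner name plus the key RDATA. The DNSKEY line is a constructed sample with a dummy 4-byte key, so its tag and digest are illustrative, not the ones shown above.

```python
import base64
import hashlib
import struct

# Constructed sample in the layout dig prints (owner TTL IN DNSKEY flags proto alg key).
# 257 = SEP flag set (a KSK/CSK), 13 = ECDSAP256SHA256 as used by Bind's default policy.
# The base64 key is a 4-byte dummy, not a real P-256 public key.
SAMPLE_DNSKEY_LINE = "example.net. 3600 IN DNSKEY 257 3 13 AAECAw=="

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def parse_dnskey(line: str):
    """Return (owner, flags, protocol, algorithm, pubkey bytes) from a dig-style DNSKEY line."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(f) for f in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # dig may split the key into words
    return fields[0], flags, proto, alg, pubkey

def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the raw key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit word sum, carry folded back in; not for alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(line: str) -> str:
    """Build the digest-type-2 (SHA-256) DS record that the registrar asks for."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    if not flags & 0x0001:  # SEP bit clear: a ZSK, which never gets a DS at the parent
        raise ValueError("not a key-signing key (SEP flag clear)")
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_DNSKEY_LINE))
```

Feed it the DNSKEY line from your own dig output and the result should match what dnssec-dsfromkey prints; a mismatch means you copied the wrong key or a ZSK.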
No two registrars are the same. I've used several registrars over the decades, but for the past several years I've used Namecheap; if you use them, the procedure is as follows...
Log in, click on Domain List, click Manage on the domain we are adding DNSSEC DS records to, select Advanced DNS, click Add New, and complete the fields with the info from above. Double check, then click on Save All Changes ... that's it - you're done!
You have now successfully completed adding DNSSEC trust to your domain's DNS. I suggest waiting half an hour or so, then verifying it by using these three sites -
https://dnsviz.net/
https://dnssec-debugger.verisignlabs.com/
https://www.zonecheck.org/zonemaster/
Bind will automatically take care of all your re-signings; like I said earlier, it's pretty much set and forget.
Now you can move onto properly securing your Email with SPF, DKIM, and DMARC