DNSSEC Made Easy, presented at PHNOG 2025
0 likes249 views
Arth Paulite, Infrastructure Services Manager at APNIC, delivered a presentation titled 'DNSSEC Made Easy' at PHNOG 2025 held in Manila, Philippines from 7 to 11 July 2025.
DNSSEC Made Easy, presented at PHNOG 2025
- 1. 1 DNSSEC Made Easy Arth Paulite APNIC Infrastructure Services
- 2. 2 2 What is DNSSEC • Domain Name System Security Extension • Protect integrity and authenticity of DNS data • Uses digital signatures similar to e-mail • DNSSEC signing – DNS response is signed by authoritative DNS server • DNSSEC validation – DNS resolver verify signature using public key
- 3. 3 3 DNSSEC Signing • What is it? – The process of digitally signing DNS records using cryptographic keys. – Ensures that DNS data (A, MX, TXT records) hasn’t been tampered with. • Who does it? – Domain owners or their hosting providers • How it works? – Zone file is signed by their private key – Copy of public key is published in parent zone • Purpose – To prove authenticity and Integrity of DNS data.
- 4. 4 4 DNSSEC validation • What is it? – The process of verifying digital signatures during DNS resolution • Who does it? – DNS resolvers ( ISPs or public DNS services like 1.1.1.1, 8.8.8.8 ) • How it works? – Resolver checks the signature (RRSIG) on DNS records – It follows the chain of trust from root zone down to domain – If signature is valid and chain is intact, the data is accepted • Purpose – To protect users from getting forged DNS responses
- 5. 5 5 DNSSEC key components • Traditional or – Zone Signing Key (ZSK) • Used to sign individual DNS records – Key Signing Key (KSK) • Used to sign ZSK and KSK • Delegation Signer (DS) – Copy of public key (hash) published in parent zone – Links child zone to parent zone for DNSSEC chain of trust • Simple – Combined Signing key (CSK) • Single key used as KSK and ZSK
- 6. 6 6 Where do I start • Use DNSSEC validation everywhere – Home, work and especially public network • Test your connection - https://internet.nl • Use public DNS like 1.1.1.1 or 8.8.8.8 – Running your own DNS Resolver (Opensource) • BIND - Internet Systems Consortium (ISC) • Unbound - NLNet Labs • Knot - CZ.NIC, Operator of .CZ ccTLD • PowerDNS - Open-Xchange
- 7. 7 7 PH DNSSEC validation rate
- 8. 8 8 DNSSEC signing for domain owner • Use hosting provider with DNSSEC support – Amazon Route53, Quad9 – Cloudflare free account • Sufficient basic web caching • Free DNS hosting • Automatic DNSSEC signing • Running your own DNSSEC signer – Bind – Knot – PowerDNS
- 9. 9 9 Challenges in DNSSEC signing • DNSSEC policy – DNSSEC key specs • algorithm, length – Key timings • Key expiry • Safely retiring used keys – Signature timings • Signature validity • Signature refresh – Zone timings – Key rollover • Regular key replacement • Generating DS record • DS record registration to parent • Operational overhead – Additional tooling – Monitoring – Additional resource, expertise
- 10. 10 10 Automated DNSSEC policy Applying default policy zone ”paulite.art" { type primary; file "db.paulite.art"; dnssec-policy default; }; Bind-9.20 default DNSSEC policy dnssec-policy "default" { keys { lifetime unlimited algorithm ecdsa256; }; ... # Key timings dnskey-ttl PT1H; publish-safety PT1H; retire-safety PT1H; purge-keys P90D; ... # Signature timings signatures-refresh P5D; signatures-validity P14D; signatures-validity-dnskey P14D; ... # Zone parameters max-zone-ttl P1D; zone-propagation-delay PT5M; parent-ds-ttl P1D; parent-propagation-delay PT1H; };
- 11. 11 11 Automated DS record registration • RFC 7344 – Automating DNSSEC Delegation Trust Maintenance – Child Delegation Signer (CDS) – Child DNSKEY (CDNSKEY) – Describes how child zones can signal changes to their DS records in the parent zone • RFC 8078 – Managing DS Records via CDS/CDNSKEY – Framework for registries to safely implement RFC7344 • Registry supporting automated DS record registration – .ch - Switzerland ccTLD – .cz - Czech Republic ccTLD
- 12. 12 Manual DS registration • Perform DNS query for CDS % dig cds paulite.art paulite.art. CDS 31498 13 2 ABA02B050B629888C281BA33B208A188AB1… • Where: ➢ 31498 - key tag or key ID ➢ 13 - algorithm refers to ECDSAP256SHA256 ➢ 2 - refers to hash algorithm RSA SHA256 ➢ The last part is the 64 hex digit hash of public key
- 13. 13 Manual DS record registration godaddy.com DS registration
- 14. 14 14 Monitoring – dnsviz.net . ( root ) .art paulite.art Status paulite.art DNSSEC status
- 15. 15 15 Summary • DNSSEC validation – Can be easily achieve using public DNS – Opensource resolvers perform validation by default • DNSSEC signing – Bind-9.20 “default” policy is a good starting point • Uses recommended algorithm – ECDSAP256SHA256 • Default timings are within recommended range • Uses CSK that does not expire • Creates CDS record letting parent pickup DS if supported • Built-in tool (RNDC) for key rollover – References • ISC knowledge base – https://kb.isc.org • APNIC Academy - Hands-on DNS/DNSSEC lab exercise
- 16. 16 16 Thank you!