Manually checking DNSSEC signatures

Written by Rick van Rein in category: Crypto, Procedures, Security, Technical

At some point while running DNSSEC, you will wonder whether the base64 blobs in your RRSIG and DNSKEY records are actually correct. We describe the procedures we follow to have Python recompute and check the signatures when this happens to us. In what follows, we assume that all your RSA public keys are in DNS; […]
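As an added illustration of the check this post is about (this is not code from the original post), the following stdlib-only Python reconstructs the exact octets an RRSIG covers under RFC 4034 §3.1.8.1 and verifies an RSA/SHA-256 (algorithm 8) signature against a DNSKEY with nothing but `pow()`. The zone name, addresses and validity window are constructed for the example, and the key pair is a deterministic throwaway built from two Mersenne primes so that the example runs without a prime search; a key of that form is trivially factorable and must never be used for anything real.

```python
import calendar
import hashlib
import struct
import time

RSASHA256 = 8  # DNSKEY/RRSIG algorithm number for RSA/SHA-256 (RFC 5702)
# DigestInfo prefix for SHA-256 in a PKCS#1 v1.5 encoding (RFC 5702 s3.1, RFC 8017 s9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed throwaway key: the Mersenne primes 2^521-1 and 2^607-1 give a reproducible
# modulus without prime generation. Special-form primes like these are trivially factorable,
# so this key is for the demo only.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
RSA_E = 65537
RSA_N = _P * _Q
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))

def name_to_wire(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"

def rrsig_time(text):
    """RRSIG inception/expiration in presentation form (YYYYMMDDHHmmSS, UTC) -> epoch seconds."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S"))

def rsa_pubkey_field(e, n):
    """DNSKEY public key field for RSA (RFC 3110 s2): exponent length, exponent, modulus."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    prefix = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + struct.pack("!H", len(eb))
    return prefix + eb + nb

def parse_rsa_pubkey_field(key):
    """Inverse of rsa_pubkey_field -> (e, n). A leading zero byte means a 2-byte exponent length."""
    elen, off = (key[0], 1) if key[0] else (struct.unpack("!H", key[1:3])[0], 3)
    return int.from_bytes(key[off:off + elen], "big"), int.from_bytes(key[off + elen:], "big")

def dnskey_rdata(flags, algorithm, pubkey_field):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey_field

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rrsig_rdata_prefix(sig):
    """RRSIG RDATA with the signature field left off (RFC 4034 s3.1)."""
    return struct.pack("!HBBIIIH", sig["type_covered"], sig["algorithm"], sig["labels"],
                       sig["original_ttl"], sig["expiration"], sig["inception"],
                       sig["key_tag"]) + name_to_wire(sig["signer"])

def signed_data(sig, owner, rdatas):
    """The octets the signature covers (RFC 4034 s3.1.8.1): the RRSIG RDATA prefix, then every
    RR of the set in canonical order, each carrying the *original* TTL from the RRSIG rather
    than whatever TTL a cache currently shows. RDATA is used as given, which is correct for
    types without embedded names (A, AAAA, TXT, DNSKEY, ...); NS/CNAME/MX RDATA would first
    need the names inside it lowercased."""
    owner_wire = name_to_wire(owner)
    rrs = [owner_wire + struct.pack("!HHIH", sig["type_covered"], 1, sig["original_ttl"], len(rd)) + rd
           for rd in sorted(rdatas)]
    return rrsig_rdata_prefix(sig) + b"".join(rrs)

def emsa_pkcs1_v15_sha256(message, k):
    """PKCS#1 v1.5 encoding of SHA-256(message) to k bytes: 00 01 FF..FF 00 DigestInfo hash."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for RSA/SHA-256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(message, d, n):
    """Textbook RSA signing of the encoded digest (used only to build the constructed example)."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15_sha256(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(message, signature, e, n):
    """Recover EM = s^e mod n and compare it with a freshly computed encoding."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15_sha256(message, k)

def verify_rrsig(owner, rdatas, sig, dnskey, now):
    """Check one RRSIG (dict of its fields) against one DNSKEY RDATA; returns (ok, reason)."""
    flags, proto, alg = struct.unpack("!HBB", dnskey[:4])
    if proto != 3 or alg != sig["algorithm"] or alg != RSASHA256:
        return False, "protocol/algorithm mismatch (only RSA/SHA-256 is handled here)"
    if not flags & 0x0100:
        return False, "DNSKEY is not a zone key"
    if key_tag(dnskey) != sig["key_tag"]:
        return False, "key tag does not match this DNSKEY"
    if not sig["inception"] <= now <= sig["expiration"]:
        return False, "signature not valid at this time"
    if sig["labels"] != len([l for l in owner.rstrip(".").split(".") if l]):
        return False, "wildcard expansion (labels field differs from owner) not handled here"
    e, n = parse_rsa_pubkey_field(dnskey[4:])
    if not rsa_verify(signed_data(sig, owner, rdatas), sig["signature"], e, n):
        return False, "RSA signature does not verify"
    return True, "ok"

def demo():
    """Constructed example: sign example.com's A RRset with the throwaway key and return the
    DNSKEY RDATA, the (deliberately unsorted) RDATAs and the RRSIG fields for verification."""
    dnskey = dnskey_rdata(0x0100, RSASHA256, rsa_pubkey_field(RSA_E, RSA_N))
    rdatas = [bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])]
    sig = dict(type_covered=1, algorithm=RSASHA256, labels=2, original_ttl=3600,
               expiration=rrsig_time("20300101000000"), inception=rrsig_time("20200101000000"),
               key_tag=key_tag(dnskey), signer="example.com.")
    sig["signature"] = rsa_sign(signed_data(sig, "example.com.", rdatas), RSA_D, RSA_N)
    return dnskey, rdatas, sig
```

For a real zone, replace `demo()` with the RDATA decoded from your records: base64-decode the DNSKEY and RRSIG blobs, convert the RRSIG timestamps with `rrsig_time`, and pass `now` from the clock of the machine you are debugging. The two mistakes this layout guards against are hashing the cached TTL instead of the original TTL and feeding the RRs in zone-file order instead of canonical order; either one yields a signature that is cryptographically fine yet never verifies.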


Using Drill to validate signatures

Written by Rick van Rein in category: General, Procedures, Security, Technical

How can the Drill utility be used to make sure that zones are properly signed? When a zone runs into a problem, it is helpful to dig around in DNS, possibly querying the authoritative servers directly to bypass validating resolvers. This yields information, but does not actually check the signatures. The Drill utility is a replacement for Dig, and can actually […]


Monitoring HSM memory usage

Written by Roland van Rijswijk in category: Crypto, Procedures, Resilience, Security, Technical

If, like us, you use an HSM to store your DNSSEC key material you may know that it is important to monitor memory usage in your HSM; with a typical DNSSEC key management scheme you may have as many as 5 keys active per signed domain. This can be a burden on your HSM, especially […]


Procedure: Replacing a failed HSM

Written by Rick van Rein in category: Procedures, Resilience, Security

This procedure is needed when one of the two Hardware Security Modules (HSMs) has failed, but not both. Before starting it, it should be established that repair is not possible.


Procedure: Emergency ZSK/KSK rollover

Written by Rick van Rein in category: Procedures, Security, Timing

This is a nasty procedure that must only be performed if the private key material of the ZSK and/or KSK has been compromised, or may have been. It always causes a temporary degradation for the affected domain: either it drops out of validating resolvers, or it becomes insecure. This is why our architecture is designed to make the chances of ever needing it virtually nil.


Procedure: Normal KSK rollover and parent sync

Written by Rick van Rein in category: Procedures, Resilience, Security

Every once in a while, for example once a year, the KSK of each zone needs to be rolled over. This involves communication with the parent zone (the DS record there must follow the new key), making it a little more complicated than internal-only procedures.


Actor responsibilities towards DNSSEC

Written by Rick van Rein in category: Procedures, Security, Technical, Users

We are working towards a DNS signing system with various roles at a number of levels. At each of these levels we assign responsibilities, many of which will not be new to the people involved. We are not primarily worried about people with bad intentions (within our organisation), so we do not split roles as […]


Cryptographic sanity: NSEC3 parameters

Written by Rick van Rein in category: Crypto, Security

One of the factors that delayed the adoption of DNSSEC has been the privacy of the information stored in it. This is a matter of debate, since DNS has always been designed as a public database, but today's Internet cannot be governed by purely technical considerations. The problem lies in securely denying a […]
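As an added example (not code from the original post), the Python below shows what the NSEC3 parameters actually do to a name: the owner name is hashed with SHA-1 together with the salt, the hash is repeated `iterations` more times (RFC 5155 §5), and the result is written in base32hex so that the chain of hashed names can be sorted and compared as text. It then shows how one NSEC3 record, including the last one that wraps around to the start of the chain, proves that a hashed name is absent. The zone names are constructed; the salt `aabbccdd` with 12 iterations is the parameter set of the RFC 5155 Appendix A example zone, which is a convenient known-answer check. The closest-encloser and wildcard parts of a full NXDOMAIN proof (RFC 5155 §8) are not covered here.

```python
import base64
import hashlib

# Map the standard base32 alphabet (A-Z2-7) onto the Extended Hex alphabet (0-9a-v).
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789abcdefghijklmnopqrstuv")

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"

def base32hex(data):
    """RFC 4648 s7 base32 with the Extended Hex alphabet, lowercase, unpadded. Unlike ordinary
    base32 this alphabet preserves the sort order of the binary hash, which is what allows the
    NSEC3 chain to be ordered and compared on the textual owner names."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(B32HEX)

def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: H(x) = SHA-1(x || salt), applied (iterations + 1) times to the owner name.
    Every extra iteration costs the signer and every validating resolver one more SHA-1."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def parse_nsec3param(rdata_text):
    """'1 0 12 aabbccdd' -> (hash_alg, flags, iterations, salt bytes); '-' is the empty salt."""
    alg, flags, iterations, salt = rdata_text.split()
    return int(alg), int(flags), int(iterations), (b"" if salt == "-" else bytes.fromhex(salt))

def nsec3_covers(qname_hash, owner_hash, next_hash):
    """Does the NSEC3 RR (owner_hash -> next_hash) prove that qname_hash is not in the zone?
    The last RR of the chain points back to the first, so its interval wraps around."""
    if owner_hash < next_hash:
        return owner_hash < qname_hash < next_hash
    return qname_hash > owner_hash or qname_hash < next_hash

def find_covering(qname, salt, iterations, chain):
    """Find the chain entry that speaks for qname; chain is [(owner_hash, next_hash), ...].
    Returns ("exists", pair) when the hash is itself an owner (the name, or an empty
    non-terminal, is in the zone), ("covered", pair) for a denial, or None for a broken chain."""
    qh = nsec3_hash(qname, salt, iterations)
    for pair in chain:
        if qh == pair[0]:
            return "exists", pair
        if nsec3_covers(qh, *pair):
            return "covered", pair
    return None

def build_chain(names, salt, iterations):
    """Constructed zone: hash every owner name, sort the hashes, link each one to the next,
    and link the last one back to the first."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]
```

With `build_chain(["example.", "a.example.", "b.example."], bytes.fromhex("aabbccdd"), 12)` as the zone, `find_covering("c.example.", ...)` lands on exactly one interval, which is the record a resolver would need in the negative answer. Raising `iterations` changes nothing about that logic; it only multiplies the SHA-1 work for the signer, for resolvers, and for anyone trying to dictionary-attack the hashed names, which is the trade-off the NSEC3PARAM choice is about.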


Cryptographic sanity: How many keys?

Written by Rick van Rein in category: Crypto, Resilience, Security

In our architecture, we opt for Hardware Security Modules (HSMs) as secure key stores. This helps us with high availability of key material, and thus of our signed domains, but it also imposes some limitations on us. An HSM generally has a limited number of keys that it can store. Had we opted for a […]


HOWTO turn BIND into a Validating Resolver

Written by Rick van Rein in category: Procedures, Security, Technical, Users

This instruction explains how to set up DNSSEC validation with the BIND resolver for DNS. A companion article on Unbound also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used BIND 9.7.1-P2 on Debian Linux. Variations should work; there is even a prebuilt […]
