HSM backup considerations

Written by Rick van Rein in category: Architecture, Resilience, Technical, Timing

When you start to support DNSSEC, you are suddenly supposed to manage the keys used to sign the domain. This is a typical task for a security officer. Typical concerns are to conceal the private keys from outside-world prying eyes, and to avoid losing keys as long as the outside world needs them to trust […]

No Comments

HOWTO turn BIND into a Validating Resolver

Written by Rick van Rein in category: Procedures, Security, Technical, Users

This instruction explains how to setup DNSSEC validation with the BIND resolver for DNS. A companion article on Unbound also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used BIND 9.7.1-P2 on Debian Linux. Variations should work; there even is a prebuilt […]

2 Comments

HOWTO turn Unbound into a Validating Resolver

Written by Rick van Rein in category: Procedures, Security, Technical, Users

This instruction explains how to setup DNSSEC validation with the Unbound resolver for DNS. A companion article on BIND also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used Unbound 1.4.5 on Debian Linux. Variations should work; there is even a prebuilt […]

2 Comments

Verifying the root trust anchor

Written by Roland van Rijswijk in category: General

Before you start using the root trust anchor, it is very important to verify it. ICANN has specified several methods for doing this. We relied on the PGP signature made by one of the trusted community representatives, Olaf Kolkman of NLnet Labs. Again, please make sure that you validate the trust anchor before you start […]

1 Comments

Now that the root is signed…

Written by Roland van Rijswijk in category: General

Today was a big milestone in the deployment of DNSSEC on the Internet with the signing of the root zone. For system administrators of recursive caching name servers – or as they are colloquially known, resolvers – this is good news. For the first time ever, they can configure a trust anchor for the root […]

1 Comments

Time to celebrate: the root was signed today

Written by Roland van Rijswijk in category: General

July 15th 2010 is a very special day… today the root zone of the Internet was signed using DNSSEC! Time for cake 🙂

1 Comments

Picking the fruits of using DNSSEC

Written by Rick van Rein in category: Crypto, Security, Technical, Users

DNSSEC introduces a signature hierarchy on grounds of domain ownership. This means that first-contact situations can be validated under domains; powerful examples are SSH fingerprints, X.509 and OpenPGP certificates, and contact information, all of which can be specified in dedicated DNS records.

1 Comments

The power of idempotence

Written by Rick van Rein in category: Architecture, Resilience

If any design principle has been leading our architectural work around resilience for DNSSEC, it has been idempotence. It is one of those algebraic concepts that really helps to beat sense into a complex set of choices. Idempotence means that doing the same thing twice is no different from doing it once. Painting orange on […]

No Comments

Access control (#2: the signer)

Written by Roland van Rijswijk in category: Architecture, Policy, Procedures, Security

In a previous post we addressed access control on the network level. This post will focus on access control in various ways on the signer machine. User access control The most basic – but nevertheless important – way of controlling access is by determining which users need access to the signer machine and the potentially […]

No Comments

Access control (#1: Network level)

Written by Roland van Rijswijk in category: Architecture, Policy, Security

Introduction A big part of the security of our infrastructure is determined by the access control we enforce on all the components that form the DNSSEC signer infrastructure. Access control is important on several levels: Network level Access to machines and user privileges on these machines Access to sensitive data on the signer HSM roles […]

No Comments