Manually checking DNSSEC signatures

Written by Rick van Rein in category: Crypto, Procedures, Security, Technical

At some point while running DNSSEC, you will wonder if the base64 blobs in RRSIG and DNSKEY records are actually correct. We specify a few procedures that we follow to have Python calculate signatures if that happens to us. In what follows below, we are assuming that all your RSA public keys are in DNS; […]


Monitoring HSM memory usage

Written by Roland van Rijswijk in category: Crypto, Procedures, Resilience, Security, Technical

If, like us, you use an HSM to store your DNSSEC key material you may know that it is important to monitor memory usage in your HSM; with a typical DNSSEC key management scheme you may have as many as 5 keys active per signed domain. This can be a burden on your HSM, especially […]


Procedure: Key backup and recovery

Written by Rick van Rein in category: Crypto, Procedures

Making backups is a regular task. Recovering from a backup is only done when both Hardware Security Modules (or HSMs) have lost their data; if only one got damaged, follow the procedure for HSM replacement.


Cryptographic sanity: NSEC3 parameters

Written by Rick van Rein in category: Crypto, Security

One of the factors that delayed the adoption of DNSSEC has been the privacy of the information stored in it. This is a topic of debate, as DNS has always been designed as a public database, but the Internet of today cannot be ruled by purely technical motivations. The problem is with securely denying a […]


How many keys #2

Written by Roland van Rijswijk in category: Architecture, Crypto, Technical

For a paper I’m writing on state-of-the-art cryptography and applications of cryptography I’ve drawn a picture of the complete trust chain required to validate the answer to a query for (which is in one of our test domains and is a CNAME pointing to this blog). It really drives home how complex DNSSEC can […]


Cryptographic sanity: Key sizes

Written by Rick van Rein in category: Crypto, Timing

In our architecture, we consider three levels of users: end users, who understand DNS at a conceptual level; operators, who understand DNS at an operational level; and security officers, who are mindful of the cryptographic intricacies of DNSSEC. After initial setup has been done, a security officer only needs to oversee the secure operation of the […]


Cryptographic sanity: How many keys?

Written by Rick van Rein in category: Crypto, Resilience, Security

In our architecture, we opt for Hardware Security Modules (or HSMs) as secure key stores. This helps us with high-availability of key material, and thus of our signed domains, but it also poses us with some limitations. An HSM generally has a limited number of keys that it can store. Had we opted for a […]


Picking the fruits of using DNSSEC

Written by Rick van Rein in category: Crypto, Security, Technical, Users

DNSSEC introduces a signature hierarchy on grounds of domain ownership. This means that first-contact situations can be validated under domains; powerful examples are SSH fingerprints, X.509 and OpenPGP certificates, and contact information, all of which can be specified in dedicated DNS records.