At some point while running DNSSEC, you will wonder if the base64 blobs in RRSIG and DNSKEY records are actually correct. We specify a few procedures that we follow to have Python calculate signatures if that happens to us. In what follows below, we are assuming that all your RSA public keys are in DNS; […]
How can the Drill utility be used to ensure properly signed zones? When a zone encounters a problem, it is helpful to dig around in DNS, possibly probing the authoritatives directly to bypass validating resolvers. This will yield information, but not actually check signatures. The Drill utility is a replacement of Dig, and can actually […]
If, like us, you use an HSM to store your DNSSEC key material you may know that it is important to monitor memory usage in your HSM; with a typical DNSSEC key management scheme you may have as many as 5 keys active per signed domain. This can be a burden on your HSM, especially […]
This procedure is needed when one (not both) Hardware Security Module (or HSM) has failed. Before doing this, it should be established that there is no repair possible.
This is a nasty procedure that must only be performed if private key material of ZSK and/or KSK is (or may have been) compromised. It always leads to temporary unsatisfactory performance, which is why the chances for this are virtually eliminated with our architecture: either the domain drops out of validating resolvers, or it becomes insecure.
Every once in a while, for example once a year, the KSK for each zone needs to be rolled over. This involves communication with the parent zone, making it a little more complicated than internal-only procedures.
We are working towards a DNS signing system with various roles at a number of levels. At each of these levels we assign responsibilities, many of which will not be new to the people involved. We are not primarily worried about people with bad intentions (wihtin our organisation), so we do not split roles as […]
One of the factors that delayed the adoption of DNSSEC has been the privacy of the information stored in it. This is a topic of debate, as DNS has always been designed as a public database, but the Internet of today cannot be reigned from purely technical motivations. The problem is with securely denying a […]
In our architecture, we opt for Hardware Security Modules (or HSMs) as secure key stores. This helps us with high-availability of key material, and thus of our signed domains, but it also poses us with some limitations. An HSM generally has a limited number of keys that it can store. Had we opted for a […]
This instruction explains how to setup DNSSEC validation with the BIND resolver for DNS. A companion article on Unbound also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used BIND 9.7.1-P2 on Debian Linux. Variations should work; there even is a prebuilt […]