HOWTO turn Unbound into a Validating Resolver

Written by Rick van Rein in category: Procedures, Security, Technical, Users

This instruction explains how to set up DNSSEC validation with the Unbound resolver for DNS. A companion article on BIND also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used Unbound 1.4.5 on Debian Linux. Variations should work; there is even a prebuilt […]


Picking the fruits of using DNSSEC

Written by Rick van Rein in category: Crypto, Security, Technical, Users

DNSSEC introduces a signature hierarchy on grounds of domain ownership. This means that first-contact situations can be validated under domains; powerful examples are SSH fingerprints, X.509 and OpenPGP certificates, and contact information, all of which can be specified in dedicated DNS records.


Access control (#2: the signer)

Written by Roland van Rijswijk in category: Architecture, Policy, Procedures, Security

In a previous post we addressed access control on the network level. This post will focus on access control in various ways on the signer machine. User access control The most basic – but nevertheless important – way of controlling access is by determining which users need access to the signer machine and the potentially […]

Access control (#1: Network level)

Written by Roland van Rijswijk in category: Architecture, Policy, Security

Introduction A big part of the security of our infrastructure is determined by the access control we enforce on all the components that form the DNSSEC signer infrastructure. Access control is important on several levels: Network level Access to machines and user privileges on these machines Access to sensitive data on the signer HSM roles […]

Why it takes time to switch DNSSEC on and off

Written by Rick van Rein in category: Security, Timing, Users

DNS data is spread across the internet, at different levels of maturity. When activating or deactivating DNSSEC, it is important to ripple the data through the various servers in a known-good order, with known-good time delays built into the process.

DNSSEC as a push-button service

Written by Rick van Rein in category: Security, Users

We let customers edit their zone data through a web interface. What we intend to do is make DNSSEC a mere toggle in that interface, and conceal the technical complications from their view.
