This instruction explains how to set up DNSSEC validation with the Unbound DNS resolver. A companion article on BIND also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used Unbound 1.4.5 on Debian Linux. Variations should work; there is even a prebuilt […]
DNSSEC introduces a signature hierarchy based on domain ownership. This means that first-contact situations can be validated under domains; powerful examples are SSH fingerprints, X.509 and OpenPGP certificates, and contact information, all of which can be published in dedicated DNS records.
In a previous post we addressed access control on the network level. This post will focus on access control in various ways on the signer machine. User access control The most basic – but nevertheless important – way of controlling access is by determining which users need access to the signer machine and the potentially […]
Introduction A big part of the security of our infrastructure is determined by the access control we enforce on all the components that form the DNSSEC signer infrastructure. Access control is important on several levels: Network level Access to machines and user privileges on these machines Access to sensitive data on the signer HSM roles […]
DNS data is spread across the internet, at different levels of maturity. When activating or deactivating DNSSEC, it is important to ripple the data through the various servers in a known-good order, with known-good time delays built into the process.
We let customers edit their zone data through a web interface. What we intend to do is make DNSSEC a mere toggle in that interface, and conceal the technical complications from their view.