Need guidance on configuring DNSSEC

David Newman dnewman at networktest.com
Fri Oct 11 17:55:13 UTC 2013


On 10/11/13 7:32 AM, Vishal Gandhi wrote:

> We are planning to sign local zone (fdu.local).  Is it required to sign
> the parent zone (fdu.edu) as well, or can we live with it unsigned?
> What are the pros and cons of signing the parent zone (fdu.edu)?

DNSSEC is based on a chain of trust, where a subdomain is trusted only
if the parent domain vouches for it. So, "." validates "edu" and so on.

It is possible to create an "island of trust" for a local zone. This
works OK, but only if there's never a requirement for nonlocal traffic
to verify DNSSEC signatures.

The major advantage of signing the parent zone is that Internet-facing
hosts (and those NAT'd or proxied to face the Internet) won't be
vulnerable to most hijacking and spoofing attacks we have with DNS
today. There are also some neat DNSSEC tricks possible, such as
distributing SSH keys and even self-signed certs once a chain of trust
is established.

The downsides are (1) DNSSEC is still a little involved to configure and
manage and (2) a configuration mistake can make your zone disappear from
the global Internet.

On point 1, you'll probably want to upgrade to Bind 9.9 for better
automatic key management. You'll also need to verify that your network
is DNSSEC-ready, and that your registrar supports loading of DS keys.
For the former, there's a good check here:

https://www.dns-oarc.net/oarc/services/replysizetest

On point 2, of course it's also possible to screw up a regular DNS
configuration. DNSSEC just gives you more opportunities...

If you haven't got it already, I'd strongly recommend "DNSSEC Mastery"
by Michael W. Lucas. It's very readable and covers both regular and
islands-of-trust configuration with Bind 9.9.

dn


> 
> We've found information on signing zones on AD at least.  Can someone
> provide us steps to enable and configure DNSSEC for our domains?
> 
> Thanks in advance.
> Vishal K. Gandhi
> Systems Analyst/E-Mail Specialist
> University Systems and Security
> *1000 River Road, Teaneck NJ 07666*
> Mail Stop: T-BH1-01
> phone: 201-692-2414 | fax: 201-692-2494 | email: vgandhi at fdu.edu
> "Fairleigh Dickinson University will never ask for your password. Please
> do not share it with others!"
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
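As an added illustration of the two deployment modes discussed in the reply (island of trust for fdu.local versus a parent-anchored fdu.edu), here is what the BIND 9.9 configuration looks like. This is example configuration written for this page, not taken from the thread or from either poster; the file paths, key directory and the key string are assumptions or placeholders.

```conf
// Added example, not from the thread. Names fdu.local / fdu.edu come from
// the post; paths, key directory and the key string are assumptions.

// ---- named.conf on the authoritative server (BIND 9.9) ----
// Keys are generated beforehand with dnssec-keygen into key-directory.
// "auto-dnssec maintain" publishes and retires them on their timing
// metadata; "inline-signing" signs a copy and leaves the master file alone.
options {
    directory "/var/named";                 // assumed
    dnssec-enable yes;
};

zone "fdu.local" {
    type master;
    file "master/fdu.local.db";             // assumed, unsigned zone data
    key-directory "keys/fdu.local";         // assumed, holds K*.key/.private
    inline-signing yes;
    auto-dnssec maintain;
};

// ---- named.conf on each validating resolver that must trust fdu.local ----
// Island of trust: no parent vouches for fdu.local, so its KSK is installed
// directly as a trust anchor. A resolver without this entry has no way to
// validate fdu.local answers, which is the "nonlocal traffic" limitation
// described in the reply.
options {
    dnssec-enable yes;
    dnssec-validation auto;     // built-in root trust anchor covers the rest
};

trusted-keys {
    // owner, flags (257 = KSK), protocol (3), algorithm (8 = RSASHA256),
    // then the base64 public key copied from the KSK's K*.key file.
    "fdu.local." 257 3 8 "PLACEHOLDER-BASE64-KSK-PUBLIC-KEY";
};

// For fdu.edu the authoritative block is the same; the difference is that
// the KSK's DS record (printed by dnssec-dsfromkey from the K*.key file) is
// handed to the .edu registrar instead of being installed on every resolver.
```

Once the DS is published at the registrar, `dig +dnssec` against a validating resolver should return the AD flag for fdu.edu names without any per-resolver trust anchor; a DS that does not match the live KSK is the "zone disappears" failure the reply warns about.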