February 9, 2012 archive

Looking for a comprehensive guide to what DNSSEC is all about?  If so, Olaf Kolkman and the team at NLnet Labs have created and maintained for many years now the extremely detailed “DNSSEC HOWTO, a tutorial in disguise.” You can find it at:

http://www.nlnetlabs.nl/publications/dnssec_howto/

It is available as both a web page and as a PDF for download.

The document was last updated in July 2009, which unfortunately means that it pre-dates the signing of the root zone in July 2010 and therefore does not truly represent the current state of affairs with regard to DNSSEC.  However, the document is still an excellent resource for anyone looking to learn more about DNSSEC in general.

The HOWTO is a long document that covers a great range of material related to DNSSEC.  As Olaf Kolkman writes in the beginning, the document includes:

Part I, intends to provide some background for those who want to deploy DNSSEC.Part II, about the aspects of DNSSEC that deal with data security.

• Creating an island of security (Chapter 2, ”Configuring a recursive name server to validate answers” and Chapter 3, ”Securing a DNS zone”) by configuring a recursive name server to validate the signed zones served by your organisations authoritative name servers. When you have learnt and implemented this, you can be sure that DNS data in your organisation is protected from change. Once you have created an island of security it is a small step to become part of a chain of trust.
• Delegating signing authority; building a chain of trust (Chapter 4, ”Delegating of signing authority; becoming globally secure”). You will learn how to exchange keys with your parent and with your children.
• Chapter 5, ”Rolling keys” covers maintaining keys and ensuring that during the rollover process clients will be able to maintain a consistent view of your DNS data.
• Part IV, covering aspects that deal with server to server security and transaction security.
• Chapter 9, ”Securing zone transfers” is on the use of transaction security (TSIG) to provide authorisation and integrity for zone transfers.

Part III, describes a few tools that may turn out handy while figuring out what might have gone wrong.

We understand that the NLnet Labs team would like to update the document and would welcome any contributions of time to help bring the document up-to-date. If you are interested, we suggest you contact NLnet Labs at labs@nlnetlabs.nl.