Category: DNSSEC

Valuable Info In EU’s “Good Practices Guide” for DNSSEC Deployment

Looking for a good concise guide to the security issues and procedures related to deploying DNSSEC?  Back in March 2010, the European Network and Information Security Agency (ENISA) issued their “Good Practices Guide For Deploying DNSSEC” with the abstract:

Deploying DNSSEC requires a number of security details and procedures to be defined and followed with specific requirements as to timing. This guide addresses these issues from the point of view of information security managers responsible for defining a policy and procedures to secure the DNS services of a company or an organisation, and from the point of view of competent authorities defining or regulating requirements for deployment.

Coming in at only 29 pages, the document provides a good overview of the issues you need to be thinking about and the steps you need to go through when deploying DNSSEC. While the guide was created prior to the signing of the root zone in July 2010, it still is very accurate in outlining what needs to be done.

Well worth a look if you are looking for whitepapers and similar documents around DNSSEC deployment.

ICANN DNSSEC Workshop March 14 in Costa Rica

Will you be at the ICANN 43 meeting taking place in San José, Costa Rica, in March 2012?  If so, on Wednesday, March 14, 2012, there will be a “DNSSEC Workshop” bringing together people to discuss current and future DNSSEC deployment.  Information is not yet available on the ICANN 43 website, but the call for proposals indicated that they were seeking talks on:

1. DNSSEC activities in Latin America

2. The realities of running DNSSEC

3. DNSSEC and the Finance Industry

4. When unexpected DNSSEC events occur

5. DNSSEC in the wild

6. DANE and other DNSSEC applications

I (Dan York) will be there in Costa Rica at the session and am definitely looking forward to joining in the conversation and listening and learning.  If you will be there at the session, please do say hello (or drop me a note in advance).  You can also expect to see information posted here to our blog coming out of that session.

P.S. If you want to attend, there is still time to register for the ICANN 43 meeting.  I’m told the DNSSEC Workshop will also be streamed live. As soon as we have the live-streaming information we’ll post that here.

NLnet Labs Makes Their DNSSEC Training Materials Freely Available For All To Use

Want to offer your own DNSSEC training courses? Or want to run an internal DNSSEC training class? Or want to give a DNSSEC presentation to a local user group? Or are you simply looking for material to help you learn more about DNSSEC?

If you answered yes to any of those questions, Olaf Kolkman and the team at NLnet Labs have given the Internet community a wonderful gift in the form of DNSSEC course materials that are freely available for usage and modification (subject to attribution). The slides are all part of a DNSSEC “Train the Trainer” course that Olaf recently gave and are available in PowerPoint, Keynote and PDF form from:

http://www.dns-school.org/Slides/index.html

The materials are licensed under a permissive Creative Commons license that basically lets you do whatever you want to the materials, including modify them and use them for commercial training, provided you include the appropriate attribution link.

It’s great that the NLnet Labs team has made this material available and we hope that people across the Internet find it a useful way to teach about DNSSEC and get more people using DNSSEC!

Thanks, Olaf and NLnet Labs!

ENISA: Good Practices Guide For Deploying DNSSEC

In March 2010, the European Network and Information Security Agency (ENISA) issued their “Good Practices Guide For Deploying DNSSEC” with the abstract:

Deploying DNSSEC requires a number of security details and procedures to be defined and followed with specific requirements as to timing. This guide addresses these issues from the point of view of information security managers responsible for defining a policy and procedures to secure the DNS services of a company or an organisation, and from the point of view of competent authorities defining or regulating requirements for deployment.

While the document was created prior to the signing of the root zone in July 2010, the concise 29-page guide still provides a good overview of what is involved in working with DNSSEC and sound guidelines for using and implementing it.

The Table of Contents for the document is:

  • DNSSEC practices statement
  • Signing your zone
    • Value of a signed zone
    • Designing a signing system
    • Signing in a test environment
    • Checking the DNS servers
    • Key generation and management
    • Physical security
    • Use of NSEC3
    • Key rollovers
    • Performance issues
    • Publication of keys
    • Change of registrar
    • Change a zone from signed to unsigned
    • Change of domain holder (registrant)
  • Selecting a product
  • Outsourcing
  • Change of DNS provider
  • Validating DNS queries
    • Configure trust anchors
    • Routers, firewalls and other network equipment
  • Conclusions
  • ANNEX 1: Contents of a TAR’s policy and practices
  • ANNEX 2: Support of DNSSEC on commonly used nameservers
  • Reference

The document is available for free download in PDF form from the ENISA website.

DNSSEC Training: Internet Systems Consortium (ISC)

The Internet Systems Consortium (ISC), authors and maintainers of the BIND DNS server, have been providing DNSSEC-related training for several years at both conferences and in training centers all over the world. Their latest schedule of courses can be found at:

http://www.isc.org/support/training

ISC offers focused classes on DNSSEC and also includes DNSSEC as a component of other DNS-related classes. Note that ISC also provides IPv6 training classes.


The Internet Society Deploy360 Programme does not recommend or endorse any particular commercial providers of training. The information provided here is to assist people in finding training providers and is part of a larger effort to list all known providers of DNSSEC-related training. If you know of additional training providers we should include, please contact us.


DNSSEC Training: NLnet Labs Course Materials (Slides)

In February 2012, Olaf Kolkman from NLnet Labs taught a 2-day DNSSEC “Train-The-Trainer” workshop and nicely made all his course materials available online at:

http://www.dns-school.org/Slides/index.html

Olaf made all his courseware available as PDF, PowerPoint and Keynote files under a Creative Commons license that allows the course materials to be copied, modified and even used for commercial purposes – provided that an attribution link is maintained.

It’s great to see this kind of material being made available and we thank Olaf and NLnet Labs for making this material available to the broader community at no cost.

For quick reference, here are the sections of the NLnet Labs course materials (links go directly to the NLnet Labs site):

  • DNS vulnerabilities (PDF, KEY, PPT)
  • Unbound (PDF, KEY, PPT)
  • DNSSEC Theory (PDF, KEY, PPT)
  • Troubleshooting (PDF, KEY, PPT)
  • Practicalities (PDF, KEY, PPT)
  • DNSSEC Key Rollover (PDF, KEY, PPT)
  • OpenDNSSEC (PDF, KEY, PPT)
  • DNS in a Workflow (PDF, KEY, PPT)

DNSSEC And The Challenge Of Modern Websites

Given that modern websites often pull content from a variety of different sites to build a single page, what impact does that have on DNSSEC and providing the security that it does?

That was one of the questions raised in a recent post by the DNSSEC Deployment Initiative titled “Are You Secure?” This key point was emphasized in this paragraph:

It shouldn’t come as a surprise to you that your browser was trying to load content from badsign-a.testsub.dnssec-deployment.org although you had not typed that in the address bar. More generally, it shouldn’t be surprising that it requires more than a single DNS lookup to fill the contents of a page. In fact, as the query trace from loading a relatively simple page such as www.dnssec-deployment.org illustrates below, an un-primed resolver easily performs in excess of a hundred lookups before the browser renders the complete page. Some of these queries are not even for names under the dnssec-deployment.org domain. For more content-packed sites the number of names looked up is even higher.

The way we build websites today very often involves pulling in content from a variety of different sites.  Sometimes it is something as simple as the latest jQuery JavaScript library.  Sometimes it is images or advertisements.  Sometimes it is the latest tweets or other content from social networks.
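To make that concrete, here is an added Python example (not code from the Deploy360 post or from the DNSSEC Deployment Initiative article) that does what the query trace in the article does by hand: it walks an HTML page and lists every hostname the browser has to resolve before the page renders, then separates out the names that are not under the page's own domain. The sample page, its URL and all hostnames in it are constructed placeholders. Each name it prints is a lookup that a validator must cover; a plugin that validates only the address-bar name leaves the rest unchecked.

```python
"""Enumerate the DNS names a browser must resolve to render one page.

Added illustration; the HTML and hostnames below are constructed
placeholders, not real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose URL the browser fetches while rendering. Plain <a href>
# links are not fetched until clicked, so they are deliberately left out.
RENDER_TIME_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collects every render-time resource URL, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = RENDER_TIME_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                # urljoin resolves relative paths ("images/x.png") and
                # protocol-relative references ("//cdn.example.test/x.js").
                self.urls.append(urljoin(self.page_url, value.strip()))


def render_time_hostnames(html, page_url):
    """Sorted list of hostnames looked up to render the page, own host included."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own = urlsplit(page_url).hostname
    hosts = {own.lower()} if own else set()
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def offsite_hostnames(html, page_url):
    """Names outside the page's own domain: each is a zone that must itself be
    signed, and validated by the resolver, for the page to be fully protected."""
    own = urlsplit(page_url).hostname.lower()
    # Crude same-domain rule (last two labels); a public-suffix list would be
    # needed for e.g. ".co.uk", which is beyond this illustration.
    own_domain = ".".join(own.split(".")[-2:])
    return [h for h in render_time_hostnames(html, page_url)
            if not (h == own_domain or h.endswith("." + own_domain))]


# Constructed sample page: one stylesheet and one image on the site itself,
# a script from the site's own CDN, and three third-party resources.
PAGE_URL = "https://www.example.test/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.test/jquery.min.js"></script>
<script src="https://widgets.social.example/feed.js"></script>
</head><body>
<img src="images/logo.png">
<img src="https://ads.example.net/banner.png">
<iframe src="https://video.example.org/embed/1"></iframe>
<a href="https://elsewhere.example.com/">not fetched at render time</a>
</body></html>
"""

if __name__ == "__main__":
    names = render_time_hostnames(SAMPLE_HTML, PAGE_URL)
    print(f"{len(names)} hostnames resolved to render {PAGE_URL}:")
    for name in names:
        print("  ", name)
    print("outside the page's own domain:", offsite_hostnames(SAMPLE_HTML, PAGE_URL))
```

Run against a saved copy of a real page, the output is the list of names whose zones you would check with a validating resolver (for instance, asking each name with `dig +dnssec` and looking for the AD flag in the reply); a missing or bogus answer for any one of them is exactly the case the article's badsign-a test image is designed to expose.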

The article goes on to talk about the value of moving DNSSEC validation directly into the application, such as the web browser, so that all DNS queries can be properly validated. The author ends on this note:

It is also important, given that web pages are typically composed of a number of discrete elements, that validation be performed for all lookups initiated by the browser and not just for the name typed in the address bar. Many browser plugins for DNSSEC support will validate only the latter; while that capability is certainly useful, the real benefit of local validation is realized only when the browser (or the OS) completely integrates DNSSEC validation capability into its internal resolver library and enables validation for all queries.

The good news is that browser vendors (and their user communities) have been showing increased interest in seeing DNSSEC capability extended to the end-applications. Proof-of-concept implementations of browsers with DNSSEC validation support (e.g., the DNSSEC-Tools Firefox patch) have been available for a while, and with DNSSEC validation capability being continuously extended to new platforms and devices, there is hope that DNSSEC capability in browsers will eventually become more commonplace.

We certainly share the hope that DNSSEC capability in browsers and other applications will become more commonplace. A goal of this entire Deploy360 Programme is to help bring that widespread availability about.

Application developers… have you checked out the developer libraries available now to help add DNSSEC support to your applications?   Have you looked at what is available in the DNSSEC Tools project?

What else can we do to help you build DNSSEC into your applications?

P.S. In my case, I did see the correct image on the DNSSEC Deployment Initiative web pages, but that is because I’m running a local DNSSEC-validating DNS resolver on my MacBook Pro laptop.  I’m using the excellent DNSSEC-Trigger tool from NLnet Labs – it’s available for Mac OS X, Windows or Linux.

DNSSEC HOWTO, a tutorial in disguise

Looking for a comprehensive guide to what DNSSEC is all about?  If so, Olaf Kolkman and the team at NLnet Labs have created and maintained for many years now the extremely detailed “DNSSEC HOWTO, a tutorial in disguise.” You can find it at:

http://www.nlnetlabs.nl/publications/dnssec_howto/

It is available as both a web page and as a PDF for download.

The document was last updated in July 2009, which unfortunately means that it pre-dates the signing of the root zone in July 2010 and therefore does not truly represent the current state of affairs with regard to DNSSEC.  However, the document is still an excellent resource for anyone looking to learn more about DNSSEC in general.

The HOWTO is a long document that covers a great range of material related to DNSSEC.  As Olaf Kolkman writes in the beginning, the document includes:

Part I, intends to provide some background for those who want to deploy DNSSEC.

Part II, about the aspects of DNSSEC that deal with data security.

Part III, describes a few tools that may turn out handy while figuring out what might have gone wrong.

We understand that the NLnet Labs team would like to update the document and would welcome any contributions of time to help bring the document up-to-date. If you are interested, we suggest you contact NLnet Labs at labs@nlnetlabs.nl.

DNSSEC-Tools Project

The goal of the DNSSEC-Tools Project is “to create a set of software tools, patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC related technologies.” The project website is at:

http://www.dnssec-tools.org/

There you will find information about the available tools, tutorials, installation information and of course the actual DNSSEC tools available for download in a number of different formats for different operating systems.

The available DNSSEC tools can be broken down into the following categories:

  • Zone Administration Tools
  • Authoritative Domain Name Server Tools
  • Recursive Domain Name Server Tools
  • Application/Script Writers
  • End Users (patches to add DNSSEC support to applications like Firefox, sendmail, jabberd, etc.)
  • DNS Error Checking Tools
  • DNSSEC Management Tools

The DNSSEC-Tools Project is open to public participation and operates a wiki full of documentation, a number of public mailing lists, a public bug tracker, and a Subversion/SVN repository.

DNSSEC-Tools 1.12.1 Released – New DNSSEC apps, updated tools, Android support, more…

The DNSSEC-Tools Project today announced the release of DNSSEC-Tools version 1.12.1 with a range of new DNSSEC applications, updates to a number of tools and porting of the DNSSEC validator library to the Android platform.

The new release can be downloaded in various forms from:

https://www.dnssec-tools.org/download/

The release announcement mentions these new features and capabilities:

  • A new and improved DNSSEC-check utility with a completely re-written GUI and support for a number of platforms including Android and Harmattan (N9) devices.
  • dnssec-nodes now parses unbound log files
  • dnssec-system-tray now parses unbound log files
  • rollerd
    • Added support for phase-specific commands in rollerd. This allows the zone operator to customize processing of the rollerd utility during different rollerd phases.
    • Added support for zone groups in rollerd. This allows a collection of zones to be controlled as a group, rather than each of those zones individually.
    • Improved the manner in which rollerd indexes the zones being managed, with significantly decreased access times for rollerd’s data files. This results in rollerd being able to support a lot more zones with a single rollerd instance.
    • rollctl and the rollover GUI programs may have new commands to allow for immediate termination of rollerd.
  • New DNSSEC-capable applications
    • Added a patch to enable DNSSEC validation in Qt based applications
    • Added patch to enable local validation in NTP, with the ability to handle a specific chicken and egg problem related to the interdependency between DNSSEC and an accurate system clock.
  • Validator library:
    • The library has been ported to the Android OS
    • Added support for hard-coding validator configuration information that gets used in the absence of other configuration data. This feature allows the validator library to be self-contained in environments where setting up configuration data at specific locations in the file system is not always feasible.

It’s very cool to see these new features added and we look forward to seeing what developers build with these new capabilities!

P.S. The DNSSEC-Tools project also seems to have a brand new Twitter account, @DNSSECTools, that could use some followers! ;-)