Category: NLnet Labs

NLnet Labs Releases Helpful DNSSEC Infrastructure Audit Framework

How secure is your DNSSEC infrastructure? If you operate a registry for a top-level domain (TLD) or if you are a DNS operator providing DNSSEC signing services, how secure are your operations? And how secure are your mechanisms for communicating DNSSEC information with registrars and other entities? Or, if you are a security auditor or researcher, how can you best assess the security of your client’s DNSSEC infrastructure?

To help assess DNSSEC infrastructure and answer questions like these, the great folks at NLnet Labs recently released a “DNSSEC Infrastructure Audit Framework” available publicly for anyone to use.  You can download the document and use it as a checklist to audit your own infrastructure or that of someone else.

As noted in the introduction, this document is not intended to be any kind of formal standard or assessment, but rather a guide and checklist to help people looking to understand how secure their DNSSEC infrastructure is:

A DNSSEC audit is the process of structural examination of a DNSSEC infrastructure. The purpose of this process is to evaluate the level of assurance of the system. This is achieved by reviewing the implementation and operation of the system controls and whether they are in compliance with the corresponding policy requirements or, in absence of formal policies, with best current industry practices.

A key document for performing an audit is a review checklist. The review checklist provides structure for the actual work and gives confidence that the audit scope is adequately covered. This document is a generic checklist for a DNSSEC review and provides a framework that assists auditors to perform an actual DNSSEC audit. However, the actions herein do not conform to any formal audit standards and are merely intended to provide directions on what an audit might look like.

This document is neither a standard nor a best practice and is not suitable for any form of formal certification. Its intention is to offer a basis for a structured review of a DNSSEC environment.

The authors welcome feedback on this document so that it can mature. The licensing terms of the document are such that any entity may modify and publish the document on their own terms as long as NLnet Labs is acknowledged. Incorporation in other documents, including standards, is encouraged.

This is a great contribution to the larger work of DNSSEC deployment, and we thank Matthijs Mekking and Olaf Kolkman for both writing this document and making it public under a lenient license.

We hope many of you will find it helpful and do encourage you to provide feedback to Matthijs and Olaf. Using documents like this we can make the Internet more secure!


Need A Weekend Project? Install The New DNSSEC-Trigger 0.10 Release

Looking for a quick weekend project to learn more about DNSSEC? Want to set up your home network to correctly validate DNSSEC info?

If so, the NLnet Labs team just announced the 0.10 release of DNSSEC-Trigger, a tool that sets up Unbound as a local DNSSEC-validating resolver on your Linux, Windows or Mac OS X system and reconfigures it as you move between networks, probing whether each network's DNS servers pass DNSSEC data through.

Per the change log on the project page, version 0.10 includes the following changes:

  • truncate pidfile (just like NSD fix, in case directory not owned).
  • If hotspot-signon, set override servers right away on a network change, so the user does not have to wait for 10 seconds after a change of the wifi.
  • Attempt to add DHCPv6 support for windows.
  • Use Processes.dll code (can be freely used, source provided) for kill process in windows NSIS installer. Compiled to 6kb (not 50kb). Processes.dll was made by Andrei Ciubotaru.
  • show version number in add-removeprograms configpanel (windows).
  • install script removes leftover trayicons using direct windows API.
  • dnssec-trigger-control uses registry config location (for windows).
  • fix dnssec-trigger-control error printout if SSL files fail.
  • show package version in probe results dialog.
  • updated acx.nlnetlabs.m4 for gcc 4.6 compat for portability tests.
  • Do not show the insecure and hotspot windows at the same time.
  • Fix for OSX to show the popups on top of the other windows.
  • alert icon easier to read.

I just updated my local MacBook Pro and the installation went perfectly fine. (To “update” on Mac OS X, you simply download the latest version and run through the installation process again.)

How will you know if DNSSEC-Trigger is working? Well, one simple test is to try to go to either of the “bad” websites we mention on the DNSSEC Tools page in your web browser: www.dnssec-failed.org or www.rhybar.cz. Both are deliberately signed with broken DNSSEC. If DNSSEC-Trigger is working correctly, your web browser will tell you that it can’t find either of those sites: the local validating resolver that DNSSEC-Trigger configures rejects the bad signatures and answers SERVFAIL instead of an address, so the browser gets no DNS information for those domains. Two caveats: the browser error looks the same as any other lookup failure, so if you want to be sure it was a validation failure rather than a network problem, check a known-good site at the same time; and an ordinary site that simply isn’t signed will still load, since validation only rejects signatures that fail, not zones that have none.
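As an added example (not from the original post and not part of the DNSSEC-Trigger project), here is the same check from the command line with dig: a small POSIX shell script that classifies a resolver's answer as validated, insecure or bogus from the status and flags lines dig prints, which is the only reliable way to tell a validation failure apart from a name that simply doesn't resolve. The three dig headers embedded in it are constructed by hand for illustration; the `check_domain` function runs live queries when you pass domain names on the command line and assumes dig (from BIND) is installed.

```shell
#!/bin/sh
# Added example, not part of the original post or of DNSSEC-Trigger itself.
# Classify what a resolver did with a name from the header and flags lines
# that dig prints, so a browser's generic "can't find the site" error can be
# told apart from a DNSSEC validation failure.

# classify_dig_output DIG_OUTPUT
# Prints one of:
#   validated  status NOERROR and the AD (Authenticated Data) flag set
#   insecure   status NOERROR without AD: unsigned zone, or no validation done
#   bogus      status SERVFAIL: the validator rejected the data
#   other      anything else (NXDOMAIN, timeout, unparseable output)
classify_dig_output() {
    out=$1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo insecure ;;
            esac ;;
        *) echo other ;;
    esac
}

# check_domain NAME
# Live query against the system resolver (the one DNSSEC-Trigger configured).
# +dnssec asks for RRSIG records so the AD flag is meaningful; +cd (checking
# disabled) tells the resolver to skip validation, so a name that is "bogus"
# without +cd but "insecure" with +cd failed because of DNSSEC, not because
# the name does not exist. Assumes dig (from BIND) is installed.
check_domain() {
    with_validation=$(classify_dig_output "$(dig +dnssec "$1" A 2>&1)")
    without_validation=$(classify_dig_output "$(dig +dnssec +cd "$1" A 2>&1)")
    printf '%s: %s (validation skipped: %s)\n' "$1" "$with_validation" "$without_validation"
}

# Constructed sample dig headers (written by hand, not captured from a resolver).
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

printf 'bogus sample     -> %s\n' "$(classify_dig_output "$SAMPLE_BOGUS")"
printf 'validated sample -> %s\n' "$(classify_dig_output "$SAMPLE_VALIDATED")"
printf 'insecure sample  -> %s\n' "$(classify_dig_output "$SAMPLE_INSECURE")"

# With domain names on the command line, query them for real, e.g.
#   sh dnssec-check.sh www.dnssec-failed.org www.rhybar.cz
for domain in "$@"; do
    check_domain "$domain"
done
```

With DNSSEC-Trigger running, the two “bad” domains should come back as bogus without +cd and as insecure with +cd; a domain that shows up as insecure both ways is simply unsigned, and a known-good signed domain should show validated. If everything reports insecure, the resolver you are talking to is not validating at all.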

Anyway, the new 0.10 release of DNSSEC-Trigger is available now for download for Windows, Mac OS X or Linux. Download it now and get started using DNSSEC validation!