DNSSEC in Simple DNS Plus v. 5.2

Sunday, 25 January 2009

The upcoming Simple DNS Plus v. 5.2 supports hosting DNSSEC signed zones and has built-in functions for managing DNSSEC keys and for signing zones - all in a user friendly GUI of course.

What is DNSSEC?

Similar to digital signatures for e-mails, DNSSEC authenticates that a set of DNS records originate from an authorized sender (DNS server) using private/public key cryptography.
The main purpose of this is to protect DNS against falsified information (a.k.a. DNS spoofing).
DNSSEC does NOT encrypt or hide anything - all data is still in "clear text". Its only purpose is verification of data authenticity.
Learn more at http://www.dnssec.net/

Why now?

DNSSEC has been under way for more than a decade, and has been the subject of many changes and much controversy over the years. We have resisted implementing it in Simple DNS Plus until now for a number of reasons, but decided that it is finally time because:
1) Increased user demand - no doubt due to the Kaminsky bug with media coverage pointing mainly to DNSSEC as the long term solution.
2) DNSSEC protocol standards are finally in place and appear stable (RFC4033/4/5 and 5155).
3) The U.S. government recently mandated that all federal agencies must implement DNSSEC by the end of 2009 (OMB Memo 08-23).
4) Several countries have DNSSEC-signed their TLDs, including Brazil (.br), Bulgaria (.bg), the Czech Republic (.cz), Puerto Rico (.pr) and Sweden (.se). See the World DNSSEC deployment map.
5) Efforts to "sign the root" seem to be gaining some momentum.
6) Microsoft has announced that "Windows 7" will support DNSSEC, meaning that DNSSEC will be broadly available on client systems in a not so distant future.

Can DNSSEC be used today?

A significant obstacle for DNSSEC is that the Internet DNS root is not signed yet. This is stuck in international politics (has been for years), because this is ultimately about who gets to hold the "master key" to the entire Internet.
Until this happens, clients need to maintain a list of "trust anchors" for domains they want to verify.
But yes, DNSSEC can be used today within organizations (local "trust anchors") and for domains under the signed country TLDs mentioned above.
Practical uses are however still few because of limited client software support. Of course "Windows 7" may change this.

Who issues DNSSEC "certificates"?

You do!
While based on the same cryptography standards as SSL and e-mail signatures (RSA / DSA / SHA1), there are no 3rd party certification authorities involved with DNSSEC.
A new function in Simple DNS Plus v. 5.2 lets you create your own private/public key sets and sign your zones with these.
In order to establish a "link of trust" so that other Internet users can verify your keys and signatures, you create a delegation signature record (DS) which needs to be included and "counter signed" in the parent zone. For example if your domain name is "example.se", this DS-record needs to be added to the ".se" zone. The exact procedure for "uploading" this DS-record depends on your parent zone / TLD operator, and/or your domain name registrar.
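The DS record step described above, as an added example that is not part of the original post or of Simple DNS Plus: it derives the DS for a DNSKEY the way RFC 4034 specifies (key tag per Appendix B, digest over the owner name in canonical wire format followed by the DNSKEY RDATA) and then checks it the way a validating resolver does at the delegation. The owner name "example.se" is the page's; the public-key bytes are a constructed stand-in, not a real key.

```python
import hashlib

# Constructed sample: a KSK (flags 257) for the page's "example.se", algorithm 8 (RSA/SHA-256).
# The key bytes are made up; DS generation only hashes the RDATA, so any bytes exercise the same path.
SAMPLE_OWNER = "Example.SE."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG = 257, 3, 8
SAMPLE_PUBKEY = bytes.fromhex("03010001abcd")

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the form used for all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """Build the DS the parent zone needs: digest over owner-name-wire || DNSKEY RDATA (RFC 4034 5.1.4)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]   # 1 = SHA-1, 2 = SHA-256
    digest = hasher(owner_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def ds_matches(owner: str, rdata: bytes, ds: dict) -> bool:
    """What a validator does at the delegation: recompute the DS from the child's DNSKEY and compare."""
    return make_ds(owner, rdata, ds["digest_type"]) == ds

def format_ds(owner: str, ds: dict) -> str:
    """Presentation format of the DS record, ready to hand to the parent zone / registrar."""
    return (f"{owner.lower().rstrip('.')}. IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")

if __name__ == "__main__":
    rdata = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG, SAMPLE_PUBKEY)
    ds = make_ds(SAMPLE_OWNER, rdata)
    print(format_ds(SAMPLE_OWNER, ds))
    print("DNSKEY matches DS:", ds_matches(SAMPLE_OWNER, rdata, ds))
```

A DNSKEY that has been altered in transit (or a rolled key whose DS was never re-uploaded) fails `ds_matches`, which is exactly the broken "link of trust" a validating resolver reports.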

What will DNSSEC look like in my DNS zones?

DNSSEC signing a zone adds the following records to the zone (may increase zone size by 4-5 times):
- DNSKEY-records: public keys.
- RRSIG-records: record set signatures.
- NSEC/NSEC3/NSEC3PARAM-records: denial-of-existence "fillers" for non-existing record names/types.
- DS-records: delegation signatures for secure sub-delegations.

Availability

The new DNSSEC functionality is part of the upcoming Simple DNS Plus v. 5.2.
For more information about Simple DNS Plus v. 5.2 and to download the current beta version, click here.

See also

- How to DNSSEC sign a zone with Simple DNS Plus
- Managing DNSSEC keys with Simple DNS Plus
- Check DNSSEC Signatures tool
