Origin authentication of DNS data

Recently discovered vulnerabilities in the original DNS specifications from the early 1980s have significantly reduced the time it takes an attacker to hijack the DNS lookup process and thereby take over control of a session, for example to direct users to the attacker's own deceptive websites for account and password collection. The only long-term solution to this vulnerability is the end-to-end deployment of a security protocol called DNS Security Extensions, or DNSSEC.

Conexim DNS fully supports DNSSEC for providing origin authentication of DNS data. The purpose of DNSSEC is to provide certainty that DNS responses are from the intended source.

In order to use DNSSEC, it’s imperative that the following are in place:

  1. The registry operating the TLD (Top Level Domain) is DNSSEC signed and supports DS (Delegation Signer) records. An up-to-date list is available from http://stats.research.icann.org/dns/tld_report/. The Australian .au namespace currently DOES NOT support DNSSEC; however, a large number of TLDs, including .net, .com and .nz, do.
  2. The registry supports configuring DS (Delegation Signer) records. In some cases, it’s necessary to submit requests to your registrar manually to apply DS records.
  3. The DNS Zone has DNSSEC enabled and the generated DS records match those configured at the registry.

While DNSSEC offers a multitude of options for DNSSEC key management, Conexim DNS makes DNSSEC straightforward to enable and maintain while still allowing advanced users to manage keys to their preferences.

Enabling DNSSEC for a DNS Zone

After confirming that the domain name can be DNSSEC enabled, simply enable DNSSEC for the zone within Conexim DNS. Two modes of operation are available:

  • NSEC3: Recommended. Avoids zone enumeration by returning next valid NS records on an unsuccessful DNS query.
  • NSEC: Offered for backward compatibility only. This method is part of the original DNSSEC specification and, while useful for authenticating originating DNS data, it is vulnerable to exposing more information than is necessary about a zone.



Once DNSSEC has been enabled, two types of keys are generated:

KSK (Key Signing Key): Used longer term, these keys are used for signing ZSKs. Current best practice is that these keys are rotated yearly.

ZSK (Zone Signing Key): Used shorter term, these keys are used for signing DNS zone data and should be rolled over much more frequently.

For both DNSSEC KSK and ZSK, Conexim DNS supports the following algorithms with 1024-bit or 2048-bit keys:

  • RSA/SHA1
  • RSA/SHA256 (default)
  • RSA/SHA512

DS (Delegation Signer) Records

Delegation signer records are records signed by the KSK and are stored with the parent zone (e.g. .com) by the registry. If you wish to use a new ZSK, it’s important that you generate new DS records and assign these to the zone with the registrar.
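
The requirement that the generated DS records match those configured at the registry can be checked offline. The following is an added example, not Conexim's code: it derives a DS record from a zone's DNSKEY using the RFC 4034 digest and key tag calculations and compares it with the DS held at the registry. The function names and the sample key are constructed for illustration.

```python
import base64, hashlib, struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def compute_ds(owner, dnskey, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), dnskey[2], digest_type, digest

def check_ds(owner, dnskey, registry_ds):
    """Compare a DS in presentation form ('tag alg type digest') with the zone's key."""
    tag, alg, dtype, digest = registry_ds.split(None, 3)
    if int(dtype) not in DIGESTS:
        return [f"unsupported digest type {dtype}"]
    want = compute_ds(owner, dnskey, int(dtype))
    got = (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())
    fields = ("key tag", "algorithm", "digest type", "digest")
    return [f"{name}: registry has {g}, zone key gives {w}"
            for name, g, w in zip(fields, got, want) if g != w]

# Constructed sample, not a real key: KSK flags 257, protocol 3, algorithm 8
# (RSA/SHA256), exponent 65537 and a dummy 1024-bit modulus.
SAMPLE_KEY = (257, 3, 8, base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(1, 129))).decode())

if __name__ == "__main__":
    tag, alg, dtype, digest = compute_ds("example.com.", SAMPLE_KEY)
    published = f"{tag} {alg} {dtype} {digest}"
    print("DS derived from the zone key:", published)
    print("match:", check_ds("Example.COM", SAMPLE_KEY, published) or "OK")
    stale = published.replace(str(tag), str(tag + 1), 1)  # simulate an outdated DS
    print("stale:", check_ds("example.com.", SAMPLE_KEY, stale))
```

An empty list from `check_ds` means the DS at the registry matches the key in the zone; any entry names the field that differs.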

DS Records

Verifying DNSSEC Records

In order to ensure your DNSSEC records have been configured correctly, it’s recommended that you use a tool to validate that the zones are set up correctly. Two such tools include: