[sf-lug] Got DNSSEC? :-) (sf-lug.com now does, will add to sf-lug.org in future)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Fri Oct 28 00:38:08 PDT 2016


Got DNSSEC?  :-) (sf-lug.com now does, will add to sf-lug.org in future)

So ... been pokin' at DNSSEC a bit.

Anyway, sf-lug.com. now has DNSSEC enabled for the domain.
Yes, that's the non-canonical ... sf-lug.org. is canonical.
I wanted to start with the lower risk(/impact) domain.

Some bits of related information / references:
http://dnssec-debugger.verisignlabs.com/sf-lug.com
http://dnsviz.net/d/sf-lug.com/dnssec/
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
https://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html
TeamNANOG DNSSEC Tutorial: https://www.youtube.com/watch?v=9ksfOUyvNi8
file:/usr/share/doc/bind9-doc/arm/Bv9ARM.html

If you're doing it using BIND, newer versions make it a fair bit easier.
It gets pretty easy with >= 9.9
If you're still using nslookup, it's probably past time to break that
habit, and only use nslookup as a last resort fall-back, as nslookup
knows absolutely nothing about DNSSEC.
So, ... use dig, ... right, ... right?
Uhm, except ... as of BIND 9.10, dig is being effectively
replaced by ... yet another tool ... delv.  Which works quite similarly
to dig, but better.  And, really best to have delv handy to
test/troubleshoot DNSSEC - it's also especially good at (pre-)testing
DNSSEC - make sure it's all good before going "live" with it.
And ... BIND 9.11 promises to be yet easier to manage DNSSEC.

Screwing up DNSSEC implementation could be quite bad - in "worst case"
one totally knocks the domain (and any subdomains thereof) out of DNS -
at least for any resolvers that are DNSSEC aware.  More and more
resolvers are becoming DNSSEC aware, and increasingly configured to use
DNSSEC.  And that's not the only place DNSSEC is showing up - e.g. some
browsers are adding built-in DNSSEC checks, for additional security, or
have it available via a plug-in.

Anyway, DNS - critical infrastructure.  Likewise DNSSEC - certainly
don't want to break it.  But, with reasonable care and attention, works
quite darn well.  And yes, "of course", practice first on non-production
recommended.

And ... what does DNSSEC *do*?  Mostly it makes it much much harder (if
not "impossible") for DNS to be spoofed, and such.  Notably with DNSSEC
signed domain, and DNSSEC enabled resolver, one won't get forged data or
incorrect DNS data due to cache poisoning, etc.  Without DNSSEC, such
attacks are relatively easy and doable (though some other mitigating
measures have also been deployed over the years, that at least partly
address some of those issues).

And, ... what's DNS, ... uhm, yeah, that:
https://en.wikipedia.org/wiki/Domain_Name_System
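As an added example (not from the original post, nor from BIND's own tooling): a small POSIX shell helper that reads the text of a `dig +dnssec` reply and reports whether the answer was validated, signed but not validated, unsigned, or a SERVFAIL. The sample replies are constructed, with placeholder address, id and RRSIG fields, and the `check_live` wrapper is an assumption about how one would point it at a real resolver.

```shell
#!/bin/sh
# Added example, not from the original post: classify the DNSSEC state of a
# "dig +dnssec" reply read from stdin. Prints one word:
#   validated  AD flag set: the resolver validated the chain of trust
#   signed     RRSIGs present but no AD flag: signed zone, non-validating
#              resolver (or DS/trust anchor not yet in place)
#   unsigned   no RRSIGs in the reply
#   servfail   what a validating resolver returns for a broken signature
#              chain, i.e. the "domain knocked out of DNS" case in the post
dnssec_status() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    if [ "$status" = "SERVFAIL" ]; then
        echo servfail; return 0
    fi
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    has_ad=no
    for f in $flags; do
        if [ "$f" = "ad" ]; then has_ad=yes; fi
    done
    if [ "$has_ad" = yes ]; then
        echo validated
    elif printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]]*RRSIG[[:space:]]'; then
        echo signed
    else
        echo unsigned
    fi
}

# Live use (assumed wrapper; needs network, dig and a validating resolver):
check_live() { dig +dnssec "$1" A ${2:+"@$2"} | dnssec_status; }

# Constructed replies in dig's text format; address, id and RRSIG fields are
# placeholders, not real sf-lug.com data.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
sf-lug.com.   3600  IN  A     192.0.2.10
sf-lug.com.   3600  IN  RRSIG A 8 2 3600 20161120000000 20161021000000 4242 sf-lug.com. PLACEHOLDER='
SAMPLE_SIGNED_ONLY=$(printf '%s\n' "$SAMPLE_VALIDATED" | sed 's/ ra ad;/ ra;/')
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.net.  3600  IN  A     192.0.2.20'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
for s in "$SAMPLE_VALIDATED" "$SAMPLE_SIGNED_ONLY" "$SAMPLE_UNSIGNED" "$SAMPLE_SERVFAIL"; do
    printf '%s\n' "$s" | dnssec_status
done
```

The AD flag only says that the resolver you asked did the validation, so it is only as trustworthy as the path to that resolver; delv validates the chain itself, which is why the post prefers it for testing.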
