[sf-lug] Got DNSSEC? :-) (sf-lug.org also now does)
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Tue Nov 1 06:02:35 PDT 2016
And likewise, now sf-lug.org. also has DNSSEC.
Did also a bit earlier notice one missing AAAA glue record,
and passed that information along for correction.
> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
> Subject: Got DNSSEC? :-) (sf-lug.com now does, will add to
> sf-lug.org in future)
> Date: Fri, 28 Oct 2016 00:38:08 -0700
> Got DNSSEC? :-) (sf-lug.com now does, will add to sf-lug.org in future)
>
> So ... been pokin' at DNSSEC a bit.
>
> Anyway, sf-lug.com. now has DNSSEC enabled for the domain.
> Yes, that's the non-canonical ... sf-lug.org. is canonical.
> I wanted to start with the lower risk(/impact) domain.
>
> Some bits of related information / references:
> http://dnssec-debugger.verisignlabs.com/sf-lug.com
> http://dnsviz.net/d/sf-lug.com/dnssec/
> https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
> https://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html
> TeamNANOG DNSSEC Tutorial: https://www.youtube.com/watch?v=9ksfOUyvNi8
> file:/usr/share/doc/bind9-doc/arm/Bv9ARM.html
>
> If you're doing it using BIND, newer versions make it a fair bit easier.
> It gets pretty easy with >= 9.9
> If you're still using nslookup, it's probably past time to break that
> habit, and only use nslookup as a last resort fall-back, as nslookup
> knows absolutely nothing about DNSSEC.
> So, ... use dig, ... right, ... right?
> Uhm, except ... as of BIND 9.10, dig is being effectively
> replaced by ... yet another tool ... delv. Which works quite similarly
> to dig, but better. And, really best to have delv handy to
> test/troubleshoot DNSSEC - it's also especially good at (pre-)testing
> DNSSEC - make sure it's all good before going "live" with it.
> And ... BIND 9.11 promises to be yet easier to manage DNSSEC.
>
> Screwing up DNSSEC implementation could be quite bad - in "worst case"
> one totally knocks the domain (and any subdomains thereof) out of DNS -
> at least for any resolvers that are DNSSEC aware. More and more
> resolvers are becoming DNSSEC aware, and increasingly configured to use
> DNSSEC. And that's not the only place DNSSEC is showing up - e.g. some
> browsers are adding built-in DNSSEC checks, for additional security, or
> have it available via a plug-in.
>
> Anyway, DNS - critical infrastructure. Likewise DNSSEC - certainly
> don't want to break it. But, with reasonable care and attention, works
> quite darn well. And yes, "of course", practice first on non-production
> recommended.
>
> And ... what does DNSSEC *do*? Mostly it makes it much much harder (if
> not "impossible") for DNS to be spoofed, and such. Notably with DNSSEC
> signed domain, and DNSSEC enabled resolver, one won't get forged data or
> incorrect DNS data due to cache poisoning, etc. Without DNSSEC, such
> attacks are relatively easy and doable (though some other mitigating
> measures have also been deployed over the years, that at least partly
> address some of those issues).
>
> And, ... what's DNS, ... uhm, yeah, that:
> https://en.wikipedia.org/wiki/Domain_Name_System
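One concrete pre-flight check behind the "make sure it's all good before going live" advice above: the way a signed domain gets knocked out of DNS for validating resolvers is a DS record at the parent (.com / .org) that no longer matches any DNSKEY the child actually serves. The script below is an added example, not code from the post or from BIND; it recomputes the DS (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4) from the child's DNSKEY records and compares it to what the parent publishes. The DNSKEY and DS lines in it are constructed for illustration (the keys are not real sf-lug.com keys and are far too short to be real RSA keys); in practice you would paste in the output of `dig +norecurse DS sf-lug.com @<parent-nameserver>` and `dig DNSKEY sf-lug.com @<your-nameserver>`.

```python
"""Does the DS set the parent publishes match the DNSKEY set the child serves?

Added example (not from the original post).  All record text below is
constructed for illustration, not copied from any live zone.
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey(line: str) -> dict:
    """Parse one DNSKEY RR in presentation format, as dig prints it.
    Layout: owner [ttl] [class] DNSKEY flags protocol algorithm base64-key..."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1: idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))  # key may be split over several tokens
    return {"owner": fields[0], "flags": flags, "protocol": proto, "algorithm": alg, "key": key}


def parse_ds(line: str) -> tuple:
    """Parse one DS RR: owner [ttl] [class] DS keytag algorithm digesttype hexdigest..."""
    fields = line.split()
    idx = fields.index("DS")
    tag, alg, dt = (int(x) for x in fields[idx + 1: idx + 4])
    return (tag, alg, dt, "".join(fields[idx + 4:]).upper())


def dnskey_rdata(rec: dict) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]


def key_tag(rec: dict) -> int:
    """Key tag, RFC 4034 Appendix B (the variant for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(rec)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


HASHERS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(rec: dict, digest_type: int = 2) -> tuple:
    """DS that the parent should publish for this DNSKEY, RFC 4034 s5.1.4:
    digest = H(canonical owner name wire form | DNSKEY RDATA)."""
    digest = HASHERS[digest_type](name_to_wire(rec["owner"]) + dnskey_rdata(rec)).hexdigest().upper()
    return (key_tag(rec), rec["algorithm"], digest_type, digest)


def check_delegation(ds_lines, dnskey_lines):
    """For each parent DS, say which failure mode (if any) it exhibits."""
    keys = [parse_dnskey(ln) for ln in dnskey_lines]
    report = []
    for ln in ds_lines:
        ds = parse_ds(ln)
        tag, alg, dt, _digest = ds
        candidates = [k for k in keys if key_tag(k) == tag and k["algorithm"] == alg]
        if dt not in HASHERS:
            status = "UNSUPPORTED DIGEST TYPE"
        elif any(ds_from_dnskey(k, dt) == ds for k in candidates):
            status = "OK"
        elif candidates:
            status = "DIGEST MISMATCH"      # right tag, wrong bytes: mistyped or mis-pasted DS
        else:
            status = "NO SUCH KEY"          # typical stale DS left behind after a KSK roll
        report.append((tag, status))
    return report


def delegation_is_valid(ds_lines, dnskey_lines) -> bool:
    """A validator needs at least ONE parent DS that matches a served DNSKEY."""
    return any(status == "OK" for _tag, status in check_delegation(ds_lines, dnskey_lines))


# Constructed child DNSKEY RRset (4-byte "keys" purely to keep the example readable).
CHILD_DNSKEYS = [
    "sf-lug.com. 3600 IN DNSKEY 257 3 8 AQIDBA==",   # KSK, key tag 2063
    "sf-lug.com. 3600 IN DNSKEY 256 3 8 BQYHCA==",   # ZSK, key tag 4118
]


def _ds_line_for(rec_line: str) -> str:
    tag, alg, dt, digest = ds_from_dnskey(parse_dnskey(rec_line))
    return f"sf-lug.com. 86400 IN DS {tag} {alg} {dt} {digest}"


# Constructed "parent" DS RRset: one correct DS (derived here so the example runs
# offline), one hand-copied DS with the right tag but garbage digest, and one DS
# for a key that is no longer published at all.
PARENT_DS = [
    _ds_line_for(CHILD_DNSKEYS[0]),
    "sf-lug.com. 86400 IN DS 2063 8 2 " + "00" * 32,
    "sf-lug.com. 86400 IN DS 40123 8 2 " + "11" * 32,
]

if __name__ == "__main__":
    for tag, status in check_delegation(PARENT_DS, CHILD_DNSKEYS):
        print(f"DS {tag}: {status}")
    print("delegation validates:", delegation_is_valid(PARENT_DS, CHILD_DNSKEYS))
```

Run it against real output before you submit a DS to the registrar, and again after any KSK roll; the report lines are the two ways a delegation goes dark (a DS whose key tag exists but whose digest is wrong, and a DS for a key that has been removed). It complements rather than replaces the chain-of-trust view that delv and DNSViz give you, since it says nothing about whether the DNSKEY RRset is actually signed by that KSK or whether the signatures are still within their validity window.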