Now that my web server is up and running and my websites are stable. Time to look at locking down the server.
Why should I enable and configure DNSSEC
One of the lower risk vulnerabilities is DNS spoofing. I classify it as a low risk because we don’t collect any user information. If I was running a banking business, where a man in the middle attack would expose financial accounts, I would give it a higher risk vulnerability.
Nonetheless, I will enable it as it would be annoying and could cause trouble calls that would take time to troubleshoot.
Caution before you proceed
Problems on initial install
I have heard of many more DNS administrators shooting themselves in the foot then were saved by enabling it. Your DNS Registrar needs to support it and do it well and be responsive. You also need to understand the process of creating keys on your DNS server. You will then use these keys at your registrars DNS Console to enable. If you mess it up, your DNS lookups to your sites will fail.
Problems down the road
The other area of troubles you can have with DNSSEC if down the road. I don’t change DNS servers that frequently. Whenever you decide the relocate your DNS server to a different host and IP address, you need to update your DNSSEC configuration. But, let’s say it’s been 5 years since you last did this and you forget to disable DNSSEC before you start. Or someone else is doing it, and they don’t realize it is enabled. To the DNS world, your new DNS server is rouge and won’t be used, as the keys don’t match. While it typically doesn’t take long, it could take up to 72 hours for DNS changes to propagate through the network. So plan ahead and document your work.
First Steps – research
Before you begin you need the following
- You need to know what DNS server software you are using; i.e. bind, PowerDNS. To troubleshoot, you need to confirm that logging is enabled and where the log files are. Don’t assume that logging is enabled. Before you get started, check the logs and clear up any error messages.
- You need to edit the DNS tables. Will you be manually revising the files or using a zone editor or DNS manager. I suggest you use a zone manager to edit the files. Every Zone editor will have instructions on how to create keys and configure DNSSEC. Find them and read them.
- The other half of DNSSEC is with your registrar. You will need to supply the key you generate on your DNS manager, to your register. Every registrar will have procedures on how to do it. You need to find them and read them. They may have requirements that could effect how you configure your DNS and how you generate your keys.
Using PowerDNS
I choose to use PowerDNS (pdns) over Bind. Mainly due to memory considerations. In addition, I don’t have that many advanced DNS needs.
See my PowerDNS Post for more information
Troubleshooting DNSSEC
One of the best troubleshooting tools is a DNSSEC Analyzer provided by Verisign LABS. It also has some advanced options on this page for verifying a DS record.
For a listing of Secured domains on your DNS Server use the following command:
pdnsutil list-secure-zones
Enabling DNSSEC on a domain
It is a two step process. The first step is to generate keys and update the DNS configuration. For this I am using cPanel. For details instructions visit cPanel’s Domain Documentation for the Zone Editor. Summary notes below:
- On your host, use the cPanel Zone Editor, select a domain, enable DNSSec and create a key. If you use Godaddy make these customizations to the key creation:
- Use the Simple Key (CSK), instead of the KSK and ZSK
- Select Algorithm 13
- Configure a DS record with your domain registrar
- For Godaddy DS records, the Algorithm and Key Data Algorithm fields are the same
- Verify the configuration with the Verisign DNSSEC Analyzer
I won’t put much detail here on the three steps as it would just be a matter of cutting and pasting from the cPanel link above.