The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
– Wikipedia entry for DNSSEC.
Implementing DNSSEC itself is fairly easy, there are a lot of good howtos out there. The trick is to make it work with puppet and several dns servers at once. I don’t want any hassle with the DNSSEC part at any time. If I change a dns zone in my puppet manifest, the change has to be made public on the dns servers, which in turn have to handle the signing by themselves. But if you manage the zones with puppet the signed zonefiles will get wiped. So that was the tricky bit.
Plus I host several other domains whose admins want to enjoy DNSSEC without any hassle. With my current implementation of puppet and dns — it works! \o/
DANE enables the administrator of a domain name to certify the keys used in that domain’s TLS servers by storing them in the Domain Name System (DNS). DANE needs DNS records to be signed with DNSSEC.
– Wikipedia on DANE.
DANE was rather easy once DNSSEC was online. As the zones are trusted (by verifying the signatures) the TLSA records are trusted, too. It’s a shame that most browsers do not yet support DANE. Youcan add TLSA/DANE suport by installing and addon.
See for yourself:
Or try it on the console:
$ dig alpha-labs.net +dnssec ; <<>> DiG 9.8.1-P1 <<>> alpha-labs.net +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5529 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;alpha-labs.net. IN A ;; ANSWER SECTION: alpha-labs.net. 2909 IN A 18.104.22.168 alpha-labs.net. 2909 IN RRSIG A 7 2 3600 20140919124512 20140820120232 32345 alpha-labs.net. iAWkmB4LPSG7RvPS [...] PStXE7uXA= ;; Query time: 29 msec ;; SERVER: 22.214.171.124#53(126.96.36.199) ;; WHEN: Wed Aug 20 17:06:46 2014 ;; MSG SIZE rcvd: 617dd
The important bit is the “ad” in the flags section, meaning that your dns resolver was able to verify the answer from my dns server.