DNSSEC

DNSSECShort: We now have a fully working DNSSEC infrastructure, complete with DANE!

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

– Wikipedia entry for DNSSEC.

Implementing DNSSEC itself is fairly easy, there are a lot of good howtos out there. The trick is to make it work with puppet and several dns servers at once. I don’t want any hassle with the DNSSEC part at any time. If I change a dns zone in my puppet manifest, the change has to be made public on the dns servers, which in turn have to handle the signing by themselves. But if you manage the zones with puppet the signed zonefiles will get wiped. So that was the tricky bit.

Plus I host several other domains whose admins want to enjoy DNSSEC without any hassle. With my current implementation of puppet and dns — it works! \o/

DANE enables the administrator of a domain name to certify the keys used in that domain’s TLS servers by storing them in the Domain Name System (DNS). DANE needs DNS records to be signed with DNSSEC.

– Wikipedia on DANE.

DANE was rather easy once DNSSEC was online. As the zones are trusted (by verifying the signatures) the TLSA records are trusted, too. It’s a shame that most browsers do not yet support DANE. Youcan add TLSA/DANE suport by installing and addon.

 

See for yourself:

Or try it on the console:

$ dig alpha-labs.net +dnssec

; <<>> DiG 9.8.1-P1 <<>> alpha-labs.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5529
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;alpha-labs.net. IN A

;; ANSWER SECTION:
alpha-labs.net. 2909 IN A 46.229.47.146
alpha-labs.net. 2909 IN RRSIG A 7 2 3600 20140919124512 20140820120232 32345 alpha-labs.net. iAWkmB4LPSG7RvPS [...] PStXE7uXA=

;; Query time: 29 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Wed Aug 20 17:06:46 2014
;; MSG SIZE rcvd: 617dd

The important bit is the “ad” in the flags section, meaning that your dns resolver was able to verify the answer from my dns server.

Christian

Touched base with Linux back in 1995, got hooked up on it ever since. I am using Linux for both private and office for two decades. Working as a System Administrator at a medium sized hosting company I get in touch with all kinds of trouble. All of which can be solved with Linux. In my blog I am sharing solutions to problems that I had to search for myself in hope that someone else out there might find them useful.