Implementing DNSSEC

Foreplay

DNS is on of the most basic and needed database structures on the planet. Its’ hierarchical, and goes from top to bottom.
If you have no clue on how DNS works, you should check out this fine tutorial over at webhostinggeeks.com. Once you did that, come back here and we talk security. But seriously, read that. Now.

The issue

Like I said (and you read, if you haven’t: shame on you!) DNS is hierarchical, top-to-bottom approach. And spoofing or tampering can happen in any level, even at the bottom (dns server hijacking).

Enter DNS-SEC.

(more…)

DNSSEC

DNSSECShort: We now have a fully working DNSSEC infrastructure, complete with DANE!

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

– Wikipedia entry for DNSSEC.

Implementing DNSSEC itself is fairly easy, there are a lot of good howtos out there. The trick is to make it work with puppet and several dns servers at once. I don’t want any hassle with the DNSSEC part at any time. If I change a dns zone in my puppet manifest, the change has to be made public on the dns servers, which in turn have to handle the signing by themselves. But if you manage the zones with puppet the signed zonefiles will get wiped. So that was the tricky bit.

Plus I host several other domains whose admins want to enjoy DNSSEC without any hassle. With my current implementation of puppet and dns — it works! \o/

DANE enables the administrator of a domain name to certify the keys used in that domain’s TLS servers by storing them in the Domain Name System (DNS). DANE needs DNS records to be signed with DNSSEC.

– Wikipedia on DANE.

DANE was rather easy once DNSSEC was online. As the zones are trusted (by verifying the signatures) the TLSA records are trusted, too. It’s a shame that most browsers do not yet support DANE. Youcan add TLSA/DANE suport by installing and addon.

 

See for yourself:

(more…)