Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - DNSSEC Tips InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!


Published: 2011-06-28
Last Updated: 2011-06-28 16:05:31 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

We have covered DNSSEC before. But over the last few month, DNSSEC deployments have increased and yesterday's DNS poisoning diary by Manuel shows that attacks against unsecured zones certainly happen.

I wanted to put together a couple of tips to avoid common errors:

  • Patch your DNS server. Make sure you are running a recent version that supports current encryption algorithms. In particular, look for NSEC3 support.
  • Review your overall DNS configuration. Clean it up first before implementing DNSSEC.
  • Does your registrar have a facility to upload DS records?
  • If you are using DNSSEC on a resolver, make sure the root zone's key is kept up to date. Recent versions of BIND support RFC 5011 and can manage key updates for you.
  • Remember to regularly re-sign the zones. Signatures are typically valid for a month.
  • make sure your DNS server supports EDNS0 (should not be a problem)
  • make sure your firewall isn't blocking UDP DNS replies that are larger then 512 Bytes
  • pick an algorithm that supports NSEC3 (RSASHA1-NSEC3-SHA1, which is #7, is my preferred one as it appears to be well supported compared to other NSEC3 algorithms)
  • Test
  • Test
  • Test
  • only deposit DS records with your parent zone after you completed the prior three steps

Anything I forgot? Please add a comment...

Couple URLs to use as a reference: - Really nice visualization tool. - thorough test of DNSSEC settings - links to standards and tools - Firefox extension to validate DNSSEC - DNSSEC Algorithm Numbers - secure BIND template. Apply this first. - Securing Microsoft DNS

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: bind dns dnssec
1 comment(s)
Diary Archives