DNS Security Extensions (DNSSEC) lets a validating resolver verify the origin and integrity of DNS responses: authoritative servers publish digital signatures alongside the standard DNS data. DNSSEC authenticates DNS data; it does not encrypt it.
DNSSEC uses asymmetric (public-key) cryptography, and each DNSSEC-enabled zone normally has two key pairs. The Zone Signing Key (ZSK) signs the resource record sets within the zone. The Key Signing Key (KSK) signs the DNSKEY record set, which contains the ZSK. The ZSK is a short-term key and is rolled over frequently, while the KSK is a longer-term key; common practice is to roll it about once a year, because a KSK rollover also requires updating the DS record in the parent zone.
The Delegation Signer (DS) record contains a cryptographic hash (digest) of the KSK, not the key itself, and is published in the parent zone (for a registered domain it is submitted through the registrar). The parent zone signs the DS record with its own keys, which ties the child zone's keys to the parent and builds the chain of trust back to the root.
DNSSEC Configuration
To enable DNSSEC for a zone on the Ecessa appliance, log into the web interface and go to the Authoritative DNS page. Click the Configure link next to the name of the domain.
The DNSSEC setting is located at the top of the domain configuration page. Click the check box to enable DNSSEC and then click the Activate button.
After you click Activate, a text field displays the KSK generated for the zone. Keep a copy of it: the DS record for the parent zone is derived from this key.
DNSSEC is now enabled for the zone. Resolvers will not treat the zone as secure, however, until a DS record matching this KSK is published in the parent zone; until then the delegation is still unsigned.
When DNSSEC is enabled, additional resource records are added to the zone: DNSKEY records carrying the public keys, an RRSIG record alongside every record set, and NSEC or NSEC3 records for authenticated denial of existence. Querying the Ecessa appliance now returns this information. In the DNSKEY answer, flags 256 marks the ZSK (Zone Key bit only) and 257 marks the KSK (Zone Key plus Secure Entry Point bit); dig's "key id" is the RFC 4034 key tag, and the same tag appears in each RRSIG to identify the signing key. The second query uses +dnssec, which sets the DNSSEC OK ("do") bit in EDNS so the server includes RRSIG records; each RRSIG lists the type covered, the algorithm (7), the label count, the original TTL, the signature expiration and inception (here a 28-day window), the key tag (6494, the ZSK) and the signer name:
C:\>dig @172.31.10.105 +multi example.com dnskey
; <<>> DiG 9.9.1-P3 <<>> @172.31.10.105 +multi example.com dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6488
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN DNSKEY
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 7 (
AwEAAbGEB84LjkrTmQ+dKAEknkeoI4wxOh2HvLcNs8DA
hko9BC/RXvBIjuwSe8AfmnMsrLTXZmR6ZlO5V7QyJzu9
84a+STxUfLv2fbJyXHY+Rfuh/DiGIRsSYhR5wDXtVWU1
dkjFIacvEK2gMgEx2sN6HiVUnd616HBKCtirJKyg0679
) ; ZSK; alg = NSEC3RSASHA1; key id = 6494
example.com. 3600 IN DNSKEY 257 3 7 (
AwEAAboGeW4MLjIA4fPHg+lWBFb0zgwNcVshg96dLxJG
Ea6aXOV8stEINDzk+4MfacmWmTH3nNc+y+fScHaQlGd/
IQtvHOmxf1IV6EhkmpkK76+bToz751sQPNQePHq6Jf+p
BSwSWdaW62v/c5jfEdbRKk8aSSnG/6aciVPvd498Wq5e
kEUMLcqpPV43GmPxf6gj6oucuOK86uKp+VITUiCUTtXf
gKkfeO2X5/6dXKIamBcVy3+Ybhy/6Jk1nfo86RBp3Wbx
5624e9IHZaSYYVAVf9mPUEqQab4wmNkIezwXu73QzW7S
WqZd1gx8a+Fy6WETnd6E913shvICWr/qXpHnG5U=
) ; KSK; alg = NSEC3RSASHA1; key id = 44586
;; Query time: 5 msec
;; SERVER: 172.31.10.105#53(172.31.10.105)
;; WHEN: Thu Oct 03 11:08:26 2013
;; MSG SIZE rcvd: 475
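Validation of the zone only begins once the parent zone carries a DS record for this KSK. The following Python 3 script is an added example, not code from the Ecessa appliance or from this page: it takes the two DNSKEY records from the dig output above, computes their key tags the way dig's "key id" does (RFC 4034 Appendix B), and derives the DS record (SHA-256, digest type 2, and SHA-1, digest type 1) that would be submitted to the parent zone. The key data is copied from the output above; the function names and the check that refuses to build a DS from a key without the SEP bit are this example's own assumptions.

```python
import base64
import hashlib
import struct

# Added example, not part of the Ecessa page: derive the DS record for the
# parent zone from the KSK in the DNSKEY answer above, and compute key tags
# the way dig's "key id" does (RFC 4034 Appendix B). The two DNSKEY records
# are copied from the dig output on this page; everything else is assumed.
ZONE = "example.com."

# flags 256 = Zone Key bit only (ZSK); 257 = Zone Key + SEP bit (KSK).
# protocol is always 3; algorithm 7 = RSASHA1-NSEC3-SHA1 (dig: NSEC3RSASHA1).
ZSK = (256, 3, 7,
       "AwEAAbGEB84LjkrTmQ+dKAEknkeoI4wxOh2HvLcNs8DA"
       "hko9BC/RXvBIjuwSe8AfmnMsrLTXZmR6ZlO5V7QyJzu9"
       "84a+STxUfLv2fbJyXHY+Rfuh/DiGIRsSYhR5wDXtVWU1"
       "dkjFIacvEK2gMgEx2sN6HiVUnd616HBKCtirJKyg0679")
KSK = (257, 3, 7,
       "AwEAAboGeW4MLjIA4fPHg+lWBFb0zgwNcVshg96dLxJG"
       "Ea6aXOV8stEINDzk+4MfacmWmTH3nNc+y+fScHaQlGd/"
       "IQtvHOmxf1IV6EhkmpkK76+bToz751sQPNQePHq6Jf+p"
       "BSwSWdaW62v/c5jfEdbRKk8aSSnG/6aciVPvd498Wq5e"
       "kEUMLcqpPV43GmPxf6gj6oucuOK86uKp+VITUiCUTtXf"
       "gKkfeO2X5/6dXKIamBcVy3+Ybhy/6Jk1nfo86RBp3Wbx"
       "5624e9IHZaSYYVAVf9mPUEqQab4wmNkIezwXu73QzW7S"
       "WqZd1gx8a+Fy6WETnd6E913shvICWr/qXpHnG5U=")

FLAG_ZONE_KEY = 0x0100
FLAG_SEP = 0x0001

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-case
    labels, each prefixed by its length, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    out = bytearray()
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the DS RR the
    parent publishes for this key (RFC 4034 section 5.1.4): the digest is taken
    over the owner name in wire form followed by the DNSKEY RDATA."""
    # Assumption of this example: the key handed to the parent is the KSK,
    # i.e. the DNSKEY with both the Zone Key and the SEP bit set (flags 257).
    if flags & (FLAG_ZONE_KEY | FLAG_SEP) != (FLAG_ZONE_KEY | FLAG_SEP):
        raise ValueError("DS must be derived from the KSK (flags 257), got %d" % flags)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def format_ds(owner, ds):
    """Presentation format of a DS record, ready to hand to the parent zone."""
    tag, algorithm, digest_type, digest = ds
    return "%s IN DS %d %d %d %s" % (owner, tag, algorithm, digest_type, digest)


if __name__ == "__main__":
    for label, key in (("ZSK", ZSK), ("KSK", KSK)):
        print("%s key tag: %d" % (label, key_tag(dnskey_rdata(*key))))
    print(format_ds(ZONE, ds_record(ZONE, *KSK)))                 # SHA-256 DS
    print(format_ds(ZONE, ds_record(ZONE, *KSK, digest_type=1)))  # SHA-1 DS
```

The script needs no network access and no third-party modules. The KSK tag it prints should equal the key id 44586 shown above, and the ZSK tag should equal 6494, which is also the key tag named in every RRSIG in the next query; a mismatch means the DNSKEY text was not copied exactly. Submit the SHA-256 DS line to the registrar or to whoever operates the parent zone (some registrars accept the DNSKEY itself and derive the DS for you), then confirm that the published DS matches by querying the parent's name servers for the DS record of example.com before relying on validation.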
C:\>dig @172.31.10.105 wan1.example.com +dnssec +multi
; <<>> DiG 9.9.1-P3 <<>> @172.31.10.105 wan1.example.com +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31873
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;wan1.example.com. IN A
;; ANSWER SECTION:
wan1.example.com. 30 IN A 172.31.10.105
wan1.example.com. 30 IN RRSIG A 7 3 30 (
20131031163702 20131003163702 6494 example.com.
acVNee4P2ehCCWflPi1PA1WZ559frJP1dmvSK7KeSYky
Z4V9GSQ/Wd5sytyPQ22U+UkzsEwfxLCp0qGnT5BezjMt
15pQvH8OIi9/yptxuvSz/bK2NfRd1HJxaitiQ7gOFFm3
CI8OeW/5uqS9FGT8DTOupjYJiypncLPWaCMF7Cg= )
;; AUTHORITY SECTION:
example.com. 900 IN NS ns1.example.com.
example.com. 900 IN RRSIG NS 7 2 900 (
20131031163702 20131003163702 6494 example.com.
la2Z3IWS/0R/tlHDuygTCiNmcIK3YpMvrpT8su3cC6z2
6HJSuOE7MsszlzNHjaHd9xfAQj+KIVN7aglCuS80JKtw
snrN4ZShQ/k8N4J6EUagz/3lrDDC7dZz9Qcu7cuuVfpY
mCSo3+6NL2v7PnuAe7xV42+JERHSUD7GUAJe2nc= )
;; ADDITIONAL SECTION:
ns1.example.com. 900 IN A 172.31.10.105
ns1.example.com. 900 IN RRSIG A 7 3 900 (
20131031163702 20131003163702 6494 example.com.
S5+zttPRYcqrP8YK4BN9dHtj09LVDTGGROJsw0OtX6er
cacs0D/Gt9Rz9vjMQgWeFLfFBxcj1iGYmqA3tdxj8eEl
Is398OgUX5abZWMnmvdrBNEmrbjk4chpCFewAB090ChG
x5JLbRehiPBx4TfoXm4jz+nSV2KRql1uEii7oyk= )
;; Query time: 6 msec
;; SERVER: 172.31.10.105#53(172.31.10.105)
;; WHEN: Thu Oct 03 11:48:06 2013
;; MSG SIZE rcvd: 624