
How do I enable DNSSEC for a domain hosted on the Ecessa appliance?

DNS Security Extensions (DNSSEC) let resolvers validate the integrity and origin of DNS responses: authoritative servers return digital signatures alongside the standard DNS data.

Using asymmetric key cryptography, each DNSSEC-enabled zone uses two keys. The Zone Signing Key (ZSK) signs the DNS records within the zone. The Key Signing Key (KSK) signs the Zone Signing Key. The ZSK is a short-term key and is rolled over frequently, while the KSK is a longer-term key; best practice is to roll it over once a year.

The Delegation Signer (DS) record is a digest (hash) of the KSK and is provided to the parent zone. The parent zone in turn signs the DS record, creating a chain of trust.

DNSSEC Configuration

To enable DNSSEC for a zone on the Ecessa appliance, log into the web interface and go to the Authoritative DNS page. Click the Configure link next to the name of the domain.

[Image: auth_dns_main_page.png]

The DNSSEC setting is located at the top of the domain configuration page. Click the check box to enable DNSSEC and then click the Activate button.

[Image: DNSSEC_setting.png]

After clicking the Activate button, a text field will display the generated KSK for the zone.

[Image: DNSSEC_enabled.png]

DNSSEC is now enabled for the zone.

When DNSSEC is enabled, the zone gains additional resource records, such as RRSIG and DNSKEY records. Querying the Ecessa appliance now returns this information:

C:\>dig @172.31.10.105 +multi example.com dnskey

; <<>> DiG 9.9.1-P3 <<>> @172.31.10.105 +multi example.com dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6488
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.           IN DNSKEY

;; ANSWER SECTION:
example.com.            3600 IN DNSKEY 256 3 7 (
                                AwEAAbGEB84LjkrTmQ+dKAEknkeoI4wxOh2HvLcNs8DA
                                hko9BC/RXvBIjuwSe8AfmnMsrLTXZmR6ZlO5V7QyJzu9
                                84a+STxUfLv2fbJyXHY+Rfuh/DiGIRsSYhR5wDXtVWU1
                                dkjFIacvEK2gMgEx2sN6HiVUnd616HBKCtirJKyg0679
                                ) ; ZSK; alg = NSEC3RSASHA1; key id = 6494
example.com.            3600 IN DNSKEY 257 3 7 (
                                AwEAAboGeW4MLjIA4fPHg+lWBFb0zgwNcVshg96dLxJG
                                Ea6aXOV8stEINDzk+4MfacmWmTH3nNc+y+fScHaQlGd/
                                IQtvHOmxf1IV6EhkmpkK76+bToz751sQPNQePHq6Jf+p
                                BSwSWdaW62v/c5jfEdbRKk8aSSnG/6aciVPvd498Wq5e
                                kEUMLcqpPV43GmPxf6gj6oucuOK86uKp+VITUiCUTtXf
                                gKkfeO2X5/6dXKIamBcVy3+Ybhy/6Jk1nfo86RBp3Wbx
                                5624e9IHZaSYYVAVf9mPUEqQab4wmNkIezwXu73QzW7S
                                WqZd1gx8a+Fy6WETnd6E913shvICWr/qXpHnG5U=
                                ) ; KSK; alg = NSEC3RSASHA1; key id = 44586

;; Query time: 5 msec
;; SERVER: 172.31.10.105#53(172.31.10.105)
;; WHEN: Thu Oct 03 11:08:26 2013
;; MSG SIZE  rcvd: 475
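As an added example (not Ecessa's code): this Python script takes the two DNSKEY records from the dig output above, re-joined, recomputes the RFC 4034 key tag that dig prints as "key id", tells the ZSK from the KSK by the SEP flag, and derives the SHA-256 DS record for the KSK that would be handed to the parent zone. The DS digest type (2, SHA-256) and the RSA modulus-size decoding are assumptions about presentation, not details taken from the page.

```python
import base64
import hashlib

ZONE = "example.com."  # sample input: the two DNSKEY records from the dig output above, base64 re-joined
ZSK_B64 = ("AwEAAbGEB84LjkrTmQ+dKAEknkeoI4wxOh2HvLcNs8DA"
           "hko9BC/RXvBIjuwSe8AfmnMsrLTXZmR6ZlO5V7QyJzu9"
           "84a+STxUfLv2fbJyXHY+Rfuh/DiGIRsSYhR5wDXtVWU1"
           "dkjFIacvEK2gMgEx2sN6HiVUnd616HBKCtirJKyg0679")
KSK_B64 = ("AwEAAboGeW4MLjIA4fPHg+lWBFb0zgwNcVshg96dLxJG"
           "Ea6aXOV8stEINDzk+4MfacmWmTH3nNc+y+fScHaQlGd/"
           "IQtvHOmxf1IV6EhkmpkK76+bToz751sQPNQePHq6Jf+p"
           "BSwSWdaW62v/c5jfEdbRKk8aSSnG/6aciVPvd498Wq5e"
           "kEUMLcqpPV43GmPxf6gj6oucuOK86uKp+VITUiCUTtXf"
           "gKkfeO2X5/6dXKIamBcVy3+Ybhy/6Jk1nfo86RBp3Wbx"
           "5624e9IHZaSYYVAVf9mPUEqQab4wmNkIezwXu73QzW7S"
           "WqZd1gx8a+Fy6WETnd6E913shvICWr/qXpHnG5U=")


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (what dig prints as 'key id'); not for RSA/MD5 (alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Owner name in wire form: 'example.com.' -> b'\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"


def is_ksk(flags):
    """Bit 7 (ZONE, 0x0100) is set on both keys; bit 15 (SEP, 0x0001) marks the KSK."""
    return bool(flags & 0x0100) and bool(flags & 0x0001)


def ds_record(name, rdata, algorithm):
    """DS RDATA the parent zone signs: key tag, algorithm, digest type 2, SHA-256(owner || RDATA)."""
    digest = hashlib.sha256(wire_name(name) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def summarize(flags, pubkey_b64, algorithm=7, protocol=3):
    """Decode one DNSKEY as the appliance published it; a DS is only produced for the KSK."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    pub = rdata[4:]
    modulus_len = len(pub) - 1 - pub[0]  # RSA: 1-byte exponent length, exponent, modulus
    return {"role": "KSK" if is_ksk(flags) else "ZSK", "rsa_bits": modulus_len * 8, "key_tag": key_tag(rdata),
            "ds": ds_record(ZONE, rdata, algorithm) if is_ksk(flags) else None}
```

Calling summarize(256, ZSK_B64) and summarize(257, KSK_B64) gives the key tags to compare against the key id values in dig's comments, and the DS line for the KSK.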

C:\>dig @172.31.10.105 wan1.example.com +dnssec +multi

; <<>> DiG 9.9.1-P3 <<>> @172.31.10.105 wan1.example.com +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31873
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;wan1.example.com.      IN A

;; ANSWER SECTION:
wan1.example.com.       30 IN A 172.31.10.105
wan1.example.com.       30 IN RRSIG A 7 3 30 (
                                20131031163702 20131003163702 6494 example.com.
                                acVNee4P2ehCCWflPi1PA1WZ559frJP1dmvSK7KeSYky
                                Z4V9GSQ/Wd5sytyPQ22U+UkzsEwfxLCp0qGnT5BezjMt
                                15pQvH8OIi9/yptxuvSz/bK2NfRd1HJxaitiQ7gOFFm3
                                CI8OeW/5uqS9FGT8DTOupjYJiypncLPWaCMF7Cg= )

;; AUTHORITY SECTION:
example.com.            900 IN NS ns1.example.com.
example.com.            900 IN RRSIG NS 7 2 900 (
                                20131031163702 20131003163702 6494 example.com.
                                la2Z3IWS/0R/tlHDuygTCiNmcIK3YpMvrpT8su3cC6z2
                                6HJSuOE7MsszlzNHjaHd9xfAQj+KIVN7aglCuS80JKtw
                                snrN4ZShQ/k8N4J6EUagz/3lrDDC7dZz9Qcu7cuuVfpY
                                mCSo3+6NL2v7PnuAe7xV42+JERHSUD7GUAJe2nc= )

;; ADDITIONAL SECTION:
ns1.example.com.        900 IN A 172.31.10.105
ns1.example.com.        900 IN RRSIG A 7 3 900 (
                                20131031163702 20131003163702 6494 example.com.
                                S5+zttPRYcqrP8YK4BN9dHtj09LVDTGGROJsw0OtX6er
                                cacs0D/Gt9Rz9vjMQgWeFLfFBxcj1iGYmqA3tdxj8eEl
                                Is398OgUX5abZWMnmvdrBNEmrbjk4chpCFewAB090ChG
                                x5JLbRehiPBx4TfoXm4jz+nSV2KRql1uEii7oyk= )

;; Query time: 6 msec
;; SERVER: 172.31.10.105#53(172.31.10.105)
;; WHEN: Thu Oct 03 11:48:06 2013
;; MSG SIZE  rcvd: 624
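The RRSIG fields in the output above, as an added example that is not part of the original article: a Python checker that parses the three RRSIG records (re-joined onto one line each, signatures shortened), reports the validity window (inception to expiration), flags signatures close to expiry, confirms each was made by the ZSK with key id 6494, and compares the labels field with the owner name to spot wildcard-synthesized answers. The seven-day warning threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the three RRSIG records from the dig output above, each re-joined onto
# one line with the base64 signature shortened to "...".
RRSIG_LINES = [
    "wan1.example.com. 30 IN RRSIG A 7 3 30 20131031163702 20131003163702 6494 example.com. acVNee4P...",
    "example.com. 900 IN RRSIG NS 7 2 900 20131031163702 20131003163702 6494 example.com. la2Z3IWS...",
    "ns1.example.com. 900 IN RRSIG A 7 3 900 20131031163702 20131003163702 6494 example.com. S5+zttPR...",
]


def rrsig_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one presentation-format RRSIG into its fields (the signature itself stays as text)."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {"owner": f[0], "ttl": int(f[1]), "type_covered": f[4], "algorithm": int(f[5]),
            "labels": int(f[6]), "original_ttl": int(f[7]), "expiration": rrsig_time(f[8]),
            "inception": rrsig_time(f[9]), "key_tag": int(f[10]), "signer": f[11],
            "signature": "".join(f[12:])}


def is_wildcard_expansion(rrsig):
    """Owner with more labels than the RRSIG labels field means the answer came from a wildcard."""
    owner_labels = len(rrsig["owner"].rstrip(".").split("."))
    return owner_labels > rrsig["labels"]


def signature_status(rrsig, now, warn=timedelta(days=7)):
    """Validity of a signature at time `now`; 'expiring' means a re-sign (or ZSK roll) is due."""
    if now < rrsig["inception"]:
        return "not yet valid"
    if now >= rrsig["expiration"]:
        return "expired"
    return "expiring" if rrsig["expiration"] - now < warn else "valid"


def audit(lines, now, zsk_tag):
    """Per record: (owner, type, status, signed by the expected ZSK?, wildcard expansion?)."""
    out = []
    for rec in map(parse_rrsig, lines):
        out.append((rec["owner"], rec["type_covered"], signature_status(rec, now),
                    rec["key_tag"] == zsk_tag, is_wildcard_expansion(rec)))
    return out
```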
