Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins -

The Compulsory The Certain  Time NTP The Uncertain  Entropy havenged

Zone Distribution TSIG  Signing the path between Master and Slave Using a shared secret means there is confidence on the receiving side that the data came from the sender and was not altered in transit Pass-phrases need to be renewed - once a year Out of Band Key Management

Which DNSSEC Protocol? NSEC - Original method  Everything is signed  Light Weight  No privacy Walk the Zone NSEC3 - Designed for ccTLD's  Can not Walk the Zone  Opt-Out – only core secure delegations signed Reduces the increase in signed zone size  NSEC3 Options Opt-out Seeding Hash cycles

Keys – and management Asymmetrical keys – One part Secret, One part Public KSK - Key Signing keys  Used to sign ZSK's  Longish live cycle – default is one year  Potentially difficult to roll  Generate with RSASHAR256 with 2048 bits  Hash present in Parent (DS Record) ZSK - Zone Signing keys  Used to sign the data in a zone  Shortish life cycle - default is one month  Simple to Roll  Generate with RSASHAR256 with 1024 bits

Keys – and management Hardware Security Module - HSM  Multiple, redundant, tamper proof devices "Soft" HSM (incorporating with BIND is difficult) On the File system  Stripped down server  Limited access (no direct Internet access)

Managing the Children Need to Populate parent with DS Records  Out of Band Paper Secure Web Site Via EPP extension Via “in-band” methods What do you record? KSK/DS Emergency “Roll-over”

Using DNSSEC Making a Resolver “DNSSEC” aware  RFC5011  Howto: & Scripts available at: “DNSSEC Validator” and get the Green-Key

Ready to run DNSSEC Need: NTP Havenged Use TSIG For Zone distribution NSEC3 ? NSEC Opt In/Out Seed Hash Signing Done KSK 1 year ZSK 1 month