Developing a DNSSEC Policy
Mark Elkins

Outline:
- The Compulsory
- Zone Distribution
- Which DNSSEC Protocol?
- Keys, and managing them
- Managing the Children
- Using DNSSEC
The Compulsory
- The Certain: Time (NTP)
- The Uncertain: Entropy (haveged)
Zone Distribution
- TSIG: signing the path between Master and Slave
- Using a shared secret gives the receiving side confidence that the data came from the sender and was not altered in transit
- Pass-phrases need to be renewed, once a year
- Out-of-band key management
Which DNSSEC Protocol?
- NSEC: the original method
  - Everything is signed
  - Lightweight
  - No privacy: anyone can walk the zone
- NSEC3: designed for ccTLDs
  - The zone cannot be walked
  - Opt-Out: only secure delegations are signed
  - Reduces the growth in signed zone size
- NSEC3 options: Opt-out, Seeding, Hash cycles
Keys, and management
- Asymmetric keys: one part secret, one part public
- KSK (Key Signing Key)
  - Used to sign ZSKs
  - Longish life cycle; default is one year
  - Potentially difficult to roll
  - Generate with RSASHA256, 2048 bits
  - Its hash is present in the parent (DS record)
- ZSK (Zone Signing Key)
  - Used to sign the data in a zone
  - Shortish life cycle; default is one month
  - Simple to roll
  - Generate with RSASHA256, 1024 bits
Keys, and management (continued)
- Hardware Security Module (HSM): multiple, redundant, tamper-proof devices
- "Soft" HSM (integrating it with BIND is difficult)
- Keys on the file system:
  - Stripped-down server
  - Limited access (no direct Internet access)
Managing the Children
- Need to populate the parent with DS records
  - Out of band: paper, secure web site
  - Via an EPP extension
  - Via "in-band" methods
- What do you record? KSK/DS
- Emergency "roll-over"
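The KSK hash that the parent publishes as a DS record (see the Keys slide and the "populate the parent" step above) is computed from the owner name and the DNSKEY RDATA. The following is an added example, not from the slides: it builds the DS record for a KSK using a constructed 2-byte stand-in for the RSA public key (a real key is simply longer), with the RFC 4034 key-tag calculation, and refuses to derive a DS from a ZSK, since only the KSK should be handed to the parent.

```python
import base64
import hashlib
import struct

# DNSKEY flag bit 0x0001 is the Secure Entry Point (SEP) bit: KSK flags are 257, ZSK flags 256.
SEP_FLAG = 0x0001
# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Encode a dotted owner name in DNS wire format (length-prefixed labels, lowercased)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, digest_hex) for the DS record the parent must publish.
    The digest covers the owner name in wire format followed by the DNSKEY RDATA."""
    if not flags & SEP_FLAG:
        raise ValueError("DS records are derived from the KSK (SEP flag set), not a ZSK")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DS_DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), digest


def ds_record_line(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Format the DS record in zone-file syntax: owner IN DS tag alg digest-type digest."""
    tag, digest = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type)
    return f"{owner} IN DS {tag} {algorithm} {digest_type} {digest.upper()}"


# Constructed sample: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256), 2-byte fake key.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = (257, 3, 8, "AAE=")

if __name__ == "__main__":
    print(ds_record_line(SAMPLE_OWNER, *SAMPLE_KSK))
```

The output has the same shape as what BIND's dnssec-dsfromkey prints; comparing the two on a real KSK is a useful sanity check before sending the DS to the parent.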
Using DNSSEC
- Making a resolver "DNSSEC" aware: RFC 5011
- Howto & scripts available at:
- "DNSSEC Validator" and get the green key
Ready to run DNSSEC
- Need: NTP, haveged
- Use TSIG for zone distribution
- NSEC3 or NSEC?
  - Opt In/Out
  - Seed
  - Hash
- Signing done: KSK 1 year, ZSK 1 month