This post builds upon the previous post on DNS infrastructure.
DNSSEC (Domain Name System Security Extensions) adds a layer of protection to DNS by signing DNS records with digital signatures, so that a resolver can verify the answers it receives are authentic and were not altered in transit. It authenticates data; it does not encrypt queries or answers.
In simple terms, DNSSEC helps mitigate MITM attacks.
Set Up the ukadike2023.edu Server
Generate keys for the ukadike2023.edu server
Two key pairs are generated, each consisting of a public key and a private key.
- create a folder called keys
  mkdir /etc/bind/keys
  and generate the DNS keys in this directory:
- Zone Signing Key (ZSK), used to sign the zone records
  dnssec-keygen -a RSASHA256 -b 1024 ukadike2023.edu.
  (1024-bit RSA is below current recommendations; for a production zone use 2048 bits or ECDSAP256SHA256)
- Key Signing Key (KSK), used to sign the ZSK
  dnssec-keygen -a RSASHA256 -b 2048 -f KSK ukadike2023.edu.
Sign the ukadike2023.edu domain’s zone file
- navigate to /etc/bind/zones and sign the zone file:
  dnssec-signzone -e 20501231000000 -K ../keys/ -S -o ukadike2023.edu. ukadike2023.edu
  (-S picks up the keys in ../keys/, -o sets the zone origin and -e sets the signature expiry; a far-future expiry is convenient for a lab, but production zones use a short validity period and are re-signed regularly. Signing also writes a dsset- file containing the DS record that the parent zone will need.)
- edit /etc/bind/named.conf.zones so the zone is served from the signed file:
  zone "ukadike2023.edu." { type master; file "/etc/bind/zones/ukadike2023.edu.signed"; };
- restart the nameserver service
  service named restart
  or reload the configuration using
  rndc reconfig
  (rndc reconfig reloads named.conf and loads new zones but does not reload existing zone files; rndc reload does both)
Testing the configuration
$ dig @10.162.0.73 ukadike2023.edu DNSKEY +dnssec
The “IN DNSKEY” records in the response contain the KSK and ZSK for the ukadike2023.edu domain that were generated and used to sign the zone file.
The “IN RRSIG” record in the response contains the signature over the requested DNSKEY record set.
$ dig @10.162.0.73 ukadike2023.edu NS +dnssec
The answer section provides the nameserver for ukadike2023.edu plus the signature for the NS record.
The additional section provides the IP address of the nameserver named in the answer section plus the signature for that A record.
$ dig @10.162.0.73 www.ukadike2023.edu A +dnssec
The answer section provides the IP address for www.ukadike2023.edu plus the signature for the A record.
Set Up the edu Server
Generate keys for the edu server
Just as was done on the ukadike2023.edu nameserver, two key pairs will be generated on the edu TLD nameserver.
- create a folder called keys
  mkdir /etc/bind/keys
  and generate the DNS keys in this directory:
- Zone Signing Key (ZSK), used to sign the zone records
  dnssec-keygen -a RSASHA256 -b 1024 edu.
- Key Signing Key (KSK), used to sign the ZSK
  dnssec-keygen -a RSASHA256 -b 2048 -f KSK edu.
Sign the edu domain’s zone file
However, before signing the zone file, we need to add an entry to it: the DS record that was created on the ukadike2023.edu nameserver when we signed its zone file. A DS (Delegation Signer) record lives in the parent zone under the name of the delegated child zone and carries a digest of the child’s KSK DNSKEY record; once the parent signs the DS record, the chain of trust extends from the parent down to the child.
- create a new folder called dssets
  mkdir /etc/bind/dssets
- copy the DS record created on the ukadike2023.edu server to /etc/bind/dssets/dsset-ukadike2023.edu on the edu TLD server
- navigate to /etc/bind/zones, edit the zone file, and add the following:
  $INCLUDE ../dssets/dsset-ukadike2023.edu
- navigate to /etc/bind/zones and sign the zone file:
  dnssec-signzone -e 20501231000000 -K ../keys/ -S -o edu. edu
- edit /etc/bind/named.conf.zones so the zone is served from the signed file:
  zone "edu." { type master; file "/etc/bind/zones/edu.signed"; };
- restart the nameserver service
  service named restart
  or reload the configuration using
  rndc reconfig
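Before signing the parent, it is worth checking that the DS line copied into the dsset file really corresponds to the child’s KSK. The following added example (not part of the original post or of BIND) derives the SHA-256 DS record from a DNSKEY presentation line exactly as dnssec-signzone does, and compares it with a dsset line; the DNSKEY record is constructed, and its base64 key is a stand-in byte string rather than a real RSA key.

```python
import base64
import hashlib

# Constructed child DNSKEY record (not from the lab): the base64 key is a stand-in
# byte string, not a real RSA key, so only the DS derivation itself is meaningful.
CHILD_DNSKEY = "ukadike2023.edu. IN DNSKEY 257 3 8 AQIDBA=="

def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, raw key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))

def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(record):
    """Split a DNSKEY presentation line; tolerates an optional TTL and a key
    that the .key file has wrapped over several whitespace-separated chunks."""
    parts = record.split()
    if parts[1].isdigit():          # "owner TTL IN DNSKEY ..." form
        del parts[1]
    owner, _cls, _typ, flags, proto, alg = parts[:6]
    return owner, int(flags), int(proto), int(alg), "".join(parts[6:])

def ds_from_dnskey(record):
    """Derive the DS record (digest type 2 = SHA-256) the parent must publish.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    owner, flags, proto, alg, key = parse_dnskey(record)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d 2 %s" % (owner, key_tag(rdata), alg, digest)

def ds_matches(dnskey_record, ds_line):
    """True when a dsset line really points at this child DNSKEY: key tag,
    algorithm, digest type and digest must all agree (digest case-insensitive)."""
    want = ds_from_dnskey(dnskey_record).upper().split()
    return [t.upper() for t in ds_line.split()] == want

if __name__ == "__main__":
    print(ds_from_dnskey(CHILD_DNSKEY))
```

Feed it the contents of the child’s K*.key file and the line from the copied dsset file; a mismatch means the parent would sign a DS that no child key satisfies, and validation of the child zone would fail.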
Testing the configuration
$ dig @10.152.0.71 edu DNSKEY +dnssec
The “IN DNSKEY” records in the response contain the KSK and ZSK for the edu domain that were generated and used to sign the zone file.
The “IN RRSIG” record in the response contains the signature over the requested DNSKEY record set.
$ dig @10.152.0.71 edu NS +dnssec
The answer section provides the nameserver for edu plus the signature for the NS record.
The additional section provides the IP address of the nameserver named in the answer section plus the signature for that A record.
$ dig @10.152.0.71 ukadike2023.edu +dnssec
The “IN NS” record in the response contains the authoritative nameserver for ukadike2023.edu plus the signature for the NS record.
The “IN DS” record in the response contains the Delegation Signer record that was created when the ukadike2023.edu zone file was signed.
The “IN RRSIG” record in the response contains the signature for the DS record.
Set Up the root Server
Generate keys for the root server
Just as was done on the edu TLD nameserver, two key pairs will be generated on the root nameserver.
- create a folder called keys
  mkdir /etc/bind/keys
  and generate the DNS keys in this directory:
- Zone Signing Key (ZSK), used to sign the zone records
  dnssec-keygen -a RSASHA256 -b 1024 .
- Key Signing Key (KSK), used to sign the ZSK
  dnssec-keygen -a RSASHA256 -b 2048 -f KSK .
Sign the root zone file
However, before signing the zone file, we need to add an entry to it: the DS record that was created on the edu nameserver when we signed its zone file.
- create a new folder called dssets
  mkdir /etc/bind/dssets
- copy the DS record created on the edu server to /etc/bind/dssets/dsset-edu on the root server
- navigate to /etc/bind/zones, edit the zone file, and add the following:
  $INCLUDE ../dssets/dsset-edu
- navigate to /etc/bind/zones and sign the zone file:
  dnssec-signzone -e 20501231000000 -K ../keys/ -S -o . root
- edit /etc/bind/named.conf.zones so the root zone is served from the signed file (the zone name here is "." for the root, not "edu."):
  zone "." { type master; file "/etc/bind/zones/root.signed"; };
- restart the nameserver service
  service named restart
  or reload the configuration using
  rndc reconfig
Testing the configuration
$ dig @10.150.0.72 . DNSKEY +dnssec
The answer section provides the KSK and ZSK for the root zone that were generated and used to sign the zone file, plus the signatures of the DNSKEY records.
$ dig @10.150.0.72 . NS +dnssec
The answer section provides the nameserver for the root zone plus the signature for the NS record.
$ dig @10.150.0.72 edu +dnssec
The authority section contains the nameserver for the edu TLD, the Delegation Signer record that was created when the edu zone file was signed, plus the signature of the DS record.
$ dig @10.150.0.72 ukadike2023.edu +dnssec
The authority section contains the nameserver for the edu TLD, the Delegation Signer record that was created when the edu zone file was signed, plus the signature of the DS record. The result is the same as above because the root server has no information about ukadike2023.edu and refers the client to the edu TLD.
Set Up the Local DNS Server
Since the root zone has no parent zone, the root server’s public key is the root of trust. Trust anchors are the way DNS resolvers obtain the root server’s key in a secure way.
- BIND 9’s built-in DNSSEC trust anchors can be overridden by the contents of /etc/bind/bind.keys. In this lab, we put the root server’s KSK public key into this file:
  trust-anchors { . static-key 257 3 8 "<root nameserver KSK>"; };
  (257 3 8 are the DNSKEY flags, protocol and algorithm fields: 257 marks a KSK and 8 is RSASHA256, matching the key generated on the root server)
- next, enable DNSSEC validation in named.conf.options
  dnssec-validation auto;
- restart the nameserver service
  service named restart
  or reload the configuration using
  rndc reconfig
Testing the configuration
$ dig www.ukadike2023.edu +dnssec
The answer section contains the authoritative answer to the request plus the signature of the A record received. The “ad” flag in the header shows that the resolver validated the answer.
Testing a fake response
$ dig www.ukadike2023.edu
When the record is forged (meaning the resolver cannot verify the signature associated with the record), the resolver reports a server failure (SERVFAIL). Adding +cd to the query turns off validation and returns the unverified data, which is useful for seeing what the resolver rejected.
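The tests above are read by eye from dig output. As an added example (not part of the original post or of BIND), the following script checks the same things programmatically: whether the resolver answered NOERROR or SERVFAIL, whether it set the “ad” flag, and whether each RRSIG’s validity window covers the current time and whether its expiry is unreasonably distant, which is how the far-future -e date used in this lab would be caught in a production zone. The dig output below is constructed, and the 10.162.0.80 address and signature text are placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed dig +dnssec output (not captured from the lab's resolver); the
# RRSIG fields are shaped like real RRSIG RDATA but the signature is a placeholder.
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.ukadike2023.edu.\t604800\tIN\tA\t10.162.0.80
www.ukadike2023.edu.\t604800\tIN\tRRSIG\tA 8 3 604800 20501231000000 20240101000000 12345 ukadike2023.edu. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
"""

# owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+"
    r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)\s+\S+")

def parse_ts(ts):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rcode(dig_output):
    """The status the resolver returned (NOERROR, SERVFAIL, ...)."""
    m = re.search(r"status: ([A-Z]+)", dig_output)
    return m.group(1) if m else None

def validated(dig_output):
    """True if the resolver set the AD (authentic data) flag, i.e. it validated."""
    m = re.search(r"^;; flags: ([a-z ]+);", dig_output, re.M)
    return bool(m) and "ad" in m.group(1).split()

def rrsig_status(dig_output, now_ts, max_days=365):
    """For each RRSIG in the output: is 'now' inside its validity window, and is
    the expiry further away than a sane re-signing policy would allow?"""
    now, report = parse_ts(now_ts), []
    for line in dig_output.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        owner, covered, alg, exp, inc, tag, signer = m.groups()
        expiry, inception = parse_ts(exp), parse_ts(inc)
        report.append({"owner": owner, "type": covered, "algorithm": int(alg),
                       "keytag": int(tag), "signer": signer,
                       "in_window": inception <= now <= expiry,
                       "expiry_too_far": (expiry - now).days > max_days})
    return report

if __name__ == "__main__":
    print(rcode(SAMPLE_DIG_OUTPUT), validated(SAMPLE_DIG_OUTPUT))
    print(rrsig_status(SAMPLE_DIG_OUTPUT, "20250101000000"))
```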
Thanks for reading…