DNSSEC
Chapter 77: DNSSEC Configuration
Section titled “Chapter 77: DNSSEC Configuration”Overview
Section titled “Overview”DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS responses, protecting against DNS spoofing and man-in-the-middle attacks. This chapter covers DNSSEC concepts, key management, BIND configuration, and troubleshooting. Understanding DNSSEC is increasingly important as DNS-based attacks become more sophisticated, and many organizations are now requiring DNSSEC for their domains.
Why This Matters in DevOps/SRE
Section titled “Why This Matters in DevOps/SRE”DNSSEC protects users from DNS spoofing attacks where attackers redirect traffic to malicious servers. As DNS-based attacks increase, enabling DNSSEC becomes essential. As a DevOps/SRE, you’ll configure DNSSEC signing, manage keys, and ensure proper chain of trust.
┌─────────────────────────────────────────────────────────────────────────────┐│ DNSSEC IN SECURITY OPERATIONS │├─────────────────────────────────────────────────────────────────────────────┤│ ││ ┌─────────────────────────────────────────────────────────────────────┐ ││ │ ATTACK VECTORS DNSSEC PREVENTS │ ││ │ │ ││ │ • DNS Cache Poisoning │ ││ │ Attackers inject fake DNS records into resolver cache │ ││ │ │ ││ │ • Man-in-the-Middle │ ││ │ Redirect users to fake websites │ ││ │ │ ││ │ • Pharming │ ││ │ DNS hijacking to malicious IPs │ ││ │ │ ││ └─────────────────────────────────────────────────────────────────────┘ ││ ││ ┌─────────────────────────────────────────────────────────────────────┐ ││ │ DNSSEC CHAIN OF TRUST │ ││ │ │ ││ │ Root (.) → TLD (.com) → Domain (example.com) → Records │ ││ │ │ ││ │ Each level signs the one below it │ ││ │ │ ││ └─────────────────────────────────────────────────────────────────────┘ ││ ││ ┌─────────────────────────────────────────────────────────────────────┐ ││ │ DEV OPS TASKS │ ││ │ │ ││ │ • Enable DNSSEC signing on authoritative nameservers │ ││ │ • Upload DS records to registrar │ ││ │ • Monitor key rollovers │ ││ │ • Validate DNSSEC on resolver servers │ ││ │ │ ││ └─────────────────────────────────────────────────────────────────────┘ ││ │└─────────────────────────────────────────────────────────────────────────────┘Real-world DevOps scenarios:
- Key rollover: Scheduled DNSSEC key rotation without downtime
- DS record management: Coordinating with registrar for chain of trust
- Validation: Enabling DNSSEC validation on internal resolvers
77.1 DNSSEC Overview
Section titled “77.1 DNSSEC Overview”DNSSEC Flow
Section titled “DNSSEC Flow”┌─────────────────────────────────────────────────────────────────────────┐│ DNSSEC FLOW │├─────────────────────────────────────────────────────────────────────────┤│ ││ ┌─────────────────────────────────────────────────────────────────┐ ││ │ DNSSEC VALIDATION FLOW │ ││ ├─────────────────────────────────────────────────────────────────┤ ││ │ │ ││ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ ││ │ │ Client │ │ Resolver │ │Auth NS │ │ ││ │ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ ││ │ │ │ │ │ ││ │ │ 1. Query: │ │ │ ││ │ │ example.com │ │ │ ││ │ │─────────────────►│ │ │ ││ │ │ │ │ │ ││ │ │ │ 2. Query example.com │ ││ │ │ │─────────────────────────────────►│ ││ │ │ │ │ │ ││ │ │ │ │ │ ││ │ │ │ 3. Response + RRSIG │ ││ │ │ │◄────────────────────────────────│ ││ │ │ │ (signed with ZSK) │ ││ │ │ │ │ │ ││ │ │ │ 4. Verify RRSIG │ ││ │ │ │ using DNSKEY │ ││ │ │ │ │ │ ││ │ │ │ 5. Query KSK │ ││ │ │ │ (if needed) │ ││ │ │ │─────────────────────────────────►│ ││ │ │ │ │ │ ││ │ │ │ 6. DS record from parent │ ││ │ │ │◄────────────────────────────────│ ││ │ │ │ │ │ ││ │ │ │ 7. Chain validated ✓ │ ││ │ │◄──────────────────│ │ │ ││ │ │ 8. Secure result │ │ │ ││ │ └──────────────────►│ │ │ ││ │ │ ││ └─────────────────────────────────────────────────────────────────┘ ││ ││ DNSSEC Record Types: ││ ┌─────────────────────────────────────────────────────────────────┐ ││ │ │ ││ │ DNSKEY - Contains public signing keys │ ││ │ RRSIG - Digital signature for a record set │ ││ │ DS - Hash of DNSKEY, published in parent zone │ ││ │ NSEC/NSEC3 - Proof of non-existence │ ││ │ CDNSKEY - Child DNSKEY (for dynamic updates) │ ││ │ CDS - Child DS (for dynamic updates) │ ││ │ │ ││ └─────────────────────────────────────────────────────────────────┘ ││ │└─────────────────────────────────────────────────────────────────────────┘Key Types
Section titled “Key Types”┌─────────────────────────────────────────────────────────────────────────┐│ DNSSEC KEY TYPES │├─────────────────────────────────────────────────────────────────────────┤│ ││ ┌─────────────────────────────────────────────────────────────────┐ ││ │ ZSK (Zone Signing Key) │ ││ │ ┌─────────────────────────────────────────────────────────┐ │ ││ │ │ - Signs all zone records (A, AAAA, MX, etc.) │ │ ││ │ │ - Shorter key, rotated more frequently │ │ ││ │ │ - Typically 1024-2048 bits │ │ ││ │ │ - Signed by KSK │ │ ││ │ │ - Algorithm: RSASHA256, ECDSAP256SHA256 │ │ ││ │ └─────────────────────────────────────────────────────────┘ │ ││ │ │ ││ │ KSK (Key Signing Key) │ ││ │ ┌─────────────────────────────────────────────────────────┐ │ ││ │ │ - Signs the DNSKEY record set │ │ ││ │ │ - Longer key, rotated less frequently │ │ ││ │ │ - Typically 2048 bits or higher │ │ ││ │ │ - DS record in parent zone points to KSK │ │ ││ │ │ - More secure, separated from daily signing │ │ ││ │ └─────────────────────────────────────────────────────────┘ │ ││ │ │ ││ └─────────────────────────────────────────────────────────────────┘ ││ ││ Chain of Trust: ││ ┌─────────────────────────────────────────────────────────────────┐ ││ │ │ ││ │ . (root) │ ││ │ │ │ ││ │ │ DS record for .com │ ││ │ ▼ │ ││ │ .com │ ││ │ │ │ ││ │ │ DS record for example.com (hash of KSK) │ ││ │ ▼ │ ││ │ example.com │ ││ │ │ │ ││ │ │ DNSKEY record (contains ZSK and KSK) │ ││ │ │ RRSIG (signed by ZSK) │ ││ │ │ │ ││ │ └─► Validate signatures using ZSK, verify ZSK using KSK │ ││ │ │ ││ └─────────────────────────────────────────────────────────────────┘ ││ │└─────────────────────────────────────────────────────────────────────────┘77.2 BIND DNSSEC Configuration
Section titled “77.2 BIND DNSSEC Configuration”Key Generation
Section titled “Key Generation”# ============================================================# DNSSEC KEY GENERATION# ============================================================
# Create DNSSEC keys directorymkdir -p /etc/bind/keys/example.comcd /etc/bind/keys/example.com
# Generate Zone Signing Key (ZSK)dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com# Output: Kexample.com.+008+12345.key and .private
# Generate Key Signing Key (KSK)dnssec-keygen -a RSASHA256 -b 4096 -n ZONE -f KSK example.com# Output: Kexample.com.+008+67890.key and .private
# Alternative algorithms# ECDSAP256SHA256 (recommended - smaller keys, same security)dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.comdnssec-keygen -a ECDSAP256SHA256 -n ZONE -f KSK example.com
# View generated keysls -lacat Kexample.com.+008+12345.key
# Key file format:# example.com. IN DNSKEY 257 3 8 AwEAAc...# 257 = KSK (secure entry point)# 3 = algorithm (8 = RSASHA256)Signing the Zone
Section titled “Signing the Zone”# ============================================================# SIGNING THE ZONE# ============================================================
# Pre-signing steps# Ensure zone file is up to date
# Sign zone manually (for testing)dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | tr -dc 'a-z0-9' | head -c 16) \ -o example.com -t db.example.com
# Flags explained:# -A: Re-sign all keys (regenerate signatures)# -3: NSEC3 salt (or -n for NSEC)# -o: Origin (zone name)# -t: Total signatures
# Output files:# db.example.com.signed - Signed zone file# dsset-example.com - DS records for parent zone
# Automatic signing (recommended for production)# Enable in named.conf
# Configure automatic signing# /etc/bind/named.conf.localzone "example.com" { type master; file "/etc/bind/zones/db.example.com"; key-directory "/etc/bind/keys/example.com"; dnssec-policy default; auto-dnssec maintain;};DNSSEC Configuration
Section titled “DNSSEC Configuration”# ============================================================# BIND DNSSEC CONFIGURATION# ============================================================
# /etc/bind/named.conf.optionsoptions { // Enable DNSSEC validation on recursive servers dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
// Trust anchor (usually auto-managed) // trust-anchor ".";
// Logging category dnssec { null; };};
// /etc/bind/named.conf.local for authoritative serverzone "example.com" { type master; file "db.example.com.signed"; allow-transfer { 10.0.0.0/8; };
// DNSSEC signing policy dnssec-policy default { // Keys will be generated automatically // Keys rollover automatically };};
// Automatic key management (BIND 9.16+)zone "example.com" { type master; file "db.example.com.signed"; key-directory "/etc/bind/keys/example.com"; dnssec-policy default; auto-dnssec maintain;};77.3 DS Record Management
Section titled “77.3 DS Record Management”Publishing DS Records
Section titled “Publishing DS Records”# ============================================================# DS RECORD MANAGEMENT# ============================================================
# Generate DS record from KSKdnssec-dsfromkey Kexample.com.+008+67890.key
# Example output:# example.com. IN DS 12345 8 2 A1B2C3D4E5F6...
# DS record components:# - Key Tag (12345): Identifies the key# - Algorithm (8): RSASHA256# - Digest Type (2): SHA-256# - Digest (A1B2...): Hash of KSK
# Submit to parent zone registrar# Most registrars provide web interface# Or use: nsupdate with TSIG
# For multiple KSKs (key rollover)# Generate DS for each KSK
# Verify DS recordsdig DS example.com @dns.example.comdig +short DS example.com @a.gtld-servers.netAutomatic DS Updates
Section titled “Automatic DS Updates”# ============================================================# AUTOMATIC DS UPDATES# ============================================================
# Configure CDS updates (for automatic DS management)# Add to zone statement:zone "example.com" { // ... other options update-policy local; // or // inline-signing yes;};
# For parent zone to pick up CDS records# Parent queries for CDS records periodically
# Manual submission via nsupdatensupdate -l << EOFserver dns.parent.example.comupdate add example.com 3600 CDS 12345 8 2 A1B2C3D4E5F6...sendEOF
# Or via your registrar's API77.4 Testing and Validation
Section titled “77.4 Testing and Validation”Client-Side Testing
Section titled “Client-Side Testing”# ============================================================# DNSSEC TESTING# ============================================================
# Check if DNSSEC is enabled on resolverdig +dnssec example.com# Look for AD flag in response
# Verify signatures manuallydig +sigchase example.com# Traces chain of trust
# Check DNSKEY recordsdig DNSKEY example.com
# Check RRSIG recordsdig +rrlist example.com | grep RRSIG
# Check DS recordsdig DS example.com
# Test validationdig +cdflag example.com# cdflag = Checking Disabled, bypasses validation
# Check AD (Authenticated Data) flagdig example.com | grep "flags:"# Should show "ad" when DNSSEC is working
# Using drill (from ldns)drill -D example.comdrill -TD example.comOnline Tools
Section titled “Online Tools”# ============================================================# DNSSEC VALIDATION TOOLS# ============================================================
# DNSViz - Visual analysis# https://dnsviz.net/
# Verisign DNSSEC Analyzer# https://dnssec-analyzer.verisign.com/
# DNS-OARC DNSSEC Debugger# https://dnssec-debugger.verisign.com/
# Online DNSSEC test# https://www.dnssec-or-not.com/
# Check negative responses (NSEC/NSEC3)dig +dnssec +norec soa.example.com @authns.example.comTroubleshooting
Section titled “Troubleshooting”# ============================================================# DNSSEC TROUBLESHOOTING# ============================================================
# Common issues:
# 1. Keys not generatedls -la /etc/bind/keys/example.com/# Should have .key and .private files
# 2. Zone not signeddig +dnssec example.com @authns.example.com# Should have RRSIG in response
# 3. DS records not publisheddig DS example.com @parent.example.com# Should return DS records
# 4. Validation fails on resolver# Check named.conf: dnssec-validation yes;
# 5. Check for expired signatures# View signature expirationdig +noall +answer RRSIG example.com
# 6. Check key IDs matchdig DNSKEY example.com# Compare Key ID with DS record Key Tag
# 7. Debug DNSSEC in BIND# Add to named.conf options:logging { channel dnssec_log { file "/var/log/named/dnssec.log" versions 3 size 5m; severity info; print-time yes; print-category yes; }; category dnssec { dnssec_log; };};
# 8. Check trust anchor# Root key should be present# /etc/bind/bind.keys or managed-keys-directory77.5 Interview Questions
Section titled “77.5 Interview Questions”┌─────────────────────────────────────────────────────────────────────────┐│ DNSSEC INTERVIEW QUESTIONS │├─────────────────────────────────────────────────────────────────────────┤ │Q1: What is DNSSEC and why is it important? │ │A1: │- DNSSEC adds cryptographic signatures to DNS records │- Protects against DNS cache poisoning and spoofing │- Ensures DNS responses come from legitimate authoritative server │- Does NOT provide confidentiality (no encryption) │- Creates chain of trust from root to leaf domains │ │─────────────────────────────────────────────────────────────────────────┤ │Q2: Explain the difference between ZSK and KSK. │ │A2: │- ZSK (Zone Signing Key): │ - Signs all zone records (A, MX, etc.) │ - Shorter key, rotated more frequently │ - Signed by KSK │ │- KSK (Key Signing Key): │ - Signs the DNSKEY record containing ZSK │ - Longer key, rotated less frequently │ - DS record in parent zone points to KSK │ - Provides separation of duties │ │─────────────────────────────────────────────────────────────────────────┤ │Q3: What is the chain of trust in DNSSEC? │ │A3: │Root → .com (TLD) → example.com → sub.example.com │ │Each zone: │- Has DNSKEY records (contains ZSK and KSK public keys) │- Signs its records with ZSK │- KSK is signed and DS record published in parent │- Parent's DS record validates child's KSK │- Child's DNSKEY validates child's ZSK │- ZSK validates all other records │ │─────────────────────────────────────────────────────────────────────────┤ │Q4: What are the main DNSSEC record types? │ │A4: │- DNSKEY: Public signing keys │- RRSIG: Digital signature for records │- DS: Hash of DNSKEY for parent zone │- NSEC/NSEC3: Proof of non-existence │- CDNSKEY/CDS: Child DS for dynamic updates │ │─────────────────────────────────────────────────────────────────────────┤ │Q5: How do you troubleshoot DNSSEC validation failures? │ │A5: │1. Verify zone is signed: dig +dnssec example.com │2. Check DS records: dig DS example.com │3. Verify chain: dig +sigchase example.com │4. Check trust anchors: named.conf dnssec-validation │5. Check key IDs match between DNSKEY and DS │6. Check for expired signatures │7. Use DNSViz for visual analysis │8. Check resolver logs │ │─────────────────────────────────────────────────────────────────────────┤ │Q6: What is the difference between NSEC and NSEC3? │ │A6: │- NSEC: Explicitly lists next secure domain │ - Proves non-existence by showing range │ - Allows full zone enumeration (security risk) │ │- NSEC3: Uses hashed domain names │ - Prevents zone enumeration │ - More privacy-friendly │ - Requires additional computation to verify │ │─────────────────────────────────────────────────────────────────────────┤ │Q7: How does DNSSEC validation work on the client side? │ │A7: │1. Client queries for example.com DNSKEY │2. Resolver returns DNSKEY + RRSIG │3. Resolver queries for DS record in parent zone │4. Validates chain: root → .com → example.com │5. Uses trust anchors (root DNSKEY) to validate │6. Returns response with AD (Authenticated Data) flag │7. Client checks AD flag (if validating resolver) │ │─────────────────────────────────────────────────────────────────────────┤ │Q8: What are the steps to enable DNSSEC for a domain? │ │A8: │1. Generate ZSK and KSK for zone │2. Sign zone with dnssec-signzone or auto-dnssec │3. Publish signed zone │4. Generate DS record from KSK │5. Submit DS record to parent zone (registrar) │6. Verify DS is published validation from client │ │─────────────────────────────────────────────────────────────────────────┤ │Q │7. Test9: What are the limitations of DNSSEC? │ │A9: │- No confidentiality (not encryption) │- Increases DNS response size (more round trips) │- Complexity in key management and rollover │- Not all TLDs support DNSSEC │- Some older devices don't support it │- Can cause validation failures if misconfigured │- Doesn't protect against DDoS │ │─────────────────────────────────────────────────────────────────────────┤ │Q10: How do you implement DNSSEC key rollover? │ │A10: │KSK Rollover: │1. Generate new KSK │2. Add to DNSKEY set (both old and new) │3. Update DS record in parent (point to new KSK) │4. Wait for DS propagation │5. Remove old KSK from DNSKEY set │ │ZSK Rollover: │1. Generate new ZSK │2. Add to DNSKEY set │3. Re-sign all records with new ZSK │4. Wait for old signatures to expire │5. Remove old ZSK │ │Use dnssec-settime and dnssec-signzone for manual rollover │ │└─────────────────────────────────────────────────────────────────────────┘Quick Reference
Section titled “Quick Reference”# Generate keysdnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.comdnssec-keygen -a RSASHA256 -b 4096 -n ZONE -f KSK example.com
# Sign zonednssec-signzone -A -3 <salt> -o example.com db.example.com
# Generate DS recorddnssec-dsfromkey Kexample.com.+008+12345.key
# Testdig +dnssec example.comdig +sigchase example.com
# Configurationdnssec-enable yes;dnssec-validation yes;Common Mistakes & Anti-Patterns
Section titled “Common Mistakes & Anti-Patterns”1. Not Uploading DS Record
Section titled “1. Not Uploading DS Record”❌ WRONG: Enabling DNSSEC but not configuring DS
# Sign zonednssec-signzone -A -3 <salt> -o example.com db.example.com
# But forgot to upload DS to registrar!# DNSSEC won't work!✅ CORRECT: Upload DS to registrar
# Generate DS recorddnssec-dsfromkey Kexample.com.+008+12345.key# Output: example.com. IN DS 12345 8 2 ABCDEF...
# Upload this to your registrar's DNSSEC settings2. Not Auto-Signing Zone
Section titled “2. Not Auto-Signing Zone”❌ WRONG: Manual signing only
# Manual signingdnssec-signzone -A -3 <salt> -o example.com db.example.com# Must re-sign manually!✅ CORRECT: Use automatic signing
options { dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;};
// zone filezone "example.com" { type master; file "db.example.com"; auto-dnssec maintain; inline-signing yes;};3. Key Rollover Without Planning
Section titled “3. Key Rollover Without Planning”❌ WRONG: Expired keys cause outage
// Keys about to expire// No rollover plan// Domain goes insecure!✅ CORRECT: Plan key rollovers
# Monitor key expiration# dnssec-keygen -S Kexample.com.+008+12345 -i 30# Generate new key 30 days before expiration4. Not Validating on Resolver
Section titled “4. Not Validating on Resolver”❌ WRONG: Clients can’t verify signatures
// Resolver not validatingoptions { dnssec-validation no; // Don't do this!};✅ CORRECT: Enable validation
options { dnssec-validation yes; // Enable validation dnssec-lookaside auto;};5. NSEC3 Without Proper Planning
Section titled “5. NSEC3 Without Proper Planning”❌ WRONG: Privacy issues with NSEC
// NSEC reveals all domain names// Privacy concern for some orgs✅ CORRECT: Use NSEC3 for privacy
// NSEC3 with opt-out for large zonesdnssec-keygen -a NSEC3SHA1 -b 2048 -n ZONE example.com// Or use NSEC for simple zonesSummary
Section titled “Summary”- DNSSEC: Cryptographic signatures for DNS
- Keys: ZSK (signs records), KSK (signs DNSKEY)
- Chain of Trust: Root → TLD → Domain
- Records: DNSKEY, RRSIG, DS, NSEC/NSEC3
- Validation: Enable in resolver, sign zone for authoritative
Next Chapter
Section titled “Next Chapter”Chapter 78: Postfix Mail Server
Last Updated: February 2026