DNSSEC configuration

From ISPWiki
Jump to: navigation, search

DNSSEC is a set of security extensions to DNS that provides the means for authenticating DNS records. It allows to prevent malicious activities like cache poisoning, phishing, and other attacks.

The purpose of DNSSEC is to protect Internet clients from counterfeit DNS data by verifying digital signatures embedded in the data.

How it works

DNSSEC creates a specific record with a digital signature for every resource record. The key peculiarity of a digital signature is the use of public key cryptography to ensure that DNS records are authentic. Every member of the system can check the signature, however only those having the secret key can sign new or modified data.

Public keys are published as a DNSKEY resource record along with other resource records. A sequence of records that identifies public keys is called a chain of trust. The key authenticity is checked with its digests (fingerprint, hashes) that are sent to the parent zone as DS-records. Digests of the parent zone public keys are also sent to the corresponding parent zones. The chain of trust is built up to the root zone which public key and digests are published in the official documents of ICANN.

DNSSEC uses 2 types of keys:

  • ZSK (Zone Signing Key) — this key is used to sign records within the zone;
  • KSK (Key Signing Key) — this key is used to sign keys.

You can specify an algorithm, key length, and update period for every type. The keys will be generated with the specified parameters.

Currently, DNSSEC allows to specify only identical algorithm for keys.

Normally, KSK uses larger values of the key length and update period than ZSK:

  • A ZSK-key is used every time the domain zone is modified or updated. Using a short key makes it easier to sing a domain, and a short update period ensures a high level of security;
  • KSK-keys are used only to sign the keys, that's why they are used not so often as ZSK. A long key does not affect the efficiency. Besides, it is safe to specify a long update period for a long key. A long update period of KSK-keys allows to send DS-records to the parent zone more rarely.

To avoid DNSSEC key compromising, the keys are updated. According to the standard practice (RFC7583 and RFC6781) the keys are updated in steps so that slave servers and DNS caching servers have enough time for synchronization with the primary DNS server.

KSK is updated based on the algorithm Double-DS:

  1. DS-records of a new KSK-key is published in the parent zone. In ISPmanager the next KSK-key is created right after the domain is signed or the old KSK-key is removed. A user may publish the DS-record of the new key beforehand. To update the KSK-key correctly in ISPmanager, you need to publish the DS-record of the new key in the parent zone one month before the KSK-key is updated;
  2. Changing the KSK-key. The active KSK-key is changed into a new one. In ISPmanager the key is changed 2 weeks before the KSK-key is updated;
  3. Removing DS-records of the old key from the parent zone. ISPmanager generates a new key allowing users to perform the required operations in the parent zone: delete the DS-record of the old key and add the DS-records of a new key.
Double-DS KSK Rollover

ZSK is updated based on the algorithm Pre-Publication:

  1. Creating and publishing a new ZSK-key in the domain zone. This operation is performed in ISPmanager 2 weeks before the key is changed. A new key is not used for signing the domain;
  2. Changing the ZSK-key. A newly published ZSK-key is get activated. The old ZSK-key is no longer used for signing domains;
  3. Deleting the old passive ZSK-key. This operation is performed 2 weeks after the ZSK-key was changed.
pre-publish ZSK Rollover

Activating DNSSEC

DNSSEC can be activated for the following DNS-servers:

  • Bind starting from version 9.8.4;
  • PowerDNS starting from version 3.2.

Note: Debian 7 standard repository contains PowerDNS 3.1.

Note: PowerDNS up to version 4 does not fully support CAA-records. So, signing a domain name with DNSSEC on a DNS-server with PowerDNS before version 4 can make CAA-records inaccessible.

To enable DNSSEC and configure the domain key settings, navigate to "Domains" -> "Domain names" -> select a domain -> click "Settings" -> select the "DNSSEC support" check box. This feature is available only for Administrators.

DNSSEC key parameters
  • DNSSEC support — enable DNSSEC for the selected domain zone;
  • Key signing key (KSK):
    • Algorithm ­— select a key generation algorithm:
      • Outdated algorithms:
        • 5 — RSA/SHA-1;
        • 7 — RSASHA1-NSEC3-SHA1;
      • Modern algorithms:
        • 8 — RSA/SHA-256;
        • 10 — RSA/SHA-512;
        • 12 — GOST R 34.10-2001;
      • Newest algorithm:
        • 13 — ECDSA Curve P-256 with SHA-256;
        • 14 — ECDSA Curve P-384 with SHA-384.
    • Key length — enter the KSK-key length (in bites);
    • Renewal period — set the period in months that will pass before a new key will be generated.
  • Zone signing key (ZSK):
    • Algorithm ­— select a ZSK key generation algorithm. It must match the KSK-key generation algorithm:
      • Outdated algorithms:
        • 5 — RSA/SHA-1;
        • 7 — RSASHA1-NSEC3-SHA1;
      • Modern algorithms:
        • 8 — RSA/SHA-256;
        • 10 — RSA/SHA-512;
        • 12 — GOST R 34.10-2001;
      • Newest algorithm:
        • 13 — ECDSA Curve P-256 with SHA-256;
        • 14 — ECDSA Curve P-384 with SHA-384.
    • Key length — enter the length of the ZSK-key in bites;
    • Renewal period — set the period in months that will pass before a new key will be generated.

Email notification

When activating DNSSEC protection you need to publish and update the DS-record in the parent zone manually. DNSSEC email notifications will inform you about new DS-records you need to publish.

Navigate to "Settings" -> "Email notifications " -> select the "DNSSEC notifications " check box

DNSSEC email notifications

Enabling DNSSEC for a domain

DNSSEC activation involves several steps:

  • the system checks the maximum TTL in the domain zone;
  • signs the domain zone;
  • generates a chain of trust.

Checking the maximum DNS TTL

The maximum DNS TTL must be less than 2 weeks. The default value is 3 hours.

To set the maximum TTL, navigate to "Domains" -> "Domain names" -> select a domain -> click "Records" -> "TTL, sec".

Signing domain zone

To sign a domain zone, go to "Domains" -> "Domain names" -> select a domain -> click "Edit" -> enable "Sign domain".

Signing a domain zone

The system will start a background process to sign the domain zone. KSK and ZSK will be generated according to the specified parameters. When signing the domain zone, you will see the corresponding icon in the "Status" column. You cannot "Edit" or "Delete" the domains during that process.

In a few seconds refresh the "Domain names" page.

Once the system signs the domain zone:

  • you will see the notification icon in the "Status" column;
  • The "Unpublished DS-records" banner in the panel interface;
  • The "DNSSEC" button will become active for the domain.
The domain zone is signed, but DS-records has not been published

Creating a chain of trust

To create a chain of trust, you need to transfer DS-records (or even DNSKEY-records KSK, depending on a registrar) into the parent zone. You can see the information about the main key parameters and their DNSKEY and DS records in "Domains" -> "Domain names" -> select a domain -> click "DNSSEC" "DNSSEC patrameters":.

Signing a domain zone
  • DNSSEC status;
  • Key algorithm — KSK and ZSK key generation algorithm;
  • KSK parameters:
    • Key update date — date when the current KSK-key was generated;
    • Update period (months) — period in month that will pass before a new key will be generated;
    • Key lengths — KSK-key length, in bites.
  • DS-records — DS-records in the domain zone. Key verification is performed with its digests (fingerprint, hashes) that are sent as DS-records to the parent zone.
The following data are displayed for every DS-record:
  • Start of record — beginning of the DS-record;
  • Tag — KSK-key identifier;
  • Algorithm — encryption digest identifier;
  • Digest type — digest type identifier;
  • Digest — digest content.
  • Show DNSKEY — click the button to see a table with DNSKEY-records. The following data are shown for every record DNSKEY-record:
  • Start of record — beginning of the DNSKEY-record;
  • Flags — key type identifier;
  • Protocol — DNSSEC protocol number;
  • Algorithm — encryption algorithm identifier;
  • Public key — public part of the key;
  • Tag — KSK-key identifier.

DS-records are sent in one of the following ways:

  1. Add records in the domain control panel interface on a registrar side. You need to copy the DS-records from ISPmanager. If records should be added in the form of strings on the registrar side, you need to group the values of all columns of the DS-record table in ISPmanager. Do not forget to add spaces between them.
  2. If the domain zone is located along with the parent zone on the same sever managed by ISPmanager or DNSmanager, on the"DNSSEC parameters" page you will see the "Send DS-records to the parent zone" button. Click the button to pass the DS-records.
  3. If the domain is the parent for the domain on the remote server, DS-records of the child domain will be created on the parent the same way as other resource records.
Adding a DS-record of the child domain
  • Name — name of the child domain that the record belongs to;
  • TTL — record information update time;
  • Type — record type. Select "DS (DNSSEC key digest)";
  • Key tag — KSK-key identifier
  • Algorithm ­— KSK-key generation algorithm:
    • 3 — DSA/SHA-1;
    • 5 — RSA/SHA-1;
    • 6 — DSA-NSEC3-SHA1;
    • 7 — RSASHA1-NSEC3-SHA1;
    • 8 — RSA/SHA-256;
    • 10 — RSA/SHA-512;
    • 12 — GOST R 34.10-2001;
    • 13 — ECDSA Curve P-256 with SHA-256;
    • 14 — ECDSA Curve P-384 with SHA-384;
    • 15 — Ed25519;
    • 16 — Ed448.
  • Digest type — digest generation algorithm:
    • Outdated digests:
      • 1 — SHA-1;
    • Modern digests:
      • 2 — SHA-256;
      • 3 — GOST R 34.11-94;
    • The most secure digest:
      • 4 — SHA-384.
  • Digest — digest contents

Once in 24 hours ISPmanager checks DS-records in the parent zone. At least one DS-record for every KSK must be sent. Once completed, the warning in the Status column will change into the icon confirming that the domain is protected with DNSSEC:

Disabling DNSSEC for a domain

If the keys are compromised, you need to sign the domain zone with new keys. To do so, disable DNSSEC protection:

  • delete all the DS-records from the parent domain zone and wait for several hours
  • delete the domain signature in "Domains" -> "Domain names" -> select a domain -> "Edit" -> select the"Delete record" check box.

Disabling DNSSEC

Before disabling DNSSEC you need to delete DS-records of all signed domain from their parent zones. Otherwise, the domains will stop working.

To disable DNSSEC navigate to "Domains" -> "Domain names" -> "Settings" -> clear the "DNSSEC support" check box. Only Administrators can disable this option.

Once completed, the system will un-sign all the domain names and delete their keys.


When you set up DNSSEC, the package size will be enlarged. Please note:

  • when exceeding 512 bytes, DNS will use TCP. Some routers do not allow to run DNS through TCP (port 53 is closed);
  • when exceeding the MTU limit, DNS will be filtered. MTU is the maximum transmission unit of one package that can be transmitted without fragmentation. The optimum MTU size is 1500 bytes.