FAQ : DNS : How do I secure my reverse delegation with DNSSEC?
How to use DNSSEC to secure my reverse delegation
We suggest using DNSSEC Tools and reading their excellent tutorial on using zonesigner for DNSSEC. Other good reads are "DNSSEC in 6 minutes" and "Deploying DNSSEC Using BIND" by Alan Clegg of ISC. At some point in the signing process you will end up with a file called 'dsset-<zone>' which looks somewhat like:
0.0.b.0.8.b.d.0.1.0.0.2.ip6.arpa. IN DS 27631 5 1 837F6A11FCF44F1796DAC9E83988E0EAA5553F24
That is the data you need to provide in the Subnet Configuration (follow the link in the Subnet list in your home). Enter only the part after "DS", that is, the actual RR-data: key tag, algorithm, digest type and digest. For the example above one would fill in "27631 5 1 837F6A11FCF44F1796DAC9E83988E0EAA5553F24" and "27631 5 2 FD80C2FBB078C97896412FA79F2E4131892CA564115DAB17D41391C878BAF477" as the two DS records (digest type 1 is SHA-1, digest type 2 is SHA-256; both refer to the same key, hence the same key tag 27631).
How do I validate it?
DNSSEC validation can be done by any software that supports it. This means that a browser can do it (e.g. Chrome does), but also that a recursive DNS resolver serving a large number of clients can reject an answer that fails the DNSSEC validation it performs. Please read the document written by SURFnet called Deploying DNSSEC for details on how to configure various DNS recursors to perform DNSSEC validation.
But there is no trust chain from the root!
Unfortunately, even though the .arpa zone supports DNSSEC, the intermediate zones at the various ISPs (the delegations between ip6.arpa and your reverse zone) are not signed yet, so there is no chain of trust from the root down to your zone. With DLV (DNSSEC Look-aside Validation) one can work around the requirement of a signed chain all the way down from the root. Note that dlv.isc.org is shutting down, which is why we have disabled signing of our zones. SixXS does still publish the DS records you enter.
What does SixXS use in the background?
For serving the DNS zones we use NLnet Labs' NSD. The DS records entered by users are stored in a database, which is checked for changes every 5 minutes. When there is a change, we generate a normal (unsigned) BIND-format zone text file. The resulting zone file (no longer signed, see above) is then synchronized to our NSD instances at ns{1|2|3}.sixxs.net.
What algorithms are supported?
See the table below for the combinations of algorithms and digest types that we accept when registering DS (Delegation Signer) records.
The combinations marked "Y" (in green) are supported by our system; all others are rejected at registration. Comments and questions are of course welcome at the contact address.
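The following is an added example (not code from the SixXS FAQ, from DNSSEC Tools or from NSD) showing what the RR-data you enter above actually is: per RFC 4034 the DS digest is computed over the canonical wire form of the owner name followed by the DNSKEY RDATA, and the key tag over the RDATA alone. It lets you check, before pasting DS records into the Subnet Configuration, that a pair of DS records (digest types 1 and 2, the two types in the example above, and the combinations the algorithm table talks about) really match the key-signing key in your zone. The DNSKEY used here is a constructed dummy with a four-byte public key, not a real key; the owner name is the one from the example above; all function and class names are this example's own.

```python
import base64
import hashlib
import hmac
from typing import NamedTuple

# RFC 4034 / RFC 4509 digest types: 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


class DNSKey(NamedTuple):
    """The four RDATA fields of a DNSKEY RR as they appear in a zone file."""
    flags: int        # 257 = zone key with SEP bit set, i.e. a KSK
    protocol: int     # always 3
    algorithm: int    # e.g. 5 = RSASHA1, as in the FAQ example
    pubkey_b64: str   # the base64 public key


# Constructed sample input (not a real key): the owner name from the FAQ example
# and a dummy KSK whose "public key" is just the bytes 01 02 03 04.
OWNER = "0.0.b.0.8.b.d.0.1.0.0.2.ip6.arpa."
SAMPLE_KSK = DNSKey(flags=257, protocol=3, algorithm=5, pubkey_b64="AQIDBA==")


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(key: DNSKey) -> bytes:
    """DNSKEY RDATA on the wire: flags (2 bytes) | protocol | algorithm | public key bytes."""
    return (key.flags.to_bytes(2, "big")
            + bytes([key.protocol, key.algorithm])
            + base64.b64decode(key.pubkey_b64))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKey, digest_type: int) -> str:
    """The DS RR-data for this key: 'keytag algorithm digesttype hexdigest' (everything after 'DS')."""
    rdata = dnskey_rdata(key)
    digest = DIGEST_ALGS[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), key.algorithm, digest_type, digest)


def parse_ds(rrdata: str):
    """Split DS RR-data; the hex digest may be broken by whitespace in presentation form."""
    fields = rrdata.split()
    if len(fields) < 4:
        raise ValueError("DS RR-data needs key tag, algorithm, digest type and digest")
    tag, alg, dtype = (int(f) for f in fields[:3])
    return tag, alg, dtype, "".join(fields[3:]).upper()


def ds_matches_dnskey(ds_rrdata: str, owner: str, key: DNSKey) -> bool:
    """True if the DS RR-data is exactly what this DNSKEY at this owner name should produce."""
    tag, alg, dtype, digest = parse_ds(ds_rrdata)
    if dtype not in DIGEST_ALGS:
        return False                      # unknown digest type: cannot be checked, reject
    e_tag, e_alg, e_dtype, e_digest = parse_ds(make_ds(owner, key, dtype))
    return (tag, alg) == (e_tag, e_alg) and hmac.compare_digest(digest, e_digest)


if __name__ == "__main__":
    for dtype in (1, 2):
        ds = make_ds(OWNER, SAMPLE_KSK, dtype)
        print("%s IN DS %s" % (OWNER, ds))
        print("  matches DNSKEY:", ds_matches_dnskey(ds, OWNER, SAMPLE_KSK))
```

To use it on your own zone, put the flags, protocol, algorithm and base64 key of the DNSKEY RR from your signed zone file into DNSKey and compare the output with the lines in dsset-<zone>; the check deliberately compares the key tag and algorithm as well as the digest, since a DS with the right digest but the wrong key tag will not be used by validators. Also make sure the key you hash is the KSK (flags 257, SEP bit set): a DS that points at a zone-signing key validates, but it has to be re-entered at SixXS every time that key rolls.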