SixXS::Sunset 2017-06-06

How do I secure my reverse delegation with DNSSEC?

How to use DNSSEC to secure my reverse delegation

We suggest using DNSSEC Tools and reading their excellent tutorial on how to use zonesigner for DNSSEC. Other good reads are "DNSSEC in 6 minutes" and Deploying DNSSEC Using BIND by Alan Clegg of ISC.

At some point you will end up with a file named 'dsset-<zone>' (this is what dnssec-signzone, and therefore zonesigner, writes next to the signed zone), which looks somewhat like:

0.0.b.0.8.b.d.0.1.0.0.2.ip6.arpa. IN DS 27631 5 1 837F6A11FCF44F1796DAC9E83988E0EAA5553F24
0.0.b.0.8.b.d.0.1.0.0.2.ip6.arpa. IN DS 27631 5 2 FD80C2FBB078C97896412FA79F2E4131892CA564115DAB17D41391C8 78BAF477

That is the data you need to provide in the Subnet Configuration (follow the link in the Subnet list in your home). Enter only what follows the "DS", that is, the RDATA: key tag, algorithm, digest type and digest. In the example above, 27631 is the key tag, 5 is the algorithm (RSA/SHA-1), and the digest type is 1 (SHA-1) for the first record and 2 (SHA-256) for the second. You would thus fill in "27631 5 1 837F6A11FCF44F1796DAC9E83988E0EAA5553F24" and "27631 5 2 FD80C2FBB078C97896412FA79F2E4131892CA564115DAB17D41391C8 78BAF477" as the two DS records. The space inside the second digest is only line wrapping by the signer; whitespace inside a DS digest is allowed and ignored.

How do I validate it?

DNSSEC validation can be performed by any software that supports it. This means a browser could do so (Chrome has experimented with this), but more commonly a recursive DNS resolver serving a large number of clients validates the answers it receives and rejects (returns SERVFAIL for) those that fail validation.

Please read the document written by SURFnet called Deploying DNSSEC for more details on how to configure various DNS recursors to perform DNSSEC validation.

But there is no trust-chain from the root!

Unfortunately, even though the .arpa zone itself supports DNSSEC, the intermediate zones between it and our reverse zones, operated by the various ISPs from which we obtain address space, are not signed yet. There is therefore no unbroken chain of trust from the root down to our zones.

With DLV (DNSSEC Look-aside Validation, RFC 5074) a validating resolver can obtain the trust anchor for our zones from a look-aside registry instead, bypassing the requirement that every zone from the root down to ours be signed.

Note that dlv.isc.org is shutting down, which is why we have disabled signing of our zones. SixXS does still publish entered DS records though.

What does SixXS use in the background?

For serving the DNS zones we use NLnet Labs' NSD. The DS records entered by users are stored in a database, which is checked for changes every 5 minutes. When something has changed, we generate a normal BIND-format zone text file (unsigned, now that we have disabled signing) and synchronize it to our NSD instances at ns{1|2|3}.sixxs.net.

What algorithms are supported?

See the table below for the combinations of signing algorithm and DS digest type that we accept when registering DS (Delegation Signer) records.

Algorithm ID  Algorithm name                  Note                              DS digest type
                                                                                (1) SHA-1  (2) SHA-256  (3) GOST R 34.11-94  (4) SHA-384
1             RSA/MD5                         Deprecated                        -          -            -                    -
2             Diffie-Hellman                  Can't be used for zone-signing    -          -            -                    -
3             DSA/SHA1                                                          Y          Y            -                    -
4             Elliptic Curve                  Reserved but not specified        -          -            -                    -
5             RSA/SHA-1                                                         Y          Y            -                    -
6             DSA-NSEC3-SHA1                                                    Y          -            -                    -
7             RSASHA1-NSEC3-SHA1                                                Y          -            -                    -
8             RSA/SHA-256                                                       -          Y            -                    -
10            RSA/SHA-512                                                       -          -            -                    -
12            GOST R 34.10-2001                                                 -          -            -                    -
13            ECDSA Curve P-256 with SHA-256                                    -          Y            -                    -
14            ECDSA Curve P-384 with SHA-384                                    -          -            -                    Y
252           Indirect Keys                   Reserved, not specified yet       -          -            -                    -
253           Private Algorithm - Domain      Privately defined - unknown       -          -            -                    -
254           Private Algorithm - OID         Privately defined - unknown       -          -            -                    -

The combinations marked "Y" are the ones our system accepts; any other combination is rejected at registration. Where you have the choice, prefer a SHA-256 (digest type 2) DS record over a SHA-1 (digest type 1) one. Comments and questions are of course welcome at the contact address.
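As an added example (this is not code from the SixXS page or its backend), the following Python shows the two halves of what the "dsset" section and the table above describe: building DS RDATA from a DNSKEY the way RFC 4034 section 5.1.4 prescribes (SHA-1/SHA-256/SHA-384 digest over the canonical owner name plus the DNSKEY RDATA, key tag per RFC 4034 Appendix B), and checking a DS RDATA string as typed into the form: the (algorithm, digest type) pair must be one the table accepts, the digest must have the length that digest type implies, and whitespace inside a wrapped digest is tolerated. The DNSKEY public key bytes used below are constructed, not a real key; the function names are mine, not SixXS's.

```python
"""Build and check DS records for a reverse (ip6.arpa) zone. Added example."""
import hashlib
import struct

# (algorithm, digest type) pairs accepted per the table above (constructed from it).
SUPPORTED_DS = {
    (3, 1), (3, 2),      # DSA/SHA1
    (5, 1), (5, 2),      # RSA/SHA-1
    (6, 1),              # DSA-NSEC3-SHA1
    (7, 1),              # RSASHA1-NSEC3-SHA1
    (8, 2),              # RSA/SHA-256
    (13, 2),             # ECDSA P-256 with SHA-256
    (14, 4),             # ECDSA P-384 with SHA-384
}

# DS digest type -> (hash constructor, digest length in bytes); RFC 4034, 4509, 6605.
DIGESTS = {1: (hashlib.sha1, 20), 2: (hashlib.sha256, 32), 4: (hashlib.sha384, 48)}

HEX = set("0123456789ABCDEFabcdef")


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name: length-prefixed labels, root byte."""
    if name in (".", ""):
        return b"\x00"
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type):
    """DS RDATA text 'keytag algorithm digesttype HEX' per RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher, _ = DIGESTS[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type, digest)


def check_ds(rdata_text):
    """Return (ok, reason) for a DS RDATA string as it would be entered into the form."""
    fields = rdata_text.split()
    if len(fields) < 4:
        return False, "need key tag, algorithm, digest type and digest"
    try:
        tag, alg, dtype = (int(f) for f in fields[:3])
    except ValueError:
        return False, "key tag, algorithm and digest type must be integers"
    digest = "".join(fields[3:])           # signers wrap long digests with spaces
    if not 0 <= tag <= 0xFFFF:
        return False, "key tag out of range"
    if (alg, dtype) not in SUPPORTED_DS:
        return False, "algorithm %d with digest type %d is not accepted" % (alg, dtype)
    want = DIGESTS[dtype][1] * 2
    if len(digest) != want or any(c not in HEX for c in digest):
        return False, "digest must be %d hex characters for digest type %d" % (want, dtype)
    return True, "ok"


if __name__ == "__main__":
    # Constructed key material: a 4-byte "public key" on the page's example owner name.
    owner = "0.0.b.0.8.b.d.0.1.0.0.2.ip6.arpa."
    ds = make_ds(owner, 257, 3, 8, b"\x01\x02\x03\x04", 2)
    print(ds, check_ds(ds))
    # The page's own first DS record (RSA/SHA-1 key, SHA-1 digest) passes the check.
    print(check_ds("27631 5 1 837F6A11FCF44F1796DAC9E83988E0EAA5553F24"))
    # An RSA/SHA-256 key with a SHA-1 digest is a combination the table rejects.
    print(check_ds("27631 8 1 837F6A11FCF44F1796DAC9E83988E0EAA5553F24"))
```

The length check is what catches the most common copy-and-paste mistake (a digest truncated at a line wrap); joining all trailing fields before checking it is what lets the wrapped second record from the dsset file pass unchanged.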

Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker