Safe and Sound
When you leave your home, turn your key to lock the front door, and walk away, there is a peace of mind that everything within those walls just got a whole lot safer. You wouldn’t expect anyone else to gain access to your house with their keys and start messing up your stuff. If you secure your belongings and loved ones, why not protect your DNS as well? Ensuring that only verified queries can gain access to your records helps prevent DNS hijacking, which can send the requestor somewhere they may not have intended. This can be accomplished with DNSSEC.
Domain Name System Security Extensions, or DNSSEC for short, has been around for some time now, but it is becoming more widespread across the internet. The kind of attacks that precipitated the need for tools like DNSSEC have been well-known for some time, but received a lot of attention in 2008 due to researcher Dan Kaminsky. In order to counteract the problem, DNSSEC gives everyone on the Internet a way to authenticate data from the DNS: if one has an answer from the DNS, it contains all and only the data that it should according to the authoritative server. In short, it works by adding digital signatures to the data in the DNS.
Just as with your home, DNSSEC relies on keys to ensure a DNS query is validated. These “handshakes” between keys and signatures can occur across each step of a DNS query. When using Dyn’s Managed DNS platform, you will have the ability to enable DNSSEC for each of your zones. This completes the final link in the chain, between your domain and your DNS zone. Sound like a lot? Let’s break it down.
Say you registered the domain name “dnslover.com” because you are DNS’ biggest fan (We don’t blame you!) and you create a zone for “dnslover.com” on Managed DNS. To keep the link between your domain registration and your DNS secure, DNSSEC will need to be implemented on both sides. This starts with Managed DNS, where you can navigate to your zone and select the white “Zone Options” tab.
From there, you will see a selectable option for “DNSSEC.” The screen that appears won’t look like much yet. You will be provided options to edit when your keys will expire and set up notifications. If you’re unsure about what to do with these fields don’t worry, you can adjust those later. To see the real inner workings of DNSSEC we will need to select the magic blue “Add DNSSEC” button at the bottom of your screen.
Once DNSSEC is added, your screen will get a lot more exciting. You are now viewing all the bells and whistles that make DNSSEC the security measure that it is. As mentioned above, the goal here is to give our newly created key to the domain registration, allowing traffic between the two to be validated and more secure. While everything within the DNSSEC panel of Managed DNS has a purpose, let’s take a closer look at the information the domain registration will need. This is the “Delegation Signer Records” field, most commonly known as a DS record.
You will notice there are multiple records listed in the above field, each with a different digest type. This allows you to use the digest type that is compatible with your domain registrar. While the digest type may differ, the records share the same key tag, and as such refer to the same key. If your registrar is Dyn, you can visit our help site for more information on creating DS records. Otherwise, please reach out to your registrar for assistance creating this record.
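To see why several DS records can share one key tag, and to check that the DS record your registrar holds really matches the key in your zone, here is an added example (not Dyn’s code) that derives DS records from a DNSKEY the way RFC 4034 and RFC 4509 describe. The owner name, the 4-byte “public key” and the key parameters are constructed for illustration; a real key is far longer.

```python
"""Derive DS records from a DNSKEY and check them against what the registrar holds.
Added example, not Dyn's code. Key tag per RFC 4034 Appendix B; digest types
1 (SHA-1), 2 (SHA-256) and 4 (SHA-384) per RFC 4509 / RFC 6605."""
import base64
import hashlib

DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the whole RDATA (algorithm 1 / RSAMD5 uses a different rule, not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int) -> str:
    """Presentation-format DS: '<key tag> <algorithm> <digest type> <hex digest>'."""
    h = hashlib.new(DIGEST_ALGOS[digest_type])
    h.update(owner_wire(owner) + rdata)  # digest covers owner name + DNSKEY RDATA
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {h.hexdigest().upper()}"


def ds_matches(owner: str, rdata: bytes, registrar_ds: str) -> bool:
    """True only if the DS the registrar holds was derived from this DNSKEY and owner."""
    tag, alg, dtype, digest = registrar_ds.split()
    if int(dtype) not in DIGEST_ALGOS:
        return False
    return [tag, alg, dtype, digest.upper()] == ds_record(owner, rdata, int(dtype)).split()


# Constructed sample: a KSK (flags 257) for dnslover.com using algorithm 13
# (ECDSAP256SHA256) with a dummy 4-byte key so the key tag is easy to follow by hand.
SAMPLE_OWNER = "dnslover.com."
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, "AQIDBA==")

if __name__ == "__main__":
    for dt in DIGEST_ALGOS:  # one DS per digest type, all with the same key tag
        print(ds_record(SAMPLE_OWNER, SAMPLE_RDATA, dt))
```

Paste the DS line your registrar shows into `ds_matches` to confirm it was derived from the KSK in your zone before the parent publishes it.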
Stay in the Know
You’ve already done so much to secure your zone, but what’s next? You probably noticed in the screenshot above that there is an “expiration” field. When a key expires, it can cause severe resolution errors for your zone. One method for avoiding such an event is to set up DNSSEC notifications. With this feature Dyn Managed DNS can notify you when a key expires or give you warning when one is about to. Enabling notifications can be done from the same screen within your Managed DNS account, and is found at the bottom of the page.
You can select an existing contact from the dropdown. If you would like to create a new contact for your notifications, you may do so at any time. Just be sure to select the correct contact, notification times, and click “Update DNSSEC.”
Protect the Future, Now
We’ve added DNSSEC to your zone and domain registration, and configured notifications so that we are always informed about expiring keys. If you’re like us, you probably want to plan ahead so that you can solve problems before they ever arise. You are a fellow DNS lover after all! You may also create keys that will expire after the pre-created one. This will allow you to create DS records for both keys at your registrar, and can prevent any downtime that may occur when a key expires.
You can select the parameters for this new DS record in the “Key Signing Keys” field towards the top of the DNSSEC page. There you can add a new key and select the parameters and expiration you wish to use. You will want to make this new key expire after the old one, which is listed below. Just as with all changes to your DNSSEC, be sure to click the blue “Update DNSSEC” button at the base of the page.
Once added, your new keys will appear above your prior keys in the “Delegation Signer Records” field. You may add this new key to your domain registrar to have a valid key in place when the older one expires.
And voila! You are now fully equipped with DNSSEC, made another notch on your DNS toolbelt, and have taken the next step to prevent query hijacking. The internet thanks you.