DNS Security

I have always been adept of DJB, sharing his ideas and attitude to ISC products. I still share attitude, and I eager to support new technologies. Indeed. However DJB dns server, despite being neat, light and efficient - does not support many of new stuff. Including IPv6. And DNSSEC. Ok, I know about that amplification and other stuff, however it is here, and now, and works.

Hence I removed djb stuff and after searching the net came to conclusion to use NLnet Labs stuff - those guys are realy keeping the track of the bleeding edge. So I ended up with NSD and Unbound. However, being curious of how all this kitchen works I left opendnssec aside - I'm not going to manage complex site, provide dnssec services or whatever, I just interested in securing my own zone.

But no, it does not mean I've chosen the side, it merely means I've decided to use both technologies for protection, dnscurve authentication and encryption with DNSSEC data authentity and integrity. And yes, dnscurve is more experimental for me, since I will not remove non-curved masters. You see, I didn't find any secondary dns provider supporting dnscurve. Moreover, I can hardly imagine such service. While with DNSSEC I am the master of the zone, and secondaries are just replaying my keys, with dnscurve secondaries are authorities of their keys.


So - I've written an article on sixx's wiki hence will not repeat here configuration details.

General approach is quite simple -

  • setup master NSD DNS,
  • create zones,
  • create working directory where you'll keep your keys,
  • put there script and Makefile
  • run make - it should generate keys and sign zones

Do not forget that NSD should point to signed zones. Then register in ISC and create DLV - if your zone does not yet have signed root. Otherwise publish your DS to registrator - DS will be generated together with keys.

Slave NSD will axfr whatever your master serves, so that's an easy part.

DNS Curve?

Sat Feb 12 05:34:11 2011 Upd.: Fri Aug 16 21:35:53 2013
© ruff 2011