Making real use of DNSSEC: DANE

By now we can safely say that DNSSEC as a standard is here to stay. It may not be pretty or completely practical, but it is possible to implement it relatively easily. DNSSEC provides a little bit more assurance on the integrity of the DNS query results. This extra assurance does enable some other interesting applications, to increase the integrity of other systems. This is done through the standard called DANE: DNS-based Authentication of Named Entities. In this post I’ll walk through a couple of examples.

Update 23/7/2015:  Added email TLSA record instructions

Update 23/7/2015:  Corrected email TLSA record instructions

Continue reading

DNSSEC Key Rollovers Explained

In an earlier post I explained the idea of DNSSEC how to generate keys and sign your DNS zone. In this post I will walk you through the rollover methods as described in RFC 6781. You should understand the rollover process so that you can securely run your zone. This way you can  replace the key in a secure manner when necessary, without service interruptions.

In the earlier post I explained that there are two sets of keys for most DNSSEC signed zones, a Key Signing Key (KSK) and a Zone Signing Key (ZSK). The ZSK is used most often, and should be replaced about yearly, and is also the easiest to replace. Once that process is explained, it is easier to understand how to rollover a KSK also. Continue reading

Making DNSSEC More Accessible

I have previously written about DNSSECs “failure”. I tried to draw attention to the absence of simple documentation for implementing DNSSEC properly using simple tools. The steps to implement it are not that difficult, but without proper tools and documentation, nobody is going to find out. My previous post became subject of heated debates, and I have also been invited by NLNetLabs to discuss how we can improve the situation. The post below is meant to shed some light on the matter.

Continue reading

Improving Dnsmasq

Besides having critique on DNS I also try to improve things, both for DNS as well as for the Internet as a whole. Just a few weeks ago I contacted the Dnsmasq community to improve it. The new release is available now for testing and hopefully released soon.

Continue reading