This week, we'll look at some of the maintenance tasks involved when running DNSSEC.
1. Periodic zone re-signing: this will most likely be dictated by a parent zone or organization. The reason for re-signing is that the longer signed records are available to the public, the greater the chance that your private key components could be cracked.
2. Key rollover: both the KSK and ZSK should be rolled over to new keys periodically. This is again due to records being available that may lead to the private keys being cracked. NIST recommends a 60-day (or so) rollover period for the ZSK and yearly for the KSK. The ZSK is more exposed to the public, hence the shorter rollover period.
There are two methods for key rollover: double-signing and pre-publish. Double-signing involves creating a new KSK, ZSK or both and signing with both the old and new keys. Then, after waiting at least a full TTL, re-sign the zone using only the new key(s).
Pre-publishing is sending the new public key(s) to your parent and signing with the new key(s) only after confirming the parent has published your public keys.
3. Key management: again, the private keys should be kept secure and offline if possible.
4. Firewall requirements: DNSSEC greatly increases the size of the packets that come back in a query response. See below:
A normal (non-DNSSEC) dig query for www.fbi.gov. Note the size of the CNAME line.
;; QUESTION SECTION:
;www.fbi.gov.                        IN      A

;; ANSWER SECTION:
www.fbi.gov.                300     IN      CNAME   www.fbi.gov.c.footprint6.net.
www.fbi.gov.c.footprint6.net. 230   IN      A       198.78.202.118
Now, a DNSSEC-enabled dig query for the same record. Again, pay attention to the CNAME line.
;; QUESTION SECTION:
;www.fbi.gov.                        IN      A

;; ANSWER SECTION:
www.fbi.gov.                259     IN      CNAME   www.fbi.gov.c.footprint6.net.
www.fbi.gov.                259     IN      RRSIG   CNAME 7 3 300 20121211184410 (
                                        20120912184410 58969 fbi.gov.
                                        wdRHrnOp53u8b4fs1vhV5YdAChNO/dsFQ3dxgyYoWKox
                                        nbA8Mez4q7hE0lWTM7JFqNBjF+7U2YKYPkPbMZHa1U0I
                                        2tbU690IYs3HVxONoiq61jPMz9Ox2693ZFNCl3xtuBCG
                                        +UWzXpwXFUcgTWz9qefx2kA/7CDZnMqnTq/nKSQ= )
www.fbi.gov.c.footprint6.net. 189   IN      A       198.78.202.118
As you can see, the CNAME answer from the DNSSEC-enabled query, now accompanied by its RRSIG record, is much larger than the non-DNSSEC answer. This can be an issue with firewalls that are not configured to allow DNS packets larger than 512 bytes to pass through.
Another potential firewall issue is that DNSSEC requires both UDP and TCP ports 53 to be opened.
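As an added example (not code from the original post), the following Python script ties items 1 and 4 together: it parses dig-style answer text, reports how many days remain before each RRSIG expires (the check that tells you re-signing is due), and estimates the uncompressed wire size of the answer section against the 512-byte limit discussed above. The sample input is the DNSSEC-enabled dig output shown above with the RRSIG signature joined back into a single field; the function names and the 7-day warning threshold are my own choices, not anything the post prescribes.

```python
"""Added example: RRSIG expiry monitoring and DNS answer size estimation.

Not from the original post. Parses dig-style presentation-format records
and (a) flags signatures that are close to expiring, (b) estimates how many
bytes the answer would occupy on the wire, uncompressed, so it can be
compared against the classic 512-byte UDP DNS limit.
"""
import base64
import re
from datetime import datetime, timezone

# Constructed sample: the DNSSEC-enabled answer section quoted in the post,
# with the multi-line RRSIG signature joined into one base64 field.
SAMPLE_ANSWER = """\
www.fbi.gov. 259 IN CNAME www.fbi.gov.c.footprint6.net.
www.fbi.gov. 259 IN RRSIG CNAME 7 3 300 20121211184410 20120912184410 58969 fbi.gov. wdRHrnOp53u8b4fs1vhV5YdAChNO/dsFQ3dxgyYoWKoxnbA8Mez4q7hE0lWTM7JFqNBjF+7U2YKYPkPbMZHa1U0I2tbU690IYs3HVxONoiq61jPMz9Ox2693ZFNCl3xtuBCG+UWzXpwXFUcgTWz9qefx2kA/7CDZnMqnTq/nKSQ=
www.fbi.gov.c.footprint6.net. 189 IN A 198.78.202.118
"""

# RRSIG presentation format (RFC 4034): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<type>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<sig>\S+)$"
)

CLASSIC_UDP_LIMIT = 512  # bytes, DNS over UDP without EDNS0


def parse_rrsig_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_status(answer_text, now_stamp, warn_days=7):
    """Return one dict per RRSIG line with days left until expiration and a
    'resign_due' flag set when fewer than warn_days remain.

    now_stamp uses the same YYYYMMDDHHMMSS format as the RRSIG fields so the
    check can be replayed against a fixed point in time.
    """
    now = parse_rrsig_time(now_stamp)
    results = []
    for line in answer_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue
        exp = parse_rrsig_time(m["exp"])
        inc = parse_rrsig_time(m["inc"])
        days_left = (exp - now).total_seconds() / 86400
        results.append({
            "owner": m["owner"],
            "type": m["type"],
            "keytag": int(m["keytag"]),
            "validity_days": (exp - inc).days,
            "days_left": days_left,
            "resign_due": days_left < warn_days,
        })
    return results


def wire_name_len(name):
    """Uncompressed wire length of a domain name: one length byte per label
    plus the label bytes, plus the terminating zero-length label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def answer_wire_size(answer_text):
    """Estimate the uncompressed wire size of an answer section in bytes.

    Each RR costs owner name + 10 fixed bytes (type, class, TTL, RDLENGTH)
    + RDATA. Only the record types present in the sample are handled.
    """
    total = 0
    for line in answer_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "A":
            rdlen = 4
        elif rtype in ("CNAME", "NS", "PTR"):
            rdlen = wire_name_len(rdata[0])
        elif rtype == "RRSIG":
            # 18 fixed RDATA bytes, then signer name, then the raw signature.
            signer, sig_b64 = rdata[7], "".join(rdata[8:])
            rdlen = 18 + wire_name_len(signer) + len(base64.b64decode(sig_b64))
        else:
            raise ValueError(f"unsupported record type: {rtype}")
        total += wire_name_len(owner) + 10 + rdlen
    return total


def message_size_estimate(answer_text, qname):
    """Whole-response estimate: 12-byte header + question (name + 4) + answers."""
    return 12 + wire_name_len(qname) + 4 + answer_wire_size(answer_text)


if __name__ == "__main__":
    for sig in rrsig_status(SAMPLE_ANSWER, "20121201000000"):
        print(f"{sig['owner']} RRSIG({sig['type']}) keytag {sig['keytag']}: "
              f"{sig['days_left']:.1f} days left, re-sign due: {sig['resign_due']}")
    size = message_size_estimate(SAMPLE_ANSWER, "www.fbi.gov.")
    print(f"estimated response size: {size} bytes "
          f"({'exceeds' if size > CLASSIC_UDP_LIMIT else 'fits in'} 512-byte UDP)")
```

Run against the sample, the script shows a 90-day signature validity window and a response of roughly 300 bytes, so this particular CNAME answer still fits in a classic UDP packet; it is larger answers, such as a zone's DNSKEY set with its signatures, where the 512-byte limit is typically hit and a firewall that drops large UDP DNS or blocks TCP/53 starts causing resolution failures.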
That about covers maintenance. Next week will be a surprise for us both, since I am about done with DNSSEC...