DNSSEC 101 – intro how it works/my war stories
Session Topic: DNSSEC 101 (Intro: How it works? My War Stories!)
Thursday 1J
Convener: Jim Fenton
Notes-taker(s): Jim Fenton
Tags: DNSSEC, DNS, Security, Certificates
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
DNSSEC is a mechanism for cryptographically signing records in DNS to certify that they are authentic. Jim Fenton related his recent experience deploying DNSSEC, starting with verifying DNSSEC signatures and then moving on to signing a domain with DNSSEC.
One of the issues with DNSSEC is that it’s largely transparent to the user, so its benefit is not evident. One way to check the use of DNSSEC is to use a browser plug-in such as DNSSEC Validator.
DNSSEC doesn’t directly replace certificates and similar mechanisms for certifying identity, but it can be used with new technologies like DANE to secure other information that might be stored in DNS.
Resources:
DNSSEC Validator: http://www.dnssec-validator.cz
Internet Society Deploy360: http://www.internetsociety.org/deploy360/dnssec/
Jim’s war stories:
- https://altmode.wordpress.com/2014/04/09/adventures-with-dnssec-part-1-checking-signatures/
- https://altmode.wordpress.com/2014/04/17/adventures-with-dnssec-part-2-signing-my-domain/
OnTheMedia story about signing the root domain: