For engineers and administrators
DNS is an open system based on shared responsibility. This has been an important prerequisite for the rapid spread of the internet across the globe. But it also means that the quality of the service depends on each and every one who operates DNS servers on the internet. At IIS, we strive for a robust internet infrastructure with a high-quality domain name system.
To help engineers and administrators increase the quality of their part of the system, IIS has, among other things, developed the DNSCheck tool. We also perform a health check of the .se domain every year and publish a report on it. Furthermore, we actively work to spread DNSSEC, the security extensions to DNS that let resolvers detect forged answers and thereby defeat attacks such as cache poisoning.
In the subsections here, those responsible for DNS operations can find useful information and tools that help sustain a high service quality.
Together with Afnic, IIS has developed the DNS testing tool Zonemaster. The goal is that the partnership will result in Zonemaster becoming the de facto standard for DNS tests.
Zonemaster is a program designed to help people check, measure and hopefully better understand how DNS, the domain name system, works.
How it works
Zonemaster consists of three main parts: the engine (the code that performs all tests), a command line interface (CLI) and a web interface. When a domain (the zone) is submitted to Zonemaster, the program examines the domain's state of health by traversing the DNS from the root (.) to the TLD (top level domain, for example .NET) and finally to the name servers that hold the data for the specific domain (for example zonemaster.net). Zonemaster also performs many other tests, all of which are documented in the Test Requirements document.
Because Zonemaster is accessible to everyone, anyone can also test your domain and see the test history for it. There is, however, no way to see who ran a test, since the only thing logged is the date on which the test was done.
Zonemaster is the result of a cooperation between IIS (registry for the TLDs .se and .nu) and AFNIC (registry for the TLD .fr and the smaller TLDs belonging to France). More information: http://zonemaster.se/.
The DS record (Delegation Signer) is a cryptographic digest of a public key (a DNSKEY record) and is what is stored in the .se zone, while the public key itself is published in the zone of the domain name holder. A validating resolver uses the DS in the parent to verify the child's key, which is what ties the child zone into the chain of trust. The interface lets you choose which of the public keys (DNSKEY) published in the holder's own domain shall be published as DS records in the .se zone and the .nu zone (as well as which keys not to publish).
Managing DS records in the Domain Manager is done in the ”Domains” view, under the ”DNSSEC” tab. Please note that the tab is visible only for domains for which the additional service DNSSEC has been ordered (see above). As a user you choose the keys for which DS records are to be published in the .se zone and the .nu zone by ticking the box for each key.
Subscribe to important information
You can subscribe to important information, including key changes and other important news, from firstname.lastname@example.org for .se and from email@example.com for .nu. To subscribe, visit: http://lists.iis.se/mailman/listinfo/dnssec-announce
Via the service DNSCheck, IIS gives everyone interested the possibility to test their domains, including the DNSSEC setup. You find the service here: http://dnscheck.iis.se
ZKT (Zone Key Tool) is a simple tool that makes key management and DNSSEC administration of your domains easier. The documentation for ZKT is somewhat sparse, and this document is an introduction to how ZKT can be used.
ZKT is a project managed by Holger Zuleger, and the project website is here: http://www.hznet.de/dns/zkt/
Install ISC BIND, the name server software; ZKT uses its dnssec-keygen and dnssec-signzone utilities. Version 9.4 or later is recommended. Recommendation: do not mix the authoritative name server function and the caching resolver in the same instance of BIND; run them as separate instances so that a problem with one cannot affect the other.
Add a user and directory structure
- Add a user called zkt with its own home directory for running ZKT. Everything in this document is done as this user unless stated otherwise.
- Create the directory structure that will hold the zone files and their keys. Below is an example of a structure that works well.
$HOME/bin/                 contains the programs dnssec-zkt, dnssec-signer and dnssec-soaserial
$HOME/zones/               contains all files that are managed by ZKT
$HOME/zones/dnssec.conf    the ZKT configuration (your DNSSEC policy)
$HOME/zones/example.se/    contains the files zone.db and zone.db.signed
The directory $HOME/bin/ is the standard installation directory for ZKT.
The zone file zone.db must contain the line “$INCLUDE dnskey.db”, or else the zone will not be signed: ZKT writes the current DNSKEY records to dnskey.db and relies on that include to get them into the zone.
Initially zone.db.signed is an empty file. It acts as a marker telling ZKT that the zone is to be signed; directories without it are ignored. After signing, the signed zone is written to zone.db.signed, and that is the file BIND should load. In the original file, zone.db, only the serial number is changed. Use zone.db when making changes to the content of the zone.
Compile and install ZKT
Get the source code for ZKT here: http://www.hznet.de/dns/zkt/
After unpacking the source code, edit the file config.h so that it matches the system ZKT is installed on. You will probably have to change the constant BIND_UTIL_PATH to point to where the BIND tools (dnssec-keygen, dnssec-signzone) are installed.
After compiling and installing ZKT with make and make install, check that the programs dnssec-zkt, dnssec-signer and dnssec-soaserial are installed in $HOME/bin. Copy one of the dnssec.conf files from the examples directory to $HOME/zones.
Configure ZKT with a DNSSEC policy
Edit the file dnssec.conf and choose appropriate values for signing intervals, key lengths, algorithms and key lifetimes, all according to your DNSSEC policy.
KeySetDir can be set to ”.”
Set ErrorLog to the path where the log file should be stored.
Signing the zonefiles
The command below is run in the directory $HOME/zones and signs all zones in all subdirectories:
dnssec-signer -c dnssec.conf -D . -v -v
The flag -v makes ZKT more verbose about what it is doing; giving it twice, as above, increases the verbosity further.
If this is the first time the signer is run for a domain, all keys are created, both the KSK and the ZSK. If everything went well there should be a couple of new files in the zone directories: the key files and dnskey.db. The file zone.db.signed should now contain the zone together with its DNSSEC signatures and the current keys.
The signatures need to be renewed periodically, so dnssec-signer must be run regularly from cron. The command in the cron job for the zkt user might look like this:
dnssec-signer -c dnssec.conf -D $HOME/zones -v
The whole directory structure for your BIND configuration can be laid out as in our example, with one subdirectory per domain. Only directories that contain the file zone.db.signed are processed by ZKT.
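The two rules above (the “$INCLUDE dnskey.db” line and the empty zone.db.signed marker) fail silently: ZKT simply leaves such a zone unsigned. The following is an added example, not part of the IIS page and not ZKT's own code, that creates the per-zone layout described in this section and checks every zone directory for those two mistakes before the signer is run. Zone names, the 192.0.2.1 address and the temporary directory used by demo() are constructed for illustration.

```python
"""Added example, not part of the IIS page and not ZKT's own code.

It creates the per-zone layout described above and then checks the two
mistakes that make ZKT silently leave a zone unsigned: a zone.db without the
line '$INCLUDE dnskey.db', and a zone directory without the (initially empty)
zone.db.signed marker.  Zone names, addresses and paths are constructed."""
import os
import re
import sys
import tempfile
from pathlib import Path

# ZKT only signs a zone whose zone file pulls in the DNSKEY records it writes
# to dnskey.db; this is the line the text says must be present.
INCLUDE_RE = re.compile(r"^\s*\$INCLUDE\s+dnskey\.db\b", re.MULTILINE)

# Minimal unsigned zone; the serial is the only thing ZKT changes in zone.db.
ZONE_TEMPLATE = """\
$TTL 3600
$ORIGIN {zone}.
@       IN SOA  ns1.{zone}. hostmaster.{zone}. (
                1           ; serial, bumped by dnssec-soaserial on each signing
                7200 3600 1209600 3600 )
        IN NS   ns1.{zone}.
ns1     IN A    192.0.2.1   ; TEST-NET-1 address, constructed
$INCLUDE dnskey.db
"""


def bootstrap_zone(zones_dir, zone):
    """Create <zones_dir>/<zone>/ with zone.db and the empty signing marker."""
    d = Path(zones_dir) / zone
    d.mkdir(parents=True, exist_ok=True)
    (d / "zone.db").write_text(ZONE_TEMPLATE.format(zone=zone))
    (d / "zone.db.signed").touch()      # empty file = "sign this zone"
    return d


def preflight(zones_dir):
    """Return {zone directory name: [problems]} for every subdirectory."""
    report = {}
    for d in sorted(p for p in Path(zones_dir).iterdir() if p.is_dir()):
        problems = []
        zonefile, marker = d / "zone.db", d / "zone.db.signed"
        if not zonefile.is_file():
            problems.append("no zone.db")
        elif not INCLUDE_RE.search(zonefile.read_text()):
            problems.append("zone.db lacks '$INCLUDE dnskey.db': ZKT will not sign it")
        if not marker.exists():
            problems.append("no zone.db.signed marker: ZKT skips this directory")
        report[d.name] = problems
    return report


def demo():
    """Build a throw-away zones directory with one good and two broken zones."""
    with tempfile.TemporaryDirectory() as tmp:
        bootstrap_zone(tmp, "example.se")
        # An admin pasted a zone file and dropped the include line.
        bad = bootstrap_zone(tmp, "example.nu") / "zone.db"
        bad.write_text(bad.read_text().replace("$INCLUDE dnskey.db\n", ""))
        # A zone directory that was never given its marker file.
        stale = Path(tmp, "stale.se")
        stale.mkdir()
        (stale / "zone.db").write_text(ZONE_TEMPLATE.format(zone="stale.se"))
        return preflight(tmp)


if __name__ == "__main__":
    # Run against a real zones directory if one is given, else show the demo.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/zones")
    report = preflight(target) if os.path.isdir(target) else demo()
    for zone, problems in report.items():
        print(zone, "OK" if not problems else "; ".join(problems))
```

Run it with the path to your zones directory just before the dnssec-signer cron job, or from the job itself, so that a zone that would be skipped is reported rather than quietly served unsigned.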
When everything works as expected and the DS records are published in the .se zone, you probably want to verify that everything works as planned. IIS also provides a service called DNSCheck that lets you check how the delegation in DNS works, and it also supports DNSSEC. You find DNSCheck here: http://dnscheck.iis.se/
Emergency key rollover
A KSK rollover is done in three phases, each followed by a waiting period so that the previous step has propagated before the next one is taken:
- In the first phase only the new KSK is created, together with the file parent-example.se, which contains the old KSK. Before entering the next phase you must wait for the new KSK to propagate properly in DNS, that is, until every authoritative name server for the zone answers with the new DNSKEY RRset.
dnssec-zkt --ksk-newkey example.se.
- In the second phase a file containing only the DS record is created. It should immediately be sent to the parent zone for publication (for .se and .nu that is done through the Domain Manager, as described above). After that you must wait until all name servers have published the new key, which means waiting a little longer than the TTL of the old key.
dnssec-zkt --ksk-publish example.se.
- In the last phase the old KSK is removed (its key file is renamed with a lowercase “k” prefix) along with its DS record. This too is done only after a wait: the new DS record must have propagated in DNS, and cached copies of the old DNSKEY RRset must have expired, before the old key may disappear.
dnssec-zkt --ksk-delkey example.se.
To see the current key status you can use this command:
dnssec-zkt --ksk-status example.se.
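The DS record section above says a DS is a digest of a public key, and the rollover phases above each end with “wait until the name servers publish the new key”. The following added example, not part of the IIS page and not ZKT's own code, makes both concrete: it derives the key tag and the DS record of a DNSKEY the way a registry (or BIND's dnssec-dsfromkey) computes them per RFC 4034, and reuses the key tag to decide whether every name server already carries the new KSK, which is the condition for moving from phase one to phase two. The keys are constructed and far too short to be real, and the name server answers are a constructed snapshot of what a DNSKEY query to each server would return; the server names under example.se are assumptions.

```python
"""Added example, not part of the IIS page and not ZKT's own code.

Derives the key tag and DS record of a DNSKEY as RFC 4034 specifies, then
uses the key tag to check whether all authoritative servers publish the new
KSK yet.  Keys and name server answers are constructed for illustration."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3 and RFC 4509)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name):
    """Owner name in canonical wire form: lower case, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 appendix B key tag: a 16-bit checksum, not a hash.  Algorithm 1
    (RSA/MD5) uses a different rule and is deliberately not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """The DS RR the parent publishes: digest over owner name + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_TYPES[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)


def servers_missing_key(answers, wanted_tag):
    """Given {server: [DNSKEY tuples seen in its answer]}, list the servers
    whose DNSKEY RRset does not yet contain the key with key tag wanted_tag."""
    missing = []
    for server, rrs in answers.items():
        if wanted_tag not in {key_tag(dnskey_rdata(*rr)) for rr in rrs}:
            missing.append(server)
    return sorted(missing)


# Constructed keys: (flags, protocol, algorithm, base64 key). 257 = KSK, 256 = ZSK.
OLD_KSK = (257, 3, 8, "AAAAAA==")
NEW_KSK = (257, 3, 8, "AQIDBA==")
ZSK = (256, 3, 8, "//79/A==")

# Constructed snapshot of "dig @<server> example.se DNSKEY" after phase one:
# the primary has the new KSK, a secondary has not transferred the zone yet.
ANSWERS = {
    "ns1.example.se.": [OLD_KSK, NEW_KSK, ZSK],
    "ns2.example.se.": [OLD_KSK, ZSK],
}


def rollover_may_continue(answers=ANSWERS, new_key=NEW_KSK):
    """True only when every server publishes the new KSK (phase 1 -> 2 gate)."""
    return not servers_missing_key(answers, key_tag(dnskey_rdata(*new_key)))


if __name__ == "__main__":
    print(ds_record("example.se.", *NEW_KSK))
    print("servers still missing the new KSK:",
          servers_missing_key(ANSWERS, key_tag(dnskey_rdata(*NEW_KSK))))
    print("safe to publish the DS in the parent:", rollover_may_continue())
```

The key tag in the DS is only a checksum used to pick the right DNSKEY quickly; the digest is what binds the parent to the child's key, so a DS published for the wrong key or with a mistyped digest breaks validation for the whole zone. In practice the ANSWERS dictionary would be filled from a DNSKEY query sent to each authoritative server in turn, and the same check, with the old key tag, tells you when the old KSK has disappeared everywhere before the final phase.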
There are not many DNSSEC signing tools on the market today, even though many vendors are working on them. SPARTA provides the tool DNSSEC-Tools: http://www.dnssec-tools.org/
IIS, together with Nominet and NLnet Labs, is working on an open source signing tool with support for crypto hardware (HSMs); read more about that project here: http://www.opendnssec.se/
If you have further questions regarding DNSSEC, please contact IIS Registry, Phone: +46-8-452 35 80, e-mail: firstname.lastname@example.org