DNSSEC is a set of security extensions to DNS that provides the means for authenticating DNS records. It helps prevent malicious activities such as cache poisoning, phishing, and other attacks that rely on forged DNS data.
The purpose of DNSSEC is to protect Internet clients from counterfeit DNS data by verifying digital signatures embedded in the data.
DNSSEC creates a dedicated record carrying a digital signature for every resource record. The signature relies on public key cryptography to ensure that DNS records are authentic: every member of the system can check the signature, but only those holding the private key can sign new or modified data.
Public keys are published in DNSKEY resource records alongside the other resource records. The sequence of records that authenticates these public keys is called a chain of trust. A key's authenticity is checked through its digest (fingerprint, hash), which is sent to the parent zone as a DS-record. Digests of the parent zone's own public keys are in turn sent to its parent zone. The chain of trust is built up to the root zone, whose public key and digests are published in the official ICANN documents.
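The DS-record a parent zone publishes is nothing more than a hash over the child's KSK DNSKEY-record, so the link in the chain of trust can be recomputed and checked locally. The following is an added example, not part of this page or of ISPmanager: it builds a DS-record from a DNSKEY-record the way RFC 4034 specifies (canonical owner name in wire format followed by the DNSKEY RDATA, key tag from Appendix B) and checks a published DS string against the local key. The zone name `example.com.` and the four-byte key material `AAECAw==` are constructed placeholders, not a real RSA key.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DS_DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical wire format (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, terminated by a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Build DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for every algorithm except RSA/MD5):
    16-bit ones-complement-style sum over the RDATA, even bytes in the high half."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              key_b64: str, digest_type: int = 2) -> str:
    """Return the DS RDATA in presentation format ('<tag> <alg> <digest type> <hex>').
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DS_DIGEST_ALGORITHMS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               key_b64: str, published_ds: str) -> bool:
    """Check a DS-record as published in the parent zone against the local KSK DNSKEY.
    Tolerates lowercase hex and a digest split across several whitespace-separated chunks."""
    tag, alg, dtype, *digest_parts = published_ds.split()
    if int(dtype) not in DS_DIGEST_ALGORITHMS:
        return False  # unknown digest type: cannot validate, so treat as a mismatch
    expected = ds_record(owner, flags, protocol, algorithm, key_b64, int(dtype))
    got = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest_parts).upper()}"
    return got == expected


if __name__ == "__main__":
    OWNER = "example.com."            # constructed sample zone, not a real deployment
    KSK = (257, 3, 8, "AAECAw==")     # constructed: KSK flags, protocol 3, RSASHA256, fake key bytes
    ds = ds_record(OWNER, *KSK)
    print(f"{OWNER} IN DS {ds}")
    # Simulate the parent zone having published the same record in lowercase hex.
    print("parent copy matches:", ds_matches(OWNER, *KSK, ds.lower()))
```

Feeding the real DNSKEY shown for the KSK and the DS string copied from the registrar's interface into `ds_matches` is a quick way to confirm that the record published upstream really points at the current KSK before relying on the chain of trust.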
DNSSEC uses two types of keys:
Normally a KSK has a longer key length and a longer update period than a ZSK. The ZSK is used every time the domain zone is modified or updated: a shorter key makes signing the zone cheaper, and a short update period keeps the level of security high. The KSK is used only to sign the keys, so it is used far less often than the ZSK; a long key therefore does not affect performance, and it is safe to give it a long update period. A long KSK update period also means DS-records need to be sent to the parent zone less frequently.
To protect against DNSSEC key compromise, the keys are updated periodically. According to standard practice, the keys are updated in steps so that slave servers and caching DNS servers have enough time to synchronize with the primary DNS server.
KSK key update procedure includes the following steps:
ZSK key update procedure includes the following steps:
DNSSEC can be activated on PowerDNS 3.2 or later.
To enable DNSSEC and configure the domain key settings, navigate to Domains → Domain names → select a domain → click Settings → select the DNSSEC support checkbox. For more information please refer to the article DNS server configuration.
When you activate DNSSEC protection, you need to publish and update the DS-record in the parent zone manually. DNSSEC email notifications will inform you about new DS-records you need to publish.
Navigate to Settings → Email notifications → select the DNSSEC notifications checkbox.
DNSSEC activation involves several steps:
The maximum DNS TTL must be less than 2 weeks. The default value is 3 hours.
To set the maximum TTL, navigate to Domains → Domain names → select a domain → Records → TTL, sec.
To sign a domain zone, go to Domains → Domain names → select a domain → Edit → enable Sign domain. The system starts a background process to sign the domain zone; the KSK and ZSK are generated according to the specified parameters. While the zone is being signed, a corresponding icon is shown in the "Status" column; when the zone has been signed successfully, the icon changes to the signed-zone icon. You cannot "Edit" or "Delete" the domain during this process.
In a few seconds refresh the "Domain names" page.
Once the system signs the domain zone:
The domain zone is signed, but the DS-records have not been published. This function is available for Administrators and Users.
To create a chain of trust, you need to transfer the DS-records (or, depending on the registrar, the KSK DNSKEY-records) to the parent zone. You can see the main key parameters and their DNSKEY and DS records in Domains → Domain names → select a domain → DNSSEC.
The following data are displayed for every DS-record:
Show DNSKEY — click the button to see a table with DNSKEY-records. The following data are shown for every DNSKEY-record:
DS-records are sent in one of the following ways:
Once a week, ISPmanager checks the DS-records in the parent zone. At least one DS-record for every KSK must be sent to the parent zone. Once this is done, the warning in the Status column in Domains → Domain names changes to the icon confirming that the domain is protected with DNSSEC.
If the keys are compromised, you need to sign the domain zone with new keys. To do so, disable DNSSEC protection:
This function is available for Administrators and Users.
To disable DNSSEC, navigate to Domains → Domain names → Settings → clear the DNSSEC support checkbox. Only Administrators can disable this option. For more information please refer to the article DNS-server configuration.