Deploying DNSSEC: A .ZA Case Study - ION Cape Town

Deploying DNSSEC: A Case Study, Mark Elkins, September 2015

Upload: deploy360-programme-internet-society

Posted on 22-Jan-2018


Page 1: Deploying DNSSEC: A .ZA Case Study - ION Cape Town

Deploying DNSSEC: A Case Study

Mark Elkins, September 2015

Page 2

Posix and Customers

Who we are

Registered in 1992, but active from 1996.

A small Internet Service Provider.

Customers are a mixture of end users and content providers.

End users are now mostly connected via Telkom, so they use Telkom ADSL and bandwidth.

Content providers use virtual hosting (Many people on one machine).

Machine hosting and Rack hosting

Page 3

Posix and Customers

Hosting is at our Data Centre – Midrand (Jhb)
100 m2 raised floor space
17 cabinets – room for 40
A cabinet contains 8 machines
One machine contains 1500 domains / 150 websites

Registration only (pure registrar, DNSSEC aware)
DNS hosting
Parked domains (trademark protection)
Personal domain with mail services
Web redirection
Various web packages

Page 4

A Posix History of DNSSEC

2006: Attended the ZACR Advanced DNS course

Within a month had TSIG implemented

2007: Became DNS course instructor (started running IPv6)

2008/9: Implemented DNSSEC

Page 5

General DNSSEC Principles

Already using BIND; BIND is responsible for signing, via scripts

KSK – 2048 bits / 1 year (370 days)
ZSK – 1024 bits / 1 month (34 days)

Keys overlap by 50% (e.g. new KSK every 6 months)

NSEC (only option for small zones) or NSEC3

Use DLV (dlv.isc.org) as the root was not then signed.

Started with Algorithm 5 (NSEC3RSASHA1)
Did Algorithm 8 rollover in 2010!

Page 6

Our two systems (Web/Non-Web)

Vweb (Web System)
  Settings: Web → DB → Filesystem
  /home/vweb/example.co.za/
    db.example.co.za
    named.inc
    Key-material

Discrete Zones (Shell Script)
  Settings: Filesystem only
  /etc/bind/pri/example.co.za/
    db.example.co.za
    dnssec-example.co.za
    md5sum-example.co.za
    soa-example.co.za
    Key-material

Page 7

Our two systems (Web/Non-Web)

Simple Activation

Vweb (Web System)

Discrete Zones (Shell Script available at “posixafrica.com”):
Edit the file “dnssec-example.co.za” to contain one of: None, NSEC, NSEC3

Page 8

DNSSEC Status @ Posix

Three entities use DNSSEC (ourselves and two others)
The two (former Advanced DNS students) use Registration only

Use EPP to modify DS (via DNSKEY) records in COZA

Use other web interfaces for Reverse DNS (AFRINIC) and for a selection of DLV entities.

All Posix gTLD domains (e.g. posix.systems) are signed

Stats: 90 Domains (43 NSEC, 47 NSEC3 / 50 COZA, 40 Other)

Only two “City” domains are signed – One by Posix

Page 9

DANE / TLSA @ Posix

To generate TLSA record data by hand:

Either: openssl s_client -connect www.example.co.za:443
Or: cat /home/www/example.co.za/ssl/cert.crt

Followed by: | openssl x509 -outform DER | openssl sha256 (3 0 1 / web)
Or: | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256 (3 1 1 / mail)

For websites with SSL certificates

If DNS is locally hosted – option to add/update the TLSA records for Web and Mail

Page 10

DNSSEC Validator

By adding the “DNSSEC Validator” plug-in into the browser we can see full DNSSEC & TLSA validation

(Yes, we run IPv6)

Page 11

DNSSEC – concluding thoughts

TO DO: Upgrade exim to support TLSA records for secure MTA-to-MTA connections.

Lean on people to sign ZA & ZA SLDs

HSMs: Hardware is expensive; nothing wrong with SoftHSM

Software: OpenDNSSEC – but fiddly to run on an Authoritative server

Resolver: All recursive resolvers are DNSSEC aware (Authoritative and Recursive server should be separate)

Lock-in: Customers may hesitate moving to non-DNSSEC providers

Future: Simply switch on DNSSEC for everyone?

Success: Zero failures since switch-on (including protocol rollover)

Page 12

Questions?

Mark Elkins

[email protected]@posix.systems