How to be DNSSECure?
When I stumbled upon this site http://www.dnssec-or-not.org ,which tests if your DNS resolver is DNSSEC enabled, and was notified by a sad bald Star Trek guy that I was not DNSSECure, I started wondering how I could make that poor Star Trek guy happy?
The majority of people use the name server automatically provided by either their ISP at home or their company at work via DHCP.
A while ago I set up the BIND name server that comes with OSX and told the resolver on my Macbook pro to use that name server instead of the one provided by DHCP. This means that I don’t have to rely on the administrator of the DHCP provided name server to implement DNSSEC to be able to be DNSSECure, I can just do that myself. Great news.
I then started by reading this Men and Mice knowledgebase article, which describes how to enable DNSSEC validation on BIND name servers.
As I read that I realized that the version of BIND that comes with OSX by default was kind of old, 9.6.0. So I decided to upgrade to the latest and greatest BIND 9.7.2-P2. The reason for this is mostly the automatic updates of the trust anchors offered by BIND 9.7 and newer, making my life easier in the future as the lazy administrator of my own name server.
To upgrade BIND I decided it would be easiest to download the binaries built by Men and Mice for Mac OSX. Then after executing the following sequence of commands (as root):
launchctl unload /System/Library/LaunchDaemons/org.isc.named.plist
tar -xzf bind-9.7.2-P2-binary-intel.tar.gz -C /
launchctl load /System/Library/LaunchDaemons/org.isc.named.plist
BIND had been upgraded to version 9.7.2-P2, as simple as that.
Then all I did to my configuration was to add “dnssec-validation yes;” to the options statement and the following managed-keys statement at the end of named.conf
"." initial-key 257 3 8
where I obtained the <KEY> used in this managed-keys statement by querying for the DNSKEY record of the root zone by executing:
It’s of course important to manually verify the <KEY> against the hash available on IANA website with the procedure given in the knowledgebase article.
After restarting the BIND named service I expected the poor bald Star Trek guy to start smiling on www.dnssec-or-not.org. But instead of only smiling, the Star Trek guy was transformed into a hairy and smiling reporter from Kazakhstan, giving two thumbs up.
Apparently I’m now DNSSECure! And it wasn’t even that difficult, was it?