
The Men & Mice Blog


How to be DNSSECure?


When I stumbled upon this site, http://www.dnssec-or-not.org, which tests if your DNS resolver is DNSSEC enabled, and was notified by a sad bald Star Trek guy that I was not DNSSECure, I started wondering how I could make that poor Star Trek guy happy.

The majority of people use the name server handed out automatically via DHCP, by either their ISP at home or their company at work.

A while ago I set up the BIND name server that comes with OSX and told the resolver on my MacBook Pro to use that name server instead of the one provided by DHCP. This means that I don’t have to rely on the administrator of the DHCP-provided name server to implement DNSSEC in order to be DNSSECure; I can just do that myself. Great news.

I then started by reading this Men and Mice knowledgebase article, which describes how to enable DNSSEC validation on BIND name servers. 

As I read it, I realized that the version of BIND that comes with OSX by default was kind of old, 9.6.0. So I decided to upgrade to the latest and greatest BIND 9.7.2-P2. The reason for this is mostly the automatic updating of trust anchors offered by BIND 9.7 and newer, which makes my life easier in the future as the lazy administrator of my own name server.

To upgrade BIND I decided it would be easiest to download the binaries built by Men and Mice for Mac OSX. Then after executing the following sequence of commands (as root):

launchctl unload /System/Library/LaunchDaemons/org.isc.named.plist
tar -xzf bind-9.7.2-P2-binary-intel.tar.gz -C /
launchctl load /System/Library/LaunchDaemons/org.isc.named.plist

BIND had been upgraded to version 9.7.2-P2, as simple as that.

Then all I did to my configuration was add “dnssec-validation yes;” to the options statement and the following managed-keys statement at the end of named.conf:

managed-keys {
   "." initial-key 257 3 8
    "<KEY>";
};

where I obtained the <KEY> used in this managed-keys statement by querying for the DNSKEY record of the root zone by executing:

dig DNSKEY .

It’s of course important to manually verify the <KEY> against the hash (the DS record) published on the IANA website, using the procedure given in the knowledgebase article: the answer to that dig query arrived through a resolver that was not yet validating, so the key itself has to be checked out-of-band before it is trusted.
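The check described above, as an added example (not code from Men & Mice or from the knowledgebase article): it parses a DNSKEY line in the format dig prints, computes the RFC 4034 key tag and DS digest, compares them with the key tag, algorithm, digest type and digest that IANA publishes for the root trust anchor, and renders the managed-keys statement shown earlier. The DNSKEY line and its key material are constructed for the example and are not the real root key; the published DS tuple is something you copy from IANA yourself.

```python
import base64
import hashlib
import struct

# Constructed sample, in the presentation format `dig DNSKEY .` prints.
# The key material (AwEAAQID) is made up for this example and is NOT the
# real root key; substitute the actual dig output when checking for real.
SAMPLE_DNSKEY = ".\t172800\tIN\tDNSKEY\t257 3 8 AwEAAQID"

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, ending in the zero-length root label."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line):
    """Split one DNSKEY presentation line into (owner, flags, protocol, algorithm, key_bytes).
    TTL and class are optional; the base64 key may span several whitespace-separated chunks."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, protocol, algorithm, key


def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA in wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA with the carry
    folded back in (valid for every algorithm except the obsolete RSA/MD5)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    if len(rdata) % 2:
        rdata += b"\x00"  # an odd trailing byte counts as the high byte of a word
    acc = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, flags, protocol, algorithm, key, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as upper-case hex
    (RFC 4034 section 5.1.4)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, key))
    return h.hexdigest().upper()


def verify_trust_anchor(dnskey_line, published_ds):
    """published_ds is (key_tag, algorithm, digest_type, hex_digest) copied from the
    IANA trust-anchor page. Every field must agree with the key dig returned."""
    owner, flags, protocol, algorithm, key = parse_dnskey(dnskey_line)
    tag, alg, dtype, digest = published_ds
    if dtype not in DIGEST_ALGS or alg != algorithm:
        return False
    if key_tag(flags, protocol, algorithm, key) != tag:
        return False
    wanted = digest.upper().replace(" ", "")  # IANA sometimes prints the hex in groups
    return ds_digest(owner, flags, protocol, algorithm, key, dtype) == wanted


def managed_keys_statement(dnskey_line):
    """Render the (verified) key in the named.conf managed-keys form used in this post."""
    owner, flags, protocol, algorithm, key = parse_dnskey(dnskey_line)
    b64 = base64.b64encode(key).decode("ascii")
    return 'managed-keys {\n    "%s" initial-key %d %d %d\n        "%s";\n};\n' % (
        owner, flags, protocol, algorithm, b64)


if __name__ == "__main__":
    owner, flags, protocol, algorithm, key = parse_dnskey(SAMPLE_DNSKEY)
    print("key tag:", key_tag(flags, protocol, algorithm, key))
    print("DS SHA-256:", ds_digest(owner, flags, protocol, algorithm, key))
    print(managed_keys_statement(SAMPLE_DNSKEY))
```

Paste the real dig output into SAMPLE_DNSKEY and the real IANA values into the tuple passed to verify_trust_anchor; only a key for which all four fields match should make it into named.conf. Checking the key tag alone is not enough, since it is a 16-bit checksum rather than a cryptographic hash.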

After restarting the BIND named service I expected the poor bald Star Trek guy to start smiling on www.dnssec-or-not.org. But instead of only smiling, the Star Trek guy was transformed into a hairy and smiling reporter from Kazakhstan, giving two thumbs up.

Apparently I’m now DNSSECure!  And it wasn’t even that difficult, was it?
