Author Topic: Anyone using DNSSEC?  (Read 747 times)

bill

  • Devil's Avocado
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1281
  • Avast!
    • View Profile
    • Email
Anyone using DNSSEC?
« on: March 29, 2018, 08:34:20 AM »
Have any of The Core bothered setting up DNSSEC for their domains?

I've been reading articles that range from "It's the future of DNS" to "Forget about it". Just wondering if anyone here had experience they could share. Before I invest the time and money I wondered if it was even worth my time for the average site. I could see the benefits if I was running the PayPal site, but I doubt the sites I'm running would be the type that require secure DNS.

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 4444
    • View Profile
Re: Anyone using DNSSEC?
« Reply #1 on: March 29, 2018, 02:46:03 PM »
Unfortunately, same experience here. Research. Get confused. Decide that if I'm not worried even about PCI compliance let alone state secrets, I'm going to wait

bill

  • Devil's Avocado
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1281
  • Avast!
    • View Profile
    • Email
Re: Anyone using DNSSEC?
« Reply #2 on: March 29, 2018, 09:47:00 PM »
Yikes! This is expensive. My registrar gave me an estimate on the upper end of 5 figures (USD) for a year of DNSSEC. Didn't realize it would be that much. That's going to be hard to justify.

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 4444
    • View Profile
Re: Anyone using DNSSEC?
« Reply #3 on: April 16, 2018, 08:24:08 PM »
So I finally looked into this a bit more after analyzing a few sites with Hardenize
https://www.hardenize.com/

Turns out this is not hard or expensive.

You can enable it for free via Cloudflare
First turn it on
https://www.cloudflare.com/dns/dnssec/

Then set it up on your registrar (in my case Namecheap)
https://support.cloudflare.com/hc/en-us/articles/209833347-How-to-add-a-DS-record-to-Namecheap

Or set it up on Namecheap for 40 cents per month

It comes with Namecheap Premium DNS, which is $4.88/year
https://www.namecheap.com/support/knowledgebase/article.aspx/9723/2232/managing-dnssec-for-domains-pointed-to-premium-or-basicdns
https://www.namecheap.com/security/premiumdns.aspx

Or set up your own BIND server for whatever the server costs ($5/month for the slave and master = $10/month).
https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

In my case, I'm on the Cloudflare + Namecheap option. When I run it through a tester,
https://dnssec-analyzer.verisignlabs.com

 I get this (see attached image - all tests pass)







bill

  • Devil's Avocado
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1281
  • Avast!
    • View Profile
    • Email
Re: Anyone using DNSSEC?
« Reply #4 on: April 16, 2018, 10:54:51 PM »
Interesting. This particular registrar doesn't provide DS records unless I move to a super expensive DNS tier. I may need to point to a 3rd party DNS provider...if that would even work. To the best of my knowledge to get a full DNSSEC stack you'd need registrar-level keys to sign the root, so that might not even be an option.

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 4444
    • View Profile
Re: Anyone using DNSSEC?
« Reply #5 on: April 17, 2018, 12:07:18 AM »
To the best of my knowledge to get a full DNSSEC stack you'd need registrar-level keys to sign the root, so that might not even be an option.

That is correct. Your registrar and your DNS provider must be able to exchange the hash, I suppose very roughly like a TLS handshake (or probably more like a DKIM verification actually).

So if you can't set the hash, specify the hash schema and algorithm etc at the registrar, there's no point in doing anything at the DNS level. In fact, I think that might just serve to make your site inaccessible, because the hash check would fail and security conscious browsers would block the site.