Carsten Strotmann

Preparing for DNSSEC: Signing your zones

Three DNSSEC signing solutions covering the most common choices.

Jan 5th, 2011

Recently, I illustrated how easy it is to configure BIND to validate DNSSEC signed zones. Now that is all fine and dandy for caching name servers. They only need to have a proof that the content they are looking up and handing out to their clients is not counterfeit.

But what about the authoritative name servers? They need to provide the proof, so that other DNS servers and clients can validate that its content is valid. In this case the zones on the authoritative servers need to be DNSSEC signed.

How can we do that and what are our options?

We could make BIND do it for us. Until recently that was a tedious and manual process and you’d need to worry about key rollover and maintenance and even know a thing or two about DNSSEC.

With version 9.7.0. and the implementation of RFC 5011 this process was somewhat automated. With a minimal initial effort, a zone can be signed and set up to be resigned automatically on changes without the need for any additional or external tools. Key rollover can also be as simple as periodically creating new keys, either manually or with a scheduled script. BIND will then take care of rolling the keys over when the time comes and resigning the zone with the new keys.

BIND even supports integration with HSM modules, i.e. hardware cryptographic modules that securely generate and store the keys. In fact, all that’s needed for BIND being a fully automatic DNSSEC signing solution is to automatically create the keys when they are needed as well. This is something we anticipate being implemented in the coming versions of BIND.

Have a look at our knowledge base article for a guide on how to use BIND and Men & Mice Suite to automatically sign and manage your DNSSEC zones.

So with BIND being so DNSSEC-able why would we care about other tools at all?

There, added security and full automation quickly come into mind. Secure64 offers a very secure and complete appliance that signs and maintains zones without much if any user intervention after installation.

However, the added security and automation come at a price, but Secure64 is definitely the ultimate DNSSEC solution for those that can afford it or just need the added layer of security without needing to know much about DNSSEC or security for that matter.
These appliances have been hardened against outside intervention as much as possible, making it virtually impossible for outsiders to break into them to do any damage to compromise your DNSSEC signed zones.  
Secure64 servers can be integrated into the Men & Mice Suite, such that all editing of the zones is done with Men & Mice Suite as usual, but the signing of the zones is accomplished in the background by the Secure64 server as soon as anything changes.

OpenDNSSEC is another option. This solution is an open source project with the objective of creating a free and fully automatic DNSSEC signing software. OpenDNSSEC is initially directed at the unsigned zone files that it will then sign and maintain automatically from that point onwards. Included is a daemon that listens for NOTIFYs sent from the DNS servers in order to resign their zones on changes.  
Currently, it will only handle static file based zones, but it will take care of all your signing duties once initially configured, such as key rollover and maintenance.
OpenDNSSEC was designed with HSM modules in mind, fully supporting the PKCS#11 API. For those not wanting to use hardware based modules, a software based HSM (SoftHSM) is also provided. Being used on the .se, .dk, .nl and .uk top-level domains, OpenDNSSEC can certainly be considered a trustworthy and complete DNSSEC signing solution despite its open source nature.

As with the other options, OpenDNSSEC can be integrated to work in harmony with the Men&Mice Suite so that the zones are automatically signed when they are edited with the Men & Mice Suite.

Take a look at our knowledge base article on how to set that up.

I’m sure there are other options for signing DNS zones, such as for signing DNS zones on Windows servers. However, the three DNSSEC signing solutions covered here seem to be the most common choices.

As it turns out, each of those solutions can be integrated with the Men & Mice Suite, making the management of DNSSEC signed zones just as easy as regular zones.