

(Course code: DNSSEC-B)

Trainer outlined real-world problems & solutions

David Hulama

Dell Inc

Location: On site at your office
Date: on request
Price: on request

General description

This 3-day DNSSEC Workshop is a classroom-style course with lectures and hands-on labs. Seating is limited. It is designed for network and sysadmin veterans who need to know how to deploy DNSSEC for their organization. Students are expected to be familiar with the UNIX environment (file structure, basic utilities) and with text editing in UNIX (vi or nano). A basic knowledge of TCP/IP addressing is also helpful but not required.

This course was previously called: DNSSEC Technical Workshop – Implementation and Deployment


  • DNS Fundamentals 101
    • A quick recap of DNS Fundamentals
    • DNS Namespace
    • Delegation
    • Nameserver
    • DNS Message Format
    • Name Resolution
    • Caching
    • DNS Practice
    • Resource Records
  • DNSSEC Theory and History
    • What is wrong with the good old DNS?
    • Spoofing
    • Man in the Middle Attacks
    • Betrayal of a trusted name server
    • Attack on authoritative data
    • The danger of Denial of Service Attacks
  • DNSSEC Introduction
    • DNS and DNSSEC History
    • TSIG and DNSSEC
    • Basics of Public Key Cryptography
    • DNSSEC Technical Overview
    • DNSSEC Record Types
      • DNSKEY (DNS Key Material)
      • RRSIG (Resource Record Signature)
      • NSEC (Next Secure)
      • DS (Delegation Signer)
    • Zone Signing Key (ZSK) and Key Signing Key (KSK)
    • The DNSSEC chain of trust
  • DNSSEC Infrastructure Requirements
    • Signing tools
    • Authoritative DNS Servers
    • Caching/Resolving DNS Servers
    • Middleboxes (Firewalls, Load Balancers, NAT ...)
    • Application Requirements
  • DNSSEC Deployment
    • DNSSEC signing with BIND 9.6-ESV
    • Creating keys
    • Adding keys to a zone
    • Signing a zone
    • Testing the setup
    • Getting the DS record into the parent zone
    • Resigning a zone
    • Maintenance: Signature Expiration
    • Lab: DNSSEC zone signing
  • DNSSEC with BIND 9.7+
    • Managing key timing values
    • DNSSEC automation
    • Dynamic zones and DNSSEC
    • Managing zone content with nsupdate
    • Lab: DNSSEC with BIND 9.7+
  • DNSSEC Validation
    • DNSSEC in DNS Messages
    • The AD and CD flags
    • DNSSEC Name resolution
    • DNSSEC Lookaside Validation (DLV)
    • Validating DNSSEC in the Internet
    • DNSSEC validation in web browsers (Firefox, IE, Chrome)
  • A validating, caching-only configuration for BIND 9
    • BIND as a caching server
    • named.conf setup (ACL, rndc, statistics channel)
    • Getting the root trust anchor
    • Verifying the root zone's key
    • DNSSEC validation setup (BIND 9.6-ESV)
    • DNSSEC validation setup (BIND 9.7.0+)
    • Lab: DNSSEC validation with BIND
  • Signing zones with NSEC3
    • The NSEC3 Record
    • NSEC3 zone signing
    • Salt and Iterations
    • NSEC3 opt-out
  • DNSSEC Key rollover
    • The need for key rollover
    • Key rollover with pre-publication
    • Key rollover with double-signing
    • Emergency key rollovers
    • Algorithm Rollover
    • Switching DNS Operators
      • Operator rollover (cooperative)
      • Operator rollover (non-cooperative)
    • Lab: ZSK and KSK rollover
  • DNSSEC tools and troubleshooting
    • DNSSEC troubleshooting with dig
    • Lab: finding the cause of DNSSEC lookup failures
    • Other DNSSEC tools (drill, unbound-host, dnssec-tools, zonecheck, OpenDNSSEC)
    • DNSSEC monitoring tools
  • DNSSEC in BIND 9.8 and 9.9
  • Hardware Security Modules (HSM)
    • The role of an HSM
    • Selection criteria for an HSM
    • SoftHSM, an HSM emulator
    • Using BIND with SoftHSM