Tag Archives: DS

Single DNS Query – Hundreds of Packets

2018-12-05DNS/DNSSEC, MemorandumBIND, dig, DNS, DNSSEC, DNSViz, DS, pcap, WiresharkJohannes Weber

I was interested in how a recursive DNS server resolves DNS queries in detail. That is, not only the mere AAAA or A record, but also DNSSEC keys and signatures, the authority and additional section when testing with dig , and so on. For this I made two simple DNS queries to my recursive DNS server which resulted in more than 100 DNS packets at all. Wow.

In the following I am publishing a downloadable pcap so that you can analyse it by yourself. Furthermore I am showing some listings and screenshots to get an idea of the DNS resolution process.

Continue reading Single DNS Query – Hundreds of Packets →

DNSSEC KSK Emergency Rollover

2018-03-07DNS/DNSSEC, Security, Tutorial/HowtoBIND, delegated zone, delegation signer, dig, DNS, DNS Cache, DNSSEC, dnssec-keygen, DNSViz, DS, Key Rollover, KSK, Public KeyJohannes Weber

In my last blogpost I showed how to perform a DNSSEC KSK rollover. I did it quite slowly and carefully. This time I am looking into an emergency rollover of the KSK. That is: What to do if your KSK is compromised and you must replace it IMMEDIATELY.

I am listing the procedures and commands I used to replace the KSK of my delegated subdomain dyn.weberdns.de with BIND. And, as you might already suggested, I am showing DNSViz graphs after every step since it greatly reveals the current DNSKEYs etc.

Continue reading DNSSEC KSK Emergency Rollover →

DNSSEC KSK Key Rollover

2018-02-26DNS/DNSSEC, Security, Tutorial/HowtoBIND, delegation signer, dig, DNS, DNSSEC, dnssec-keygen, DNSViz, DS, Key Rollover, KSK, Public KeyJohannes Weber

Probably the most crucial part in a DNSSEC environment is the maintenance of the key-signing key, the KSK. You should rollover this key on a regular basis, though not that often as the zone signing keys, the ZSKs. I am doing a KSK rollover every 2 years.

In the following I will describe the two existing methods for a KSK rollover along with a step-by-step guide how I performed such a rollover for my zone “weberdns.de”. Of course again with many graphics from DNSViz (with “redundant edges”) that easily reveal the keys and signatures at a glance.

Note that this blogpost is NOT about the Root Zone KSK Rollover that appears in 2017/2018. It is merely about your OWN zone that is secured via DNSSEC.

Continue reading DNSSEC KSK Key Rollover →

Signing a Delegated Subdomain

2018-02-20DNS/DNSSEC, Tutorial/HowtoBIND, delegated zone, delegation signer, DNS, DNSSEC, DNSViz, DS, KSK, NSEC3, SubdomainJohannes Weber

If you are already familiar with DNSSEC this is quite easy: How to sign a delegated subdomain zone. For the sake of completeness, I am showing how to generate and use the appropriate DS record in order to preserve the chain of trust for DNSSEC.

Continue reading Signing a Delegated Subdomain →

Weberblog.net

IT-Security, Networks, IPv6, VPN, DNSSEC, NTP

Tag Archives: DS

Single DNS Query – Hundreds of Packets

DNSSEC KSK Emergency Rollover

DNSSEC KSK Key Rollover

Signing a Delegated Subdomain