Guidelines

How do I find guides?

DNSSEC HowTo, a tutorial in disguise, 2009 by Olaf Kolkman

Deploying DNSSEC is part of a portfolio of tools that you can use to enhance the security of your system.  This page offers guides to understanding your system, how DNSSEC fits into the larger security framework and some basic how-to materials.  Some of them contain information specific to certain audiences as well as more general discussions.  (Background on the protocol and some of the supporting materials are found at About DNSSEC.)  Check back often.  As experience deepens, we expect to add more resources to this list.

NIST Special Publication 800-81: Secure Domain Name System (DNS) Deployment Guide.  This publication from the US National Institute of Standards and Technology presents an overview of the key protocols and how they are used.

Step-by-Step guides.  SPARTA, Inc. guides for zone operation using BIND and the DNSSEC-Tools suite.  There are two guides: the first targets DNS security operators; the second is more detailed and written for users of the dnssec-tools "tool suite".  It is structured along the lines of the first document, but it describes how the different operations can be performed using some of the tools available in the dnssec-tools distribution.

DNSSEC Operational Practices. This Internet Draft targets zone operators but also discusses broader issues in key management.

DNSSEC: DNS Security Extensions, Securing the Domain Name System.  This site provides an in-depth collection of resources relating to DNSSEC, including background, technical papers and specifications, training resources, how-tos and pointers to major DNS-related sites on the Internet.

With the signing of .ORG and other Top Level Domains (TLDs), registrars that provide name service for their customers and other DNS operators are looking for a reasonable set of DNSSEC configuration parameters.  Setting the Parameters (November 2009) provides advice on the values to choose for the configuration parameters associated with DNSSEC that provide good security without causing an undue burden on operators' name service infrastructures.  The configuration parameters include key sizes and lifetimes, re-signing periods, and time-to-live (TTL) values for the records.  Some of these parameters are visible in the zone; others are internal to the operation.

We assume that the zones in question are relatively small and neither need nor would benefit from protection against zone walking.  This assumption is the basis for some of the parameter values, so it’s likely that zones with other attributes (e.g., larger, including non-obvious names) will require different parameters to maintain sufficient security.

All of the configuration parameters are drawn from current experience and are applicable for the near future.  Many of the choices are driven by the need to support DNSSEC during the initial phase of adoption.  Therefore there will likely be changes as the population of DNSSEC-supporting recursive resolvers and clients grows and as we gain experience dealing with the increased resource requirements (CPU, bandwidth) of longer keys and other variables.  In some cases, these choices are at variance with guidance from the U.S. National Institute of Standards and Technology (NIST).  These differences are noted and explained in the text.  This is a work in progress.  Please provide feedback.

DNS Books.  There are several good books that describe both DNS and DNSSEC, including configuration information for popular software.  These include the following:

  • DNS and BIND by Cricket Liu, Paul Albitz.
  • DNS in Action: A Detailed and Practical Guide to DNS Implementation, Configuration, and Administration by A. Kabelova.
  • Pro DNS and BIND by Ron Aitchison.