Domain & DNS Management
How to Know If Your DNSSEC Is Working
DNSSEC, the set of DNS extensions that let resolvers validate domain query data, is a critical component in defending the domain name system. DNSSEC uses pairs of public and private cryptographic keys to sign DNS data and validate the answers to DNS queries. This is essential to protect clients from forged DNS data that can result from cache poisoning, a man-in-the-middle exploit that can present fraudulent and harmful website content to unsuspecting Internet users.
Fraudulent websites enabled by hijacked DNS can cause organizations and their customers or users significant harm: lost revenue, diminished brand standing, and breach of privacy. DNSSEC is an effective cybersecurity measure when it’s provisioned correctly and maintained over the life cycle of a domain.
National security agencies and IT experts agree: DNSSEC should be a priority for every organization. DNSSEC deployment, however, isn’t easy or simple. Corporate adoption of DNSSEC has been impeded by internal operational issues and external “ecosystem” factors. DNSSEC must be carefully managed and monitored to be effective. External DNS audits routinely confirm that many organizations, under the assumption that their DNSSEC setup is working, in fact have missing or expired configuration elements that invalidate their DNSSEC coverage.
For DNSSEC to operate correctly, two required cryptographic signatures must be present and valid.
The first is the resource record signature, or RRSIG, provided by the domain holder, which covers a specific DNS record set. If a domain owner neglects to provide the RRSIG, the domain being sought will fail to return a DNS query result.
The second is the delegation signer, or DS record. This cryptographic signature must be enabled at the top-level domain registry to validate the DNS zone file. A domain query will still work if this signature is missing or expired, but the zone file will not be authenticated by DNSSEC.
A missing or expired RRSIG or delegation signer is problematic. Users could be blocked from sites or granted access to domain data that is not valid.
Tools are available that help verify the status of DNSSEC. The Verisign Labs DNSSEC Analyzer, for example, works well for single domain lookups. It’s less useful when analyzing hundreds or thousands of domains because it requires manual process steps for each domain, creating unsustainable work effort for IT. Also, these tools may not analyze the expiration date of DS Keys, which are required to roll annually. DS record validation is misleading if the key has expired. Expired DS records invalidate DNSSEC protection.
How to Test DNSSEC
Checking the status of your DNSSEC setup is a necessary part of DNS management. A fully automated DNS management system can simplify DNSSEC monitoring and remediation. With or without a system, here’s what you need to do to check that DNSSEC is working:
1. Check the Root Zone (or WHOIS record) to verify signatures
Checking the DNS root zone can verify the presence of the RRSIG and DS records on domains. It’s a tedious process, but it must be done regularly. The same information can be found in the public WHOIS record. Verisign’s DNSSEC Analyzer can make this a little easier; you can also conduct Registration Data Access Protocol queries using the Domain Name Registration Data Lookup. Bear in mind that neither method will confirm the validity of DS record dates.
2. Track DS record expiry dates
DS records expire and roll over annually. Because they’re not all issued at once, however, they require renewal throughout the year as each one expires. Expired signatures disable DNSSEC authentication, so it’s important to keep on top of these dates. Most lookup tools don’t validate DS record dates, so this must be done separately. Start independently tracking the expiration dates of DS records or, better yet, implement a system to auto-roll DS records annually.
3. Limit RRSIG validity
You can partially mitigate the damage from a signature compromise by limiting the validity period of RRSIGs. The DNSSEC implementation guide recommends changing these signatures weekly. Even if hackers manage to compromise a signature, a short validity period limits how long it stays usable and so limits the reach of any attack built on it. Granted, some attacks can be run quickly and cause damage, so it’s best to employ preventive systems to mitigate the risk of compromise. Re-signing RRSIGs weekly creates a heavy administrative burden, but it may be worthwhile for extremely valuable domains to keep the DNSSEC protocol working properly.
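The three checks above (RRSIG and DS presence, signature expiry, and validity-window length) can be scripted once the records are in hand. The following Python example is added here and is not part of the original article or of any product it describes; it works offline on a constructed set of presentation-format records of the kind `dig +dnssec` prints for a hypothetical zone `example.test.`. Expiry in DNSSEC wire data lives in the RRSIG inception/expiration fields, including the RRSIG the parent zone publishes over the DS record set, so that is what the checker reads. The 7-day maximum validity follows the weekly re-signing recommendation quoted above, and the 3-day warning threshold is an assumption.

```python
"""Offline DNSSEC signature check: DS/RRSIG presence and RRSIG validity windows."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC (RFC 4034 presentation format).
RRSIG_TIME = "%Y%m%d%H%M%S"


@dataclass
class Rrsig:
    owner: str
    covered: str        # RR type this signature covers (A, MX, DS, ...)
    expiration: datetime
    inception: datetime
    keytag: int
    signer: str


def parse_records(text):
    """Parse lines of the form "owner TTL IN TYPE rdata..." (as printed by `dig +dnssec`)
    into the set of (owner, type) RRsets seen and the list of RRSIG records."""
    rrsets, rrsigs = set(), []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        owner, rtype = f[0], f[3]
        if rtype != "RRSIG":
            rrsets.add((owner, rtype))
            continue
        # RRSIG rdata: covered alg labels orig-ttl expiration inception keytag signer signature
        rrsigs.append(Rrsig(
            owner=owner, covered=f[4],
            expiration=datetime.strptime(f[8], RRSIG_TIME).replace(tzinfo=timezone.utc),
            inception=datetime.strptime(f[9], RRSIG_TIME).replace(tzinfo=timezone.utc),
            keytag=int(f[10]), signer=f[11]))
    return rrsets, rrsigs


def signature_status(sig, now, warn_days=3):
    """Classify a signature relative to `now`. A validating resolver rejects anything
    outside [inception, expiration], so 'expired' and 'not-yet-valid' both break resolution."""
    if now < sig.inception:
        return "not-yet-valid"
    if now >= sig.expiration:
        return "expired"
    if sig.expiration - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "valid"


def check_dnssec(text, now, max_validity_days=7, warn_days=3):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    rrsets, rrsigs = parse_records(text)
    signed = {(s.owner, s.covered) for s in rrsigs}
    findings = []
    if not any(rtype == "DS" for _, rtype in rrsets):
        findings.append("no DS record present: zone is not linked into the chain of trust")
    for owner, rtype in sorted(rrsets):
        if (owner, rtype) not in signed:
            findings.append(f"{owner} {rtype}: no RRSIG covers this RRset")
    for s in rrsigs:
        label = f"{s.owner} RRSIG({s.covered}) keytag {s.keytag}"
        status = signature_status(s, now, warn_days)
        if status != "valid":
            findings.append(f"{label}: {status}, expires {s.expiration:%Y-%m-%d}")
        window = s.expiration - s.inception
        if window > timedelta(days=max_validity_days):  # weekly re-signing recommendation
            findings.append(f"{label}: validity window {window.days} days exceeds "
                            f"{max_validity_days}-day limit")
    return findings


# Constructed sample for the hypothetical zone example.test. (not real DNS data).
# The DS record and its RRSIG are what the parent zone (test.) would publish.
SAMPLE_RECORDS = """
example.test.     3600 IN DS    12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
example.test.     3600 IN RRSIG DS 13 2 3600 20240701000000 20240617000000 4711 test. c2lnbmF0dXJl
example.test.     3600 IN A     192.0.2.1
example.test.     3600 IN RRSIG A 13 2 3600 20240620000000 20240613000000 12345 example.test. c2lnbmF0dXJl
example.test.     3600 IN MX    10 mail.example.test.
example.test.     3600 IN RRSIG MX 13 2 3600 20240601000000 20240525000000 12345 example.test. c2lnbmF0dXJl
www.example.test. 3600 IN A     192.0.2.2
"""
CHECK_TIME = datetime(2024, 6, 18, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample


def run_sample():
    return check_dnssec(SAMPLE_RECORDS, CHECK_TIME)


if __name__ == "__main__":
    for finding in run_sample() or ["all checks passed"]:
        print(finding)
```

Against the sample the checker reports an unsigned `www` record set, a 14-day window on the parent's DS signature, an A signature expiring within the warning threshold, and an already-expired MX signature. To run it against live data, feed it the answer section of `dig +dnssec` queries for the zone's record types and a query for the DS record at the parent; the checker's parsing assumes each line carries owner, TTL, class and type in that order, which is how `dig` prints them.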
4. Consolidate DNS management
Keeping DNSSEC working requires significant time and attention to detail. When companies have hundreds or thousands of signatures in use and relationships with dozens of DNS services, DNSSEC management can be overwhelming or unfeasible owing to the manual effort required. Relying on an integrated platform for all aspects of domain management streamlines the entire effort. A unified admin portal to manage DNSSEC data allows you to quickly assess whether everything is working properly. You can also pre-emptively renew signatures and identify issues that require attention. An integrated platform will eliminate the many manual processes that can cause DNSSEC to fail.
Tasking IT with a heavy incremental workload to manage DNSSEC compliance manually is not a good scenario. An automated system is the only acceptable solution if your organization values a preventive DNSSEC security posture on your digital network.