We have covered DNSSEC before. But over the last few month, DNSSEC deployments have increased and yesterday's DNS poisoning diary by Manuel shows that attacks against unsecured zones certainly happen.

I wanted to put together a couple of tips to avoid common errors:

• Patch your DNS server. Make sure you are running a recent version that supports current encryption algorithms. In particular, look for NSEC3 support.
• Review your overall DNS configuration. Clean it up first before implementing DNSSEC.
• Does your registrar have a facility to upload DS records?
• If you are using DNSSEC on a resolver, make sure the root zone's key is kept up to date. Recent versions of BIND support RFC 5011 and can manage key updates for you.
• Remember to regularly re-sign the zones. Signatures are typically valid for a month.
• make sure your DNS server supports EDNS0 (should not be a problem)
• make sure your firewall isn't blocking UDP DNS replies that are larger then 512 Bytes
• pick an algorithm that supports NSEC3 (RSASHA1-NSEC3-SHA1, which is #7, is my preferred one as it appears to be well supported compared to other NSEC3 algorithms)
• Test
• Test
• Test
• only deposit DS records with your parent zone after you completed the prior three steps

Anything I forgot? Please add a comment...

Couple URLs to use as a reference:

http://dnsviz.net/ - Really nice visualization tool.
http://dnssec-debugger.verisignlabs.com/ - thorough test of DNSSEC settings
http://www.dnssec.net - links to standards and tools
https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/ - Firefox extension to validate DNSSEC
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml - DNSSEC Algorithm Numbers
http://www.cymru.com/Documents/secure-bind-template.html - secure BIND template. Apply this first.
http://technet.microsoft.com/en-us/library/cc772661%28WS.10%29.aspx - Securing Microsoft DNS

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter