It is a set of extensions to DNS that provide DNS clients (resolvers)
with origin authentication of DNS data, authenticated denial of
existence, and data integrity.
How does DNSSEC work?
DNSSEC works by digitally signing answers to DNS lookups using
public-key cryptography. By verifying these signatures, a security-aware
DNS resolver can determine whether the answer it received was correct
(secure), whether the authoritative name server for the domain being
queried does not support DNSSEC (insecure), or whether some sort of
error occurred.
More info: http://training.nlnetlabs.nl/Documentation/dnssec_howto.pdf
Does DNSSEC support GOST cryptographic algorithms?
Yes, at present the GOST cryptographic algorithms for DNSSEC are specified in
RFC 5933.
Is DNSSEC available with certified crypto-products?
«MagPro DNS» is provided for those who need to use a certified solution in the Russian Federation.
This product relies upon the «MagPro CryptoPacket 2.0»
solution, whose certification is now in progress.
Two keys are used for signing a zone file: the KSK and the ZSK. Each of them is a pair consisting of a private key and a public key: the private key is used to produce signatures and the public key is used to verify them.
KSK is the Key Signing Key; it is used to produce and verify digital signatures over the public part of the ZSK.
ZSK is the Zone Signing Key; it is used to sign and verify all records (except DS) in the zone served by the DNS server.
Signed zone files contain DS records, which let a resolver know that
the lower-level DNS server is trusted by the current DNS server. This
builds the so-called «chain of trust».
A trusted key is the public part of the KSK of the DNSSEC-enabled DNS server
from which your chain of trust starts. It is also called a «trust
anchor». It is distributed through a website or by e-mail.
How can I sign a zone?
To sign a zone you need to generate a KSK and a ZSK and then
sign the unsigned zone with them.
There are two pairs of utilities for this purpose: dnssec-keygen + dnssec-signzone (from the BIND project by ISC) or ldns-keygen + ldns-signzone (from the LDNS project by NLnet Labs).
You can find information on how to use them on these pages:
Signing a zone with «dnssec-signzone»
Signing a zone with «ldns-signzone»
How can I check that DNSSEC works correctly?
To check a resolver or a DNS server there is the dig
utility, which is part of the dnsutils package from the BIND DNS server
by ISC, or the drill utility from the LDNS project by NLnet Labs.
You can find information on how to use them to check DNSSEC on these pages:
Checking DNSSEC with the «dig» utility
Checking DNSSEC with the «drill» utility
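As an added example (not from the original page, nor from the BIND or LDNS projects), a small POSIX shell helper that turns the text output of dig +dnssec into the outcomes the FAQ names (secure, insecure, error) plus one extra case a practitioner meets in practice: signed data that the resolver did not validate. The sample dig outputs are constructed, and the example.com name and the 192.0.2.53 resolver address are placeholders.

```shell
#!/bin/sh
# Classify a "dig +dnssec" answer into the outcomes the FAQ describes.
# Added example, not from the original page; assumes BIND dig's text output.

# Read dig output on stdin and print one word:
#   secure      - status NOERROR/NXDOMAIN and the AD (authenticated data) flag set
#   unvalidated - RRSIGs present but no AD flag: this resolver did not validate
#   insecure    - no AD flag and no RRSIGs: the zone/server does not use DNSSEC
#   error       - any other status; SERVFAIL from a validating resolver usually
#                 means validation failed (re-query with +cd to see the raw data)
dnssec_status() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR|NXDOMAIN) ;;
    *) echo error; return 0 ;;
  esac
  case " $flags " in
    *" ad "*) echo secure; return 0 ;;
  esac
  if printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]]RRSIG[[:space:]]'; then
    echo unvalidated
  else
    echo insecure
  fi
}

# Live check (needs dig on PATH), e.g.: check_dnssec example.com 192.0.2.53
check_dnssec() {
  dig +dnssec ${2:+@$2} "$1" A | dnssec_status
}

# Constructed sample outputs, trimmed to the lines the classifier reads.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.  3600 IN A 192.0.2.1
example.com.  3600 IN RRSIG A 13 2 3600 20240101000000 20231201000000 12345 example.com. c29tZXNpZw=='
SAMPLE_UNVALIDATED=$(printf '%s\n' "$SAMPLE_SECURE" | sed 's/ ra ad;/ ra;/')
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.  3600 IN A 192.0.2.1'
SAMPLE_ERROR=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_SECURE" | dnssec_status   # prints: secure
```

The AD flag is only meaningful when the resolver you query does validation itself; against a non-validating resolver, a signed zone shows up as "unvalidated" rather than "secure".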