DNSSEC is coming – Are you ready?
The demand for DNSSEC is growing and by 2015 .SE Registry is planning to have the entire zone signed. Is your platform ready to embrace DNSSEC? Atomia is.
In this blog post we will give you a short introduction to DNSSEC, explaining why it is important and how it works in Atomia.
Background to DNSSEC
One of the essential elements that allowed the internet to evolve into its current state is the Domain Name System (DNS). It is used in almost every interaction that uses names as identifiers: web browsing, e-mailing and spam filtering, to name a few. DNS was designed to be fast, not secure, and one of its fundamental architectural components, caching nameservers, opens the door to tampering with DNS data during lookups (DNS spoofing and DNS cache poisoning).
Some noteworthy domain names that have been subject for attacks:
- CitiCards.com
- AmericanExpress.com
- FedEx.com
- DHL-USA.com
- Sabre.com
This issue has been known for many years, and about ten years ago the Domain Name System Security Extensions (DNSSEC) were first introduced.
DNSSEC is designed to deal with this and other DNS vulnerabilities. Its major objective is to validate the authenticity and integrity of DNS messages in such a way that tampering with the DNS information anywhere in the chain will be detected.
The biggest drawback of DNSSEC is that, because of its distributed nature, it has to be deployed by a significant number of DNS data providers before it becomes relevant. A big leap forward for DNSSEC was taken in July 2010 when ICANN signed the root zone.
One of the registries that has been pushing DNSSEC is .SE (the registry for the Swedish TLD); their outspoken goal is to have the entire zone signed by 2015.
For registrars/domain resellers this means that they have to become DNSSEC ready sooner rather than later. Signing and renewing zones and reloading the DNS should be fully automated and there should not be a “project” to add support for new TLDs.
This is where Atomia can help: our platform supports full DNSSEC automation out of the box and lets you focus on selling hosting plans instead of running integration projects.
How it works in Atomia
With Atomia you will get DNSSEC support out of the box, but for this blog post we will give you the details on what is happening in the background and what components are affected.
Atomia Automation Server
HostedDNSSEC must be set to 1 in the Automation Server Configuration file. This is the default setting.
Atomia DNS
Atomia DNS will generate the needed DNSSEC keys and sync them, together with the unsigned zone data, to PowerDNS. This can be carried out automatically during installation or manually afterwards by running the following commands:
atomiadnsclient --method AddDNSSECKey --arg RSASHA256 --arg 2048 --arg KSK --arg 1
atomiadnsclient --method AddDNSSECKey --arg RSASHA256 --arg 1024 --arg ZSK --arg 0
atomiadnsclient --method AddDNSSECKey --arg RSASHA256 --arg 1024 --arg ZSK --arg 1
PowerDNS
Atomia has chosen to integrate with PowerDNS as name server software for DNSSEC.
PowerDNS will sign domain names dynamically and automatically make sure the signatures are always up to date.
Atomia Domain Registration
Atomia Domain Registration will know what key to publish to the TLD zone. The support for DNSSEC will be configured during installation but can also be configured manually afterwards with the following configuration:
hosted_dnssec_default = 1
hosted_dnssec_delegation_filter ns1.someprovider.com
hosted_dnssec_delegation_filter ns2.someprovider.com
To add DNSSEC support for a new TLD you simply need to turn the switch on:
supports_dnssec = 1
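To make the chain of trust described above concrete (a KSK signing the key set, a ZSK signing the zone data, the parent TLD publishing a digest of the KSK, and a validator rejecting altered data), here is an added example in Go. It is not Atomia's or PowerDNS's code: it uses a simplified canonical form instead of the RFC 4034 wire format, a constructed zone (example.se. with the documentation address 192.0.2.10), and the RSASHA256 algorithm and 2048/1024-bit key sizes from the atomiadnsclient commands above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified resource record set: owner name, type and RDATA strings.
type RRset struct {
	Owner string
	Type  string
	Rdata []string
}

// canonical builds a deterministic byte form of an RRset. Real DNSSEC uses the
// RFC 4034 canonical wire format; this toy form keeps the property that matters
// here: every byte of owner, type and (sorted) RDATA is covered by the signature.
func canonical(rr RRset) []byte {
	sorted := append([]string(nil), rr.Rdata...)
	sort.Strings(sorted)
	return []byte(strings.ToLower(rr.Owner) + "\x00" + rr.Type + "\x00" + strings.Join(sorted, "\x00"))
}

// Sign plays the RRSIG role: an RSASHA256 signature over the canonical RRset.
func Sign(key *rsa.PrivateKey, rr RRset) ([]byte, error) {
	digest := sha256.Sum256(canonical(rr))
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// Verify is what a validating resolver does with RRSIG + DNSKEY.
func Verify(pub *rsa.PublicKey, rr RRset, sig []byte) bool {
	digest := sha256.Sum256(canonical(rr))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// DSDigest mimics the DS record: a SHA-256 digest of the KSK public key that the
// parent zone (the TLD) publishes. This is "the key to publish to the TLD zone".
func DSDigest(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return hex.EncodeToString(sum[:])
}

// Result records what a validator would conclude for each step of the chain.
type Result struct {
	DNSKEYValid   bool   // KSK signature over the DNSKEY RRset validates
	AValid        bool   // ZSK signature over the genuine A RRset validates
	TamperedValid bool   // the same RRSIG after a spoofed A record (must be false)
	DS            string // hex DS digest of the KSK, handed to the parent zone
}

// Demo builds a constructed zone, signs it with a KSK/ZSK pair and checks that a
// poisoned answer is rejected while the genuine data still validates.
func Demo() (Result, error) {
	ksk, err := rsa.GenerateKey(rand.Reader, 2048) // key-signing key, as in the KSK command
	if err != nil {
		return Result{}, err
	}
	zsk, err := rsa.GenerateKey(rand.Reader, 1024) // zone-signing key, as in the ZSK commands
	if err != nil {
		return Result{}, err
	}
	// The DNSKEY RRset carries both public keys and is signed by the KSK only.
	dnskey := RRset{"example.se.", "DNSKEY", []string{
		hex.EncodeToString(ksk.PublicKey.N.Bytes()),
		hex.EncodeToString(zsk.PublicKey.N.Bytes()),
	}}
	keySig, err := Sign(ksk, dnskey)
	if err != nil {
		return Result{}, err
	}
	// Ordinary zone data (constructed example) is signed by the ZSK.
	a := RRset{"www.example.se.", "A", []string{"192.0.2.10"}}
	aSig, err := Sign(zsk, a)
	if err != nil {
		return Result{}, err
	}
	// A cache-poisoning attempt swaps the address but cannot produce a new RRSIG.
	spoofed := RRset{a.Owner, a.Type, []string{"198.51.100.99"}}
	return Result{
		DNSKEYValid:   Verify(&ksk.PublicKey, dnskey, keySig),
		AValid:        Verify(&zsk.PublicKey, a, aSig),
		TamperedValid: Verify(&zsk.PublicKey, spoofed, aSig),
		DS:            DSDigest(&ksk.PublicKey),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("DNSKEY valid: %v\nA valid: %v\nspoofed A valid: %v\nDS for TLD: %s\n",
		r.DNSKEYValid, r.AValid, r.TamperedValid, r.DS)
}
```

The split between keys is the point of the two AddDNSSECKey roles: the small, frequently rolled ZSK signs the bulk of the zone, while only the larger KSK is referenced from the parent through the DS digest, so rolling the ZSK never requires touching the TLD.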
The bottom line is that once Atomia Cloud Hosting Platform is installed you have everything you need to start selling secure DNS services. Not all registries/registrars support DNSSEC today, but it is just a matter of time. Today, there are 85 signed TLDs (out of 310) and the number is growing.
More about DNSSEC:
http://en.wikipedia.org/wiki/DNSSEC