DNSSEC Made Easy
Arth Paulite
APNIC Infrastructure Services
What is DNSSEC
• Domain Name System Security Extension
• Protect integrity and authenticity of DNS data
• Uses digital signatures similar to e-mail
• DNSSEC signing
– Zone data is signed with the zone's private key; the authoritative DNS server returns the signature (RRSIG) together with the answer
• DNSSEC validation
– The DNS resolver verifies the signature using the zone's public key (DNSKEY)
DNSSEC Signing
• What is it?
– The process of digitally signing DNS records using cryptographic keys.
– Ensures that DNS data (A, MX, TXT records) hasn’t been tampered with.
• Who does it?
– Domain owners or their hosting providers
• How it works?
– The zone's records are signed with the owner's private key; the public key is published in the zone as a DNSKEY record
– A hash of that public key (the DS record) is published in the parent zone
• Purpose
– To prove authenticity and integrity of DNS data.
DNSSEC validation
• What is it?
– The process of verifying digital signatures during DNS resolution
• Who does it?
– DNS resolvers (ISP resolvers or public DNS services such as 1.1.1.1 and 8.8.8.8)
• How it works?
– Resolver checks the signature (RRSIG) on DNS records against the zone's DNSKEY
– It follows the chain of trust from the root zone (the trust anchor) down through each DS record to the domain
– If the signature is valid and the chain is intact, the data is accepted; otherwise the resolver returns SERVFAIL instead of the forged or broken answer
• Purpose
– To protect users from getting forged DNS responses
DNSSEC key components
• Traditional (split keys)
– Zone Signing Key (ZSK)
• Used to sign the zone's individual RRsets
– Key Signing Key (KSK)
• Used to sign the DNSKEY RRset, which contains both the ZSK and the KSK itself
• Delegation Signer (DS)
– Hash of the KSK public key, published in the parent zone
– Links the child zone to the parent zone, forming the DNSSEC chain of trust
• Simple
– Combined Signing Key (CSK)
• A single key that plays both the KSK and the ZSK role
Where do I start
• Use DNSSEC validation everywhere
– Home, work and especially public network
• Test your connection - https://internet.nl
• Use a validating public resolver such as 1.1.1.1 or 8.8.8.8
– or run your own validating resolver (open source):
• BIND - Internet Systems Consortium (ISC)
• Unbound - NLnet Labs
• Knot Resolver - CZ.NIC, operator of the .cz ccTLD
• PowerDNS Recursor - Open-Xchange
PH DNSSEC validation rate (chart)
DNSSEC signing for domain owner
• Use a hosting provider with DNSSEC support
– Amazon Route 53
– Cloudflare free account
• Basic web caching is sufficient for most sites
• Free DNS hosting
• Automatic DNSSEC signing
• Run your own DNSSEC signer
– BIND
– Knot DNS
– PowerDNS
Challenges in DNSSEC signing
• DNSSEC policy
– DNSSEC key specs
• algorithm, length
– Key timings
• Key expiry
• Safely retiring used keys
– Signature timings
• Signature validity
• Signature refresh
– Zone timings
– Key rollover
• Regular key replacement
• Generating DS record
• DS record registration to parent
• Operational overhead
– Additional tooling
– Monitoring (signature expiry, DS in the parent matching the DNSKEY in the child)
– Additional resources and expertise
Automated DNSSEC policy
Applying the default policy to a zone (named.conf):

zone "paulite.art" {
    type primary;
    file "db.paulite.art";
    dnssec-policy default;
};

BIND 9.20 built-in "default" DNSSEC policy (excerpt):

dnssec-policy "default" {
    keys { csk key-directory lifetime unlimited algorithm ecdsa256; };
    ...
    # Key timings
    dnskey-ttl PT1H;
    publish-safety PT1H;
    retire-safety PT1H;
    purge-keys P90D;
    ...
    # Signature timings
    signatures-refresh P5D;
    signatures-validity P14D;
    signatures-validity-dnskey P14D;
    ...
    # Zone parameters
    max-zone-ttl P1D;
    zone-propagation-delay PT5M;
    parent-ds-ttl P1D;
    parent-propagation-delay PT1H;
};
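Most of that policy is timing, and the values only work together when the signature refresh window outlasts what resolvers may still have cached. The following Python script is an added example (not code from the slides or from BIND): it parses the ISO 8601 durations used in dnssec-policy statements and checks those relationships, using the BIND 9.20 default values quoted above as constructed input. The rollover intervals it derives follow the RFC 7583 pre-publication and retire formulas plus BIND's safety margins; that is this example's simplification, not BIND's own scheduler.

```python
"""Sanity-check the timing values of a BIND dnssec-policy.

Added example, not code from the slides or from BIND.  It parses the
ISO 8601 durations used in dnssec-policy statements and checks the
relationships between signature, TTL and propagation timings.
"""
import re

# ISO 8601 durations as BIND accepts them in dnssec-policy: P<weeks>W, P<days>D,
# PT<hours>H<minutes>M<seconds>S, or a bare number of seconds.  Years and months
# are not handled by this example because their length is not fixed.
_ISO = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_duration(value):
    """Convert 'P14D', 'PT1H', 'PT5M' or '3600' to seconds."""
    if value.isdigit():
        return int(value)
    m = _ISO.match(value)
    if not m or not any(m.groups()):
        raise ValueError("unsupported duration: %r" % value)
    w, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return w * 604800 + d * 86400 + h * 3600 + mi * 60 + s


# Constructed input: the BIND 9.20 "default" policy values quoted on the slide.
BIND_DEFAULT_POLICY = {
    "dnskey-ttl": "PT1H",
    "publish-safety": "PT1H",
    "retire-safety": "PT1H",
    "purge-keys": "P90D",
    "signatures-refresh": "P5D",
    "signatures-validity": "P14D",
    "signatures-validity-dnskey": "P14D",
    "max-zone-ttl": "P1D",
    "zone-propagation-delay": "PT5M",
    "parent-ds-ttl": "P1D",
    "parent-propagation-delay": "PT1H",
}


def check_policy(policy):
    """Return a list of problems; an empty list means the timings are consistent."""
    p = {k: parse_duration(v) for k, v in policy.items()}
    problems = []
    refresh = p["signatures-refresh"]
    # Longest a resolver may still serve an old RRSIG after the zone was re-signed:
    # the largest TTL in the zone plus the time the new zone takes to reach every
    # secondary.
    cache_window = p["max-zone-ttl"] + p["zone-propagation-delay"]
    for validity_opt in ("signatures-validity", "signatures-validity-dnskey"):
        if refresh >= p[validity_opt]:
            problems.append("signatures-refresh must be shorter than %s" % validity_opt)
    # BIND re-signs an RRset when 'signatures-refresh' remains before the RRSIG
    # expires; that remaining window must outlast every cached copy, or validating
    # resolvers see expired signatures and answer SERVFAIL.
    if refresh <= cache_window:
        problems.append(
            "signatures-refresh (%ds) does not exceed max-zone-ttl + "
            "zone-propagation-delay (%ds)" % (refresh, cache_window)
        )
    return problems


def rollover_intervals(policy):
    """RFC 7583-style intervals with BIND's safety margins (this example's
    simplification; BIND's scheduler adds further terms for some transitions).
      publish:   how long a new DNSKEY must be visible before it may sign
      ds_retire: how long the old DS must stay after the new DS is in the parent
    """
    p = {k: parse_duration(v) for k, v in policy.items()}
    return {
        "publish": p["dnskey-ttl"] + p["zone-propagation-delay"] + p["publish-safety"],
        "ds_retire": p["parent-ds-ttl"] + p["parent-propagation-delay"] + p["retire-safety"],
    }


if __name__ == "__main__":
    print("problems:", check_policy(BIND_DEFAULT_POLICY) or "none")
    print("intervals (seconds):", rollover_intervals(BIND_DEFAULT_POLICY))
```

With the defaults the script reports no problems: signatures are refreshed with 5 days of validity left, far more than the one-day maximum TTL plus five minutes of propagation. Shrinking signatures-validity to P2D with a P1D refresh, a setting sometimes chosen to "limit exposure", fails the cache-window check, which is the kind of mistake that produces intermittent SERVFAILs.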
Automated DS record registration
• RFC 7344 – Automating DNSSEC Delegation Trust Maintenance
– Child Delegation Signer (CDS)
– Child DNSKEY (CDNSKEY)
– Describes how a child zone publishes CDS/CDNSKEY records to signal the DS records it wants in the parent zone
• RFC 8078 – Managing DS Records from the Parent via CDS/CDNSKEY
– Extends RFC 7344 with rules a registry can safely follow, including initial DS enrollment and DS removal (the CDS 0 0 0 00 delete form)
• Registries supporting automated DS record registration
– .ch - Switzerland ccTLD
– .cz - Czech Republic ccTLD
Manual DS registration
• Perform DNS query for CDS
% dig cds paulite.art
paulite.art. CDS 31498 13 2 ABA02B050B629888C281BA33B208A188AB1…
• Where:
➢ 31498 - key tag (key ID) of the DNSKEY; compare it with the "key id" that dig +multiline dnskey paulite.art prints
➢ 13 - DNSKEY algorithm: ECDSAP256SHA256
➢ 2 - DS digest type: SHA-256 (this field names the hash, not an RSA algorithm)
➢ The last field is the 64-hex-digit SHA-256 digest of the DNSKEY (owner name plus RDATA), not of the raw public key alone
• Submit these four fields to the registrar as the DS record; the CDS has the same format as the DS the parent will publish
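Because a CDS has the same wire format as a DS, the values a registrar asks for can be recomputed from the zone's DNSKEY rather than copied blindly. The following Python script is an added example (not code from the slides, from BIND or from dig): it computes the key tag and the DS/CDS digest from a DNSKEY, and performs the parent-to-child check a validator makes when it follows the chain of trust from a DS down to a DNSKEY, which is the link described on the key-components and validation slides. The dskey.example.com key is the RFC 4034 test vector; the paulite.art key is a constructed four-byte placeholder whose tag can be checked by hand, not a real ECDSA key.

```python
"""Build and check DS/CDS records from a DNSKEY.

Added example, not code from the slides or from BIND/dig.  It implements the
key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 5.1.4; RFC 4509 for
SHA-256) computations, which is also what a validator does when it follows a
DS in the parent down to a DNSKEY in the child.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x0100  # RFC 4034 2.1.1 bit 7; a DS may only point at a zone key
SEP_FLAG = 0x0001       # bit 15 "secure entry point"; 257 = zone key + SEP


def wire_name(name):
    """Owner name in canonical wire form (RFC 4034 6.2): lower-cased labels,
    each length-prefixed, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag for every algorithm except RSAMD5 (1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, digest) for a DS or CDS record.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_TYPES[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def format_ds(owner, ds, rtype="DS"):
    """Presentation format, e.g. 'paulite.art. IN CDS 31498 13 2 ABA0...'."""
    return "%s. IN %s %d %d %d %s" % (owner.rstrip("."), rtype, *ds)


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """The chain-of-trust link a validator checks (RFC 4035 5.2): the DS must
    name this key's tag and algorithm, the digest must match, and the DNSKEY
    must carry the Zone Key flag (the SEP flag is only a hint)."""
    tag, alg, dtype, digest = ds
    if not flags & ZONE_KEY_FLAG or alg != algorithm or dtype not in DIGEST_TYPES:
        return False
    computed = make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return computed[0] == tag and computed[3] == digest.upper()


# Test vector from RFC 4034 5.4 (key id 60485); RFC 4509 2.3 gives its SHA-256 DS.
RFC4034_OWNER = "dskey.example.com."
RFC4034_KEY_B64 = (
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZ"
    "DRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw=="
)

# Constructed toy key (not a real ECDSA key) whose tag can be checked by hand:
# RDATA 01 01 03 0d 00 01 02 03 -> 0x0101 + 0x030d + 0x0001 + 0x0203 = 1554.
TOY_OWNER = "paulite.art"
TOY_KEY_B64 = "AAECAw=="  # bytes 00 01 02 03


if __name__ == "__main__":
    ds = make_ds(RFC4034_OWNER, 256, 3, 5, RFC4034_KEY_B64, 2)
    print(format_ds(RFC4034_OWNER, ds))
    print("DS matches DNSKEY:",
          ds_matches_dnskey(ds, RFC4034_OWNER, 256, 3, 5, RFC4034_KEY_B64))
    print(format_ds(TOY_OWNER, make_ds(TOY_OWNER, 257, 3, 13, TOY_KEY_B64), "CDS"))
```

Feed the script the DNSKEY your signer publishes and compare its output with the CDS from dig and with what the registrar shows after registration; a mismatch in any of the four fields means the delegation is bogus and every validating resolver will SERVFAIL the zone.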
Manual DS record registration
(screenshot: godaddy.com DS registration form)
Monitoring – dnsviz.net
(dnsviz.net chain-of-trust graph: . (root) → art → paulite.art, with the paulite.art DNSSEC status)
Summary
• DNSSEC validation
– Can easily be achieved by using a validating public DNS resolver
– Open-source resolvers validate by default once they have the root trust anchor (BIND's default dnssec-validation auto uses its built-in root key and keeps it current with RFC 5011)
• DNSSEC signing
– BIND 9.20 "default" policy is a good starting point
• Uses the recommended algorithm – ECDSAP256SHA256 (algorithm 13)
• Default timings are within the recommended range
• Uses a single CSK with unlimited lifetime, so no scheduled key rollover has to be operated
• Publishes a CDS record so a parent that supports RFC 7344/8078 can pick up the DS automatically
• Built-in tool (rndc dnssec) for manual key rollover and for telling named when the DS has been published
– References
• ISC knowledge base – https://kb.isc.org
• APNIC Academy - Hands-on DNS/DNSSEC lab exercise
Thank you!

DNSSEC Made Easy, presented at PHNOG 2025
