{"id":1614,"date":"2013-01-03T12:58:10","date_gmt":"2013-01-03T11:58:10","guid":{"rendered":"http:\/\/www.ofcourseimright.com\/?p=1614"},"modified":"2013-01-03T13:26:10","modified_gmt":"2013-01-03T12:26:10","slug":"securing-domain-names-whats-it-take","status":"publish","type":"post","link":"https:\/\/ofcourseimright.com\/?p=1614","title":{"rendered":"Securing domain names: what&#8217;s it take?"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft\" alt=\"(Courtesy: Joshua Sherurcij) An old padlock \" src=\"http:\/\/upload.wikimedia.org\/wikipedia\/commons\/3\/33\/Early_padlock.jpg\" width=\"140\" height=\"188\" \/>When you see a URL like http:\/\/www.ofcourseimright.com, your computer needs to convert the domain name \u201cwww.ofcourseimright.com\u201d to an IP address like 62.12.173.114. As with everything else on the Internet, there are more or less secure ways of doing this. Even the least secure way is actually pretty hard to attack. While false information is returned by the DNS all the time, usually it&#8217;s benign. There are still some reasons to move to a more secure domain name system:<\/p>\n<ul>\n<li>Attackers are getting more sophisticated, and they may attack resolvers (the services that turn names into numbers). Service providers, hotels, and some Wi-Fi networks are subject to these sorts of attacks, and they are generally unprepared for them.<\/li>\n<li>A number of applications could make use of the domain name system in new ways if it were more secure.<\/li>\n<\/ul>\n<p>Still, it&#8217;s good that the current system hasn&#8217;t been seriously attacked, because the way the Internet Engineering Task Force (<a href=\"http:\/\/www.ietf.org\">IETF<\/a>) recommends \u2013 <a href=\"http:\/\/www.rfc-editor.org\/cgi-bin\/rfcdoctype.pl?loc=RFC&amp;letsgo=4033&amp;type=http&amp;file_format=txt\">DNSSEC<\/a> \u2013 is a major pain in the patoot for mere mortals to use. There is some good news: some very smart people have <a href=\"http:\/\/www.rfc-editor.org\/rfc\/rfc6781.txt\">begun to document<\/a> how to manage All of This\u00ae. What&#8217;s more, <strong>some<\/strong> <a href=\"http:\/\/en.wikipedia.org\/wiki\/Domain_name_registrar\">DNS registrars<\/a> who manage your domain names for you will, <strong>for a price<\/strong>, secure your domain name. However, doing so truly hands the registrar the keys to the castle: they generate and hold the private keys, and whoever holds the keys controls what the zone says. And so what follows is my adventure into securing a domain name.<\/p>\n
<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright\" alt=\"http:\/\/upload.wikimedia.org\/wikipedia\/commons\/f\/f0\/DNSSEC_resource_record_check.png\" src=\"http:\/\/upload.wikimedia.org\/wikipedia\/commons\/f\/f0\/DNSSEC_resource_record_check.png\" width=\"310\" height=\"242\" \/><\/p>\n<p>DNSSEC is a fairly complex beast, and this article is not going to explain it all. The moving parts to consider are how the zone signs its records, how those signatures are authorized (in this case by the parent zone), and how the resolver validates what it receives. For any such system there must be a chain of trust between the publisher and the consumer for the consumer to reasonably believe what the publisher is saying. DNSSEC builds that chain by publishing in the parent zone a hash of the child zone&#8217;s key signing key, in the form of a DS record. That way you know that the parent (say, .com) has reason to believe that information signed with a particular key belongs to the child.<\/p>\n
<p>From the child zone perspective (e.g., ofcourseimright.com), there are roughly five steps to securing a domain with DNSSEC:<\/p>\n<ol>\n<li>Generate zone signing key pairs (ZSKs). These keys are used to sign and validate each record set in the zone.<\/li>\n<li>Generate key signing key pairs (KSKs). These keys are used to sign and validate the DNSKEY record set, which is where the zone signing keys are published. They are known in the literature as the Secure Entry Point (SEP) because there aren&#8217;t enough acronyms in your life.<\/li>\n<li>Sign the zone.<\/li>\n<li>Generate a hash of the DNSKEY record for each KSK, in the form of a DS record.<\/li>\n<li>Publish the DS in the parent zone. This provides the means for anyone to confirm which keys belong to your zone.<\/li>\n<\/ol>\n
<p>Steps one through four are generally pretty easy when you only have to do them once. The oldest and most widely used name server package, <a href=\"https:\/\/www.isc.org\/wordpress\/software\/bind\/\">BIND<\/a>, provides the tools to do this, although the instructions are not what I would consider straightforward.<\/p>\n
<p>Step five, however, is quite the pain. To start with, you must find a registrar who will take your DS record. There are very few that allow this at all. For &#8220;.com&#8221; I have found only two. Furthermore, the means of accepting those records is far from standardized. For instance, at least one registrar insists that DS records be stored in the child zone; they are only listed in the parent zone once you&#8217;ve used the web interface and selected one of the records it found there. Another registrar requires that you type the DS record information into a web interface. It turns out this isn&#8217;t perfect either. For one thing, it&#8217;s error prone, particularly as it relates to the validity period of a signature.<\/p>\n
<p>This brings us to the real problem with DNSSEC: keys do not stay in service forever. Signatures carry an expiration time, and operational practice is to roll both ZSKs and KSKs on a schedule. This rests on the well established security notion that with enough computing power any key can be broken in some period of time, so a key should not stay in use long enough for that to matter. But it also means that one has to repeat the steps above periodically (steps one through three for a ZSK roll, and all five for a KSK roll, because the DS in the parent must change), and do so in a way that observes the underlying caching semantics of the domain name system: a resolver may keep the old DNSKEY set or old signatures in its cache for as long as their TTL, so a new key has to be published before it signs anything, and an old key has to stay published until everything it signed has aged out of caches. 
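The arithmetic behind steps four and five, and the waiting periods a rollover has to respect, are easier to see in working code. What follows is an added example, not code from the original post and not BIND or OpenDNSSEC code: it builds the DS record that goes to the parent from a DNSKEY (RFC 4034), using a constructed all-zero sample key rather than a real one, and lays out the pre-publish ZSK and double-signature KSK rollover timelines of RFC 6781 so that the TTL and propagation waits are explicit. The zone name ofcourseimright.com is from the post; the TTL and propagation values in the sample run are assumptions for illustration.

```python
# Added example, not the post's own code: the DS arithmetic of RFC 4034 and the
# rollover waits of RFC 6781, standard library only. The sample DNSKEY at the
# bottom is a constructed all-zero key, not a real one.
import base64
import hashlib

# DS digest type -> hash (RFC 4034 s5.1.3 SHA-1, RFC 4509 SHA-256, RFC 6605 SHA-384)
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x0100   # DNSKEY flags bit 7: this key signs a zone
SEP_FLAG = 0x0001        # DNSKEY flags bit 15: Secure Entry Point (a KSK)


def canonical_name_wire(name):
    '''Owner name in canonical wire form (RFC 4034 s6.2): lowercase, fully
    qualified, uncompressed, length-prefixed labels, root label last.'''
    name = name.lower().rstrip('.')
    out = bytearray()
    for label in (name.split('.') if name else []):
        raw = label.encode('ascii')
        if not 1 <= len(raw) <= 63:
            raise ValueError('bad label in ' + name)
        out.append(len(raw))
        out.extend(raw)
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    '''DNSKEY RDATA in wire form (RFC 4034 s2.1).'''
    return flags.to_bytes(2, 'big') + bytes([protocol, algorithm]) + pubkey


def parse_dnskey(text):
    '''DNSKEY RDATA from presentation form such as the string
    257 3 13 AbCd...= as BIND prints it; the base64 may contain whitespace.'''
    fields = text.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    return dnskey_rdata(flags, protocol, algorithm,
                        base64.b64decode(''.join(fields[3:])))


def key_tag(rdata):
    '''Key tag (RFC 4034 Appendix B): a 16-bit sum over the RDATA. Algorithm 1
    (RSA/MD5) uses a different rule, so it is refused rather than miscomputed.'''
    if rdata[3] == 1:
        raise ValueError('key tag rule for algorithm 1 not implemented')
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=2):
    '''DS record for the parent (RFC 4034 s5.1.4): the digest covers the
    canonical owner name followed by the DNSKEY RDATA, so case and a trailing
    dot do not change it. Refuses keys without the zone key flag.'''
    if not int.from_bytes(rdata[:2], 'big') & ZONE_KEY_FLAG:
        raise ValueError('DNSKEY is not a zone key; a DS for it validates nothing')
    digest = DS_DIGEST[digest_type](canonical_name_wire(owner) + rdata).hexdigest()
    fqdn = owner.lower().rstrip('.') + '.'
    return '%s IN DS %d %d %d %s' % (fqdn, key_tag(rdata), rdata[3],
                                    digest_type, digest.upper())


def prepublish_zsk_rollover(dnskey_ttl, max_zone_ttl, propagation):
    '''Pre-publish ZSK rollover (RFC 6781 s4.1.1.1), as seconds after the new
    key is added to the DNSKEY set. Each wait is the longest a resolver can
    still serve the previous DNSKEY set or previous RRSIGs from cache, plus
    the time for a zone change to reach every authoritative server.'''
    sign_with_new = dnskey_ttl + propagation
    remove_old = sign_with_new + max_zone_ttl + propagation
    return {'publish_new': 0, 'sign_with_new': sign_with_new,
            'remove_old': remove_old}


def double_signature_ksk_rollover(dnskey_ttl, propagation,
                                  parent_ds_ttl, parent_propagation):
    '''Double-Signature KSK rollover (RFC 6781 s4.1.2). The DNSKEY set is
    signed by both KSKs from the start; the new DS goes to the parent (step
    five) only once every cache can see the new KSK, and the old KSK and old
    DS stay until the old DS has aged out of caches.'''
    submit_ds = dnskey_ttl + propagation
    remove_old = submit_ds + parent_ds_ttl + parent_propagation
    return {'publish_new_ksk': 0, 'submit_new_ds': submit_ds,
            'remove_old_ksk_and_ds': remove_old}


if __name__ == '__main__':
    # Constructed sample: KSK flags (257 = zone key + SEP), algorithm 13,
    # all-zero 64-byte public key. Real keys come from dnssec-keygen.
    sample = dnskey_rdata(ZONE_KEY_FLAG | SEP_FLAG, 3, 13, bytes(64))
    print(ds_record('ofcourseimright.com', sample))
    print(prepublish_zsk_rollover(dnskey_ttl=3600, max_zone_ttl=86400,
                                  propagation=900))
```

Run it against a real DNSKEY and the DS line should match what BIND's dnssec-dsfromkey prints for the same key. The two timelines are exactly what a tool like OpenDNSSEC automates, and what a by-hand rollover tends to get wrong is skipping one of those waits: signing with a key that some caches have not yet seen, or pulling a key while signatures it made are still being served.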
And this is where mere mortals have run away. I know. I ran away some time ago.<\/p>\n<h2>A tool to manage keying (and rekeying)<\/h2>\n<p>But now I&#8217;m trying again, thanks to several key developments, the first of which is a new tool called <a href=\"http:\/\/www.opendnssec.org\/\">OpenDNSSEC<\/a>. OpenDNSSEC takes as input a zone file, writes as output the signed zone, and rolls keys on a configured schedule. The tool can also generate output that can be fed to other tools to update parent zones such as \u201c.com\u201d, and it can manage multiple domains. I manage about six of them myself.<\/p>\n
<p>The tool is not entirely \u201cfire and forget\u201d. To start with, it has a substantial number of dependencies, none of which I would call showstoppers, but they do take some effort from someone who knows something about installing UNIX software. For another, as I mentioned, some registrars require that DS records be in the child zone, and OpenDNSSEC doesn&#8217;t do this. That&#8217;s a particular pain in the butt because it means you must globally configure the system not to increment the serial number in the SOA record for a zone, then append the DS records to the zone, and then reconfigure OpenDNSSEC to increment the serial number again. All of this is possible, but annoying. Two good solutions would be either to modify OpenDNSSEC or to change registrars. The latter is only an option for certain top level domains.<\/p>\n
<h2>Choosing a Registrar<\/h2>\n<p>To make OpenDNSSEC most useful one needs to choose a registrar that allows you to import DS records and also has a programmatic interface, so that OpenDNSSEC can call out to it when doing KSK rotations. In my investigations, I found such an organization in <a href=\"http:\/\/www.gkg.net\">GKG.NET<\/a>. These fine people provide a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Restful_interface\">RESTful<\/a> interface to manage DS records, which includes adding, deleting, listing, and retrieving key information. It&#8217;s really just what the doctor ordered. There are other registrars that have various forms of programmatic interfaces, but not so much for the US three-letter TLDs.<\/p>\n
<h2>The glue<\/h2>\n<p>Now this just leaves the glue between OpenDNSSEC and GKG.NET. What is needed: a library to parse JSON, another to manage HTTP requests, and a whole lot of error handling. These requirements aren&#8217;t that significant, and so one can pick one&#8217;s language. Mine was Perl, and it&#8217;s taken about 236 lines (that&#8217;s probably 300 in PHP, 400 in Java, and 1,800 in C).<\/p>\n
<h2>So what to do?<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright\" title=\"Rodin's Thinking Man, courtesy of Wikimedia and Satyakamk\" alt=\"http:\/\/upload.wikimedia.org\/wikipedia\/commons\/thumb\/a\/ad\/ThinkingMan_Rodin.jpg\/180px-ThinkingMan_Rodin.jpg\" src=\"http:\/\/upload.wikimedia.org\/wikipedia\/commons\/thumb\/a\/ad\/ThinkingMan_Rodin.jpg\/180px-ThinkingMan_Rodin.jpg\" width=\"180\" height=\"240\" \/>If you want to secure your domain name and you don&#8217;t mind your registrar holding onto your keys and managing your domain, then just let them do it. It is by far the easiest approach. But tools like OpenDNSSEC and registrars like GKG are definitely improving the situation for those who want to hold the keys themselves. One lingering concern I have about all of this is the number of moving parts. Security isn&#8217;t simply about cryptographic assurance. It&#8217;s also about how many things can go wrong, and how many points of attack there are. All this proves is that while DNSSEC itself can in theory make names secure, in practice, even though the system has been around for a good few years, the dizzying amount of technical knowledge needed to keep the system functional is a substantial barrier. And 
there will assuredly be bugs found in just about all the software I mentioned, including Perl, Ruby, SQLite, LDNS, libxml2 (the last four being OpenDNSSEC dependencies), and of course the code I wrote. This level of complexity is something that should be further considered, if we really want people to secure their name-to-address bindings.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you see a URL like http:\/\/www.ofcourseimright.com, your computer needs to convert the domain name \u201cwww.ofcourseimright.com\u201d to an IP address like 62.12.173.114. As with everything else on the Internet, there are more or less secure ways of doing this. Even the least secure way is actually pretty hard to attack. While false information is returned &hellip; <a href=\"https:\/\/ofcourseimright.com\/?p=1614\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Securing domain names: what&#8217;s it take?&#8221;<\/span><\/a><\/p>\n","protected":false},"author":172,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50,87,9],"tags":[460,461,464,465,462,463],"class_list":["post-1614","post","type-post","status-publish","format-standard","hentry","category-complexity","category-internet","category-security","tag-dns","tag-dnssec","tag-domains","tag-internet-security","tag-opendnssec","tag-registrars"],"_links":{"self":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/1614","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/users\/172"}],"replies":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1614"}],"versio
n-history":[{"count":4,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/1614\/revisions"}],"predecessor-version":[{"id":1629,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/1614\/revisions\/1629"}],"wp:attachment":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}