
What is needed to add DNSSEC to my site?

@Correia994

Posted in: #Dns #DnsServers #Free #SecurityCertificate

What is needed to add DNSSEC to my site?

Is it like HTTPS/SSL that I have to buy a certificate, or can I generate one myself to use? Is there any free way I can use DNSSEC or do I have to pay for this service? E.g. if I set up my own DNS servers, or if there are any free nameservers with DNSSEC.

If I use my web host's nameservers, I can buy DNSSEC from them for per year.


3 Comments


@Kimberly868

There are two separate elements to make DNSSEC work.


1. Generate keys and sign the DNS records.
2. Put the hash of the key in your parent zone (.se for example.se) via the DS record.


The latter is possible with .se and a growing number of other TLDs (refer to DNSSEC deployment on Wikipedia or subscribe to the dnssec-deployment mailing list).

In regards to the DIY part of the question: there are quite a few ways to implement DNSSEC for your zone. Current DNS servers already come with DNSSEC support, but still, you have to do the above steps. If you really want to do it yourself, you can use the BIND tools (keygen and signzone) or something like the OpenDNSSEC suite.

There are also some providers that offer DNSSEC in their portfolio, but usually you will have to transfer your domain to them or use something like DNSSEC in the middle. You might want to have a look at the recently published Phreebird by Kaminsky which sits right in front of your normal DNS server and performs signing. I would recommend exanames which is designed to do as much of the work related to DNSSEC as possible, but I am biased, because I am one of the developers.


@Correia994

After some more research I have found an answer.

DNSSEC protects against DNS cache poisoning. See About the Kaminsky bug for more information.

DNSSEC seems to be an extra service provided by the registrars, at least for .se; I haven't found anything about other top domains.

From DNSSEC – The path to a secure domain:


Today, .SE’s DNSSEC service is an addition offered by many registrars (i.e. resellers of domain names). It is the only way to get a secure domain that cannot be subject to attacks where the answers to DNS queries are falsified. Are you interested in securing your own web and e-mail address, please turn to your registrar for more information. If you are unsure whether or not your domain is using DNSSEC, you can easily find out completely free of charge at www.kaminskybug.se/.


@Ogunnowo487

If you don't know what DNSSEC is, then it probably doesn't apply to you. It's something that people running DNS servers have to implement. So that means your webhost and your ISP and your users' ISPs. If they haven't already deployed DNSSEC, then there's not much you can do about it.
