Update: Easy DNSSEC For .ca Domains 2021-11-15
In the last couple of days I was helping someone out with some DNSSEC issues and when we [thought we] were all done they pointed out to me that the DNSViz site was complaining about the use of ALGO 7 for the keys. The error message was "DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1)." So I redid the keys for my test domain with a different algorithm and it seems to have worked out. The first two commands below have been changed from using NSEC3RSASHA1 to ECDSAP256SHA256 (algorithm 13). When you submit your DS records for the .ca registry you only need to include the SHA-256 record (the longer one), because if you include both, the SHA-1 entry will be ignored anyway. That should keep DNSViz happy. :-)
Easy DNSSEC For .ca Domains 2019-09-20
I like the idea of DNSSEC, which lets a validating resolver check that the answers it gets for a domain are the ones the zone owner actually published and have not been altered on the way (it authenticates answers; it does not encrypt them). It helps to minimize the chances of having your DNS hijacked, which would likely be done to force you to visit forged web sites and other services. The problems with DNSSEC are that it isn't very widely deployed, and it is a pain in the ass to deploy. I think a number of people avoid using DNSSEC because if there are problems with setting it up then their whole domain could seemingly disappear until the problem is fixed.
A couple years back I decided to roll out DNSSEC on my domains and found it to be an irritating and disappointing experience. You first need to be using a TLD that is signed (such as .ca) and then you need to find a registrar who supports DNSSEC. The bad news is that even if your registrar does support DNSSEC, it doesn't mean they provide an easy way for you to manage your DNSSEC settings for your domains. Most of them get you to send an email or open a support ticket to manage your DNSSEC entries in the .ca registry. So a couple of years ago I found myself bitching to my registrar about this exact problem. I also bitched to CIRA, but they clearly did not give a shit. So I bounced around to a couple of registrars and finally landed at rebel.ca.
Recently I got my notification about the renewal of my snork.ca domain, and it appears the price at rebel has been jacked to $19. Whether the rate I paid previously was just an introductory rate designed to make me switch, I don't know, but over time (on multiple domains) that adds up. So I logged in to my 10dollar.ca account and noticed a section called DNSSEC settings. So I figured I would try adding DNSSEC to my shorturlbl.ca domain to see how well it works. Here's how it went:
I should start by saying that I already owned the domain and manage DNS for it with a Linux box running BIND. Frankly I think BIND is ugly and painful at times but it is a functional authoritative server with all the components required for reasonably easy DNSSEC deployment. If you do not manage your own DNS it is of course still possible to set up DNSSEC, it just means that your DNS provider has to provide you with a way to sign your zones. If you do run BIND, you just cd to wherever you keep your zone files and:
# dnssec-keygen -a ECDSAP256SHA256 -n ZONE domain.tld
# dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE domain.tld
Obviously you need to replace domain.tld with your actual domain name in the above commands. The first command creates a zone-signing key (ZSK, DNSKEY flags 256) and the second, with -f KSK, a key-signing key (KSK, flags 257); the KSK is the one whose DS record goes to the registry. ECDSA P-256 has a fixed key size, so there is no -b option to worry about (it is ignored for this algorithm). Each command writes a pair of files in your current directory, Kdomain.tld.+013+<keytag>.key (the public DNSKEY record) and Kdomain.tld.+013+<keytag>.private (the secret; keep it readable by root only and never copy it to your secondaries). The .key files should be included in your domain's zone file. You can do this manually or with a script like this:
for key in Kdomain.tld.+*.key
do echo "\$INCLUDE $key" >> domain.tld.zone
done
The end result is that your zone file should now have a couple of include lines at the bottom like this (these came from the original algorithm 7 keys; with ECDSAP256SHA256 the middle field of the file name is +013+):
$INCLUDE Kshorturlbl.ca.+007+10319.key
$INCLUDE Kshorturlbl.ca.+007+39720.key
Next you need to sign your zone with something like this. The -N INCREMENT option bumps the SOA serial once in the signed output, but re-signing the same unsigned file gives the same serial again, so still increase the serial in the unsigned zone every time you re-sign or your secondaries will not pick up the new signatures:
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.zone
You may find that installing the haveged package makes this go a little quicker on older kernels, where reading /dev/random for the salt can block; on Linux 5.6 and later /dev/random no longer blocks once the pool is seeded, so it makes no difference there. Two caveats on the options: -A sets the NSEC3 opt-out flag, which exists for huge delegation-heavy zones like TLDs and can be dropped for an ordinary zone, and the signatures dnssec-signzone produces are valid for 30 days by default (see -e), so you must re-sign the zone before then or validating resolvers will start returning SERVFAIL for your whole domain. Put the signing in a cron job rather than relying on memory. Once your zone is signed, you should find a couple of new files for your zone: dsset-domain.tld. and domain.tld.zone.signed (the output name is the input name with .signed appended). It is worth running dnssec-verify -o domain.tld domain.tld.zone.signed before you put the file into service. Then go to your BIND configs and tell it to use the new "signed" zone file like so:
zone "shorturlbl.ca" IN {
type master;
file "shorturlbl.ca.zone.signed";
allow-transfer { blah blah blah; };
also-notify { blah blah blah; };
allow-update { none; };
};
... and now get BIND to start using the new signed zone.
rndc reload domain.tld
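The failure mode that makes a signed domain "disappear" is usually just an RRSIG that was never refreshed. The following is an added example in Python, not code from the original post, that reads a BIND-style domain.tld.zone.signed file, folds the parenthesised multi-line records back together, and reports the RRSIGs that expire within a given number of days, so it can run from cron beside the re-signing job. The zone excerpt is constructed for the example (the names are example.ca and the signature base64 is a placeholder, not a real signature); its layout copies what dnssec-signzone writes, where an owner name is only printed when it changes and long records are wrapped in parentheses.

```python
import sys
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the layout dnssec-signzone writes: the owner name is only
# printed when it changes, long records are wrapped in ( ... ), and the signature
# base64 is a placeholder, not a real signature.
SAMPLE_SIGNED_ZONE = """\
example.ca.\t\t300\tIN SOA\tns1.example.ca. hostmaster.example.ca. (
\t\t\t\t\t2021111502 ; serial
\t\t\t\t\t3600 900 1209600 300 )
\t\t\t300\tRRSIG\tSOA 13 2 300 (
\t\t\t\t\t20211215120000 20211115120000 1554 example.ca.
\t\t\t\t\tUExBQ0VIT0xERVJTSUdOQVRVUkU= )
\t\t\t300\tDNSKEY\t257 3 13 AAECAw==
\t\t\t300\tRRSIG\tDNSKEY 13 2 300 (
\t\t\t\t\t20211201120000 20211101120000 1554 example.ca.
\t\t\t\t\tUExBQ0VIT0xERVJTSUdOQVRVUkU= )
www.example.ca.\t\t300\tIN A\t192.0.2.10
\t\t\t300\tRRSIG\tA 13 3 300 (
\t\t\t\t\t20211215120000 20211115120000 1554 example.ca.
\t\t\t\t\tUExBQ0VIT0xERVJTSUdOQVRVUkU= )
"""


def logical_records(zone_text):
    """Fold BIND's '( ... )' continuation lines into one string per record, comments removed."""
    records, buf, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip ; comments, keep leading whitespace
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            records.append(" ".join(buf))
            buf, depth = [], 0
    return records


def rrsig_expirations(zone_text):
    """Yield (owner, covered_type, expiration) for every RRSIG in the zone text."""
    owner = None
    for record in logical_records(zone_text):
        fields = record.replace("(", " ").replace(")", " ").split()
        if not record[0].isspace():  # a record starting in column 0 names a new owner
            owner = fields[0]
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # RRSIG rdata: type alg labels origttl expiration inception keytag signer signature
        expiration = datetime.strptime(fields[i + 5], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        yield owner, fields[i + 1], expiration


def expiring_within(zone_text, now, days=7):
    """RRSIGs that expire within `days` of `now` (or already have), soonest first."""
    limit = now + timedelta(days=days)
    hits = [(exp, owner, rtype) for owner, rtype, exp in rrsig_expirations(zone_text) if exp <= limit]
    return sorted(hits)


if __name__ == "__main__":
    # Pass the path of your .signed file as the only argument; without one the
    # constructed sample (whose signatures are long expired) is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIGNED_ZONE
    now = datetime.now(timezone.utc)
    for exp, owner, rtype in expiring_within(text, now, days=7):
        print(f"WARNING: RRSIG over {owner} {rtype} expires {exp:%Y-%m-%d %H:%M} UTC; re-sign the zone")
```

Run it daily from cron against the live domain.tld.zone.signed and have it mail you on any output; seven days of warning is comfortable when the default signature lifetime is 30 days and you re-sign, say, weekly.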
Finally, the last step is to give your registrar the DS record(s) from the dsset file, which they use to update the .ca (or whatever TLD) registry; dnssec-signzone only writes DS records for the KSK, which is what you want. In the case of 10dollar.ca, you can now do that directly from their web interface without having to open tickets or send emails. To see what your DS records are, look at the contents of the dsset-domain.tld. file that was created when you signed your zone. It should look something like this (again from the original algorithm 7 keys; the fields after DS are key tag, algorithm number, which would be 13 for ECDSAP256SHA256, digest type, and digest, and the digest type 2 line, SHA-256, is the one to submit):
cat dsset-shorturlbl.ca.
shorturlbl.ca. IN DS 39720 7 1 B7582955C7901CACA15977D36C4167913230D98E
shorturlbl.ca. IN DS 39720 7 2 93C010BD6CDE93325D62E36B59801A65EE0C632E77A0EDFEA46D73C4 D4856446
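To check that what you paste into the registrar's form really is the DS of your KSK, you can recompute the DS record from the DNSKEY line in the Kdomain.tld.+<alg>+<tag>.key file yourself; this is the same computation dnssec-dsfromkey does. The following is an added example in Python (not code from the original post), built from RFC 4034: the key tag is the 16-bit checksum of the DNSKEY rdata from Appendix B, and the digest is SHA-1 or SHA-256 over the owner name in canonical wire format followed by the rdata. The DNSKEY line and its public key bytes are constructed for the example and are not a real key, so the tag and digests it prints belong to no real zone.

```python
import base64
import hashlib
import struct

# Constructed sample in the format dnssec-keygen writes to Kdomain.tld.+013+<tag>.key.
# The public key bytes (00 01 02 03) are made up; a real P-256 public key is 64 bytes.
SAMPLE_DNSKEY_LINE = "example.ca. IN DNSKEY 257 3 13 AAECAw=="


def name_to_wire(name):
    """Owner name in canonical wire form: lower case, length-prefixed labels, root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line):
    """Return (owner, rdata) for an 'owner [TTL] [IN] DNSKEY flags proto alg key' line."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # the key may be split over fields
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the DNSKEY rdata with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)


def ds_record(dnskey_line, digest_type=2):
    """Build the DS RR that dsset-domain.tld. would carry for this DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    algorithm = rdata[3]
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(dnskey_line, dsset_line):
    """True if a line from dsset-domain.tld. is the DS of the given DNSKEY.

    dnssec-signzone wraps a long digest across a space, so the digest is re-joined first.
    """
    fields = dsset_line.split()
    i = fields.index("DS")
    tag, algorithm, digest_type = (int(f) for f in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()
    rebuilt = f"{fields[0]} IN DS {tag} {algorithm} {digest_type} {digest}"
    return rebuilt == ds_record(dnskey_line, digest_type)


if __name__ == "__main__":
    # Print both digest types; only the type 2 (SHA-256) line needs to go to the registry.
    for digest_type in (1, 2):
        print(ds_record(SAMPLE_DNSKEY_LINE, digest_type))
```

Feed it the DNSKEY line of the 257 (KSK) key, not the 256 one, and compare the type 2 output against the dsset line before you submit it; the join in ds_matches is also a reminder that the wrapped digest in the dsset file must be pasted into the registrar's form as one string with no space.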
Then in the web interface:
- Click on "My Domains"
- Click the "Gear Icon" for the domain you are working on
- Scroll down to "DNSSEC Records"
- Add in your values and click submit
The values you enter should match the dsset from above field for field (note that dnssec-signzone wraps the SHA-256 digest across a space; paste it as one string). Now you can go to a DNSSEC checker like the one at Verisign and pump in your domain name to see if your DNSSEC is deployed correctly. At first it should show you that your DS records do not exist but should show you the rest of your DNSSEC related records. As soon as the DS records are propagated from 10dollar.ca to the .ca registry the test should show all green. You can confirm the same thing from the command line with dig +dnssec DS domain.tld against a validating resolver and checking that the ad flag is set in the answer.