snork.ca ... making kittens cry since 2001

Easy DNSSEC For .ca Domains 2019-09-20


I like the idea of DNSSEC, which for the most part helps to ensure that the replies you get from DNS servers are correct. It helps to minimize the chances of having your DNS hijacked, which would likely be done to force you to visit forged web sites and other services. The problems with DNSSEC are that it isn't very widely deployed, and it is a pain in the ass to deploy. I think a number of people avoid using DNSSEC because if there are problems with setting it up then their whole domain could seemingly disappear until the problem is fixed.

A couple years back I decided to roll out DNSSEC on my domains and found it to be an irritating and disappointing experience. You first need to be using a TLD that is signed (such as .ca) and then you need to find a registrar who supports DNSSEC. The bad news is that even if your registrar does support DNSSEC, it doesn't mean they provide an easy way for you to manage your DNSSEC settings for your domains. Most of them get you to send an email or open a support ticket to manage your DNSSEC entries in the .ca registry. So a couple of years ago I found myself bitching to my registrar about this exact problem. I also bitched to CIRA, but they clearly did not give a shit. So I bounced around to a couple of registrars and finally landed at rebel.ca.

Recently I got my notification about the renewal of my snork.ca domain, and it appears the price at rebel has been jacked to $19. Whether the rate I paid previously was just an introductory rate designed to make me switch, I don't know, but over time (on multiple domains) that adds up. So I logged in to my 10dollar.ca account and noticed a section called DNSSEC settings. So I figured I would try adding DNSSEC to my shorturlbl.ca domain to see how well it works. Here's how it went:

I should start by saying that I already owned the domain and manage DNS for it with a Linux box running BIND. Frankly I think BIND is ugly and painful at times but it is a functional authoritative server with all the components required for reasonably easy DNSSEC deployment. If you do not manage your own DNS it is of course still possible to set up DNSSEC, it just means that your DNS provider has to provide you with a way to sign your zones. If you do run BIND, you just cd to wherever you keep your zone files and:

# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE domain.tld
# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE domain.tld

Obviously you need to replace domain.tld with your actual domain name in the above commands. This will create some key files in your current directory, and those key files should be included in your domain's zone file. You can do this manually or with a script like this:

for key in Kdomain.tld.+*.key
do echo "\$INCLUDE $key" >> domain.tld.zone
done

The end result is that your zone file should now have a couple of include lines at the bottom like this:

$INCLUDE Kshorturlbl.ca.+007+10319.key
$INCLUDE Kshorturlbl.ca.+007+39720.key

Next you need to sign your zone (don't forget to increase your serial) with something like this:

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.zone

You may find that installing the haveged package makes this go a little quicker. Once your zone is signed, you should find a couple of new files for your zone: dsset-domain.tld. and domain.tld.zone.signed. You'll want to go to your BIND configs and tell it to use the new "signed" zone file like so:

zone "shorturlbl.ca" IN {
  type master;
  file "shorturlbl.ca.zone.signed";
  allow-transfer { blah blah blah; };
  also-notify { blah blah blah; };
  allow-update { none; };
};

... and now get BIND to start using the new signed zone.

rndc reload domain.tld

Finally, the last step is to give your registrar the dsset, which they use to update the .ca (or whatever TLD) registry. In the case of 10dollar.ca, you can now do that directly from their web interface without having to open tickets or send emails. To see what your DS keys are, look at the contents of the dsset-domain.tld. file that was created when you signed your zone. It should look something like this:

# cat dsset-shorturlbl.ca.
shorturlbl.ca. IN DS 39720 7 1 B7582955C7901CACA15977D36C4167913230D98E
shorturlbl.ca. IN DS 39720 7 2 93C010BD6CDE93325D62E36B59801A65EE0C632E77A0EDFEA46D73C4 D4856446

Then in the web interface:

(Screenshot: the DNSSEC settings page in the 10dollar.ca web interface.)

See how neatly those match up with the dsset from above? Now you can go to a DNSSEC checker like the one at Verisign and pump in your domain name to see if your DNSSEC is deployed correctly. At first it should show you that your DS records do not exist but should show you the rest of your DNSSEC related records. As soon as the DS records are propagated from 10dollar.ca to the .ca registry the test should show all green.
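Eyeballing the web form against the dsset file works, but a wrong digit in a DS record means the whole domain fails validation once the registry publishes it, so it is worth checking mechanically before the propagation wait. This added example (not from the post) redoes the derivation that dnssec-signzone performs when it writes dsset-<zone>, per RFC 4034: the key tag over the DNSKEY RDATA and the SHA-1 (type 1) or SHA-256 (type 2) digest over the owner name in wire form plus that RDATA, then compares a pasted DS line against it. The DNSKEY it works on is constructed with arbitrary key bytes; with a real zone you would paste the KSK line from Kdomain.tld.+007+NNNNN.key instead.

```python
import base64
import hashlib

# Constructed DNSKEY for illustration: flags 257 (KSK), protocol 3,
# algorithm 7 (NSEC3RSASHA1, as used on the page). The key material is
# arbitrary bytes, not a real RSA public key.
FAKE_KEY = base64.b64encode(b"constructed key material, not a real RSA public key").decode()
SAMPLE_DNSKEY = f"shorturlbl.ca. IN DNSKEY 257 3 7 {FAKE_KEY}"
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types, RFC 4034 / RFC 4509


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name such as 'shorturlbl.ca.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Return (owner, rdata_bytes) from a presentation-format DNSKEY record."""
    owner, _, _, flags, proto, alg, key = line.split(None, 6)
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
    rdata += base64.b64decode("".join(key.split()))  # key may be wrapped over lines
    return owner, rdata


def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(dnskey_line, digest_type):
    """Build the DS record dnssec-signzone writes into dsset-<zone> for this key."""
    owner, rdata = parse_dnskey(dnskey_line)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(ds_line, dnskey_line):
    """True if a DS line (e.g. copied back from the registrar's form) was derived
    from this DNSKEY. BIND splits long digests with a space, so any whitespace
    inside the digest field is ignored before comparing."""
    owner, _, _, tag, alg, dtype, *digest = ds_line.split()
    if int(dtype) not in DIGEST_ALGOS:
        return False  # unsupported digest type, cannot confirm it
    expected = make_ds(dnskey_line, int(dtype)).split()
    return (owner.lower(), tag, alg, "".join(digest).upper()) == (
        expected[0].lower(), expected[3], expected[4], expected[6])
```

Run it against the real KSK line and both lines of the dsset file, and a False tells you to re-check the form before the DS reaches the .ca registry.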
