Victor Kropp

Take DNS under control with DNSSEC

In the first part I showed the simple way to manage DNS with dnscontrol. However, I started the migration not only to consolidate all domain configs in one place, but also to apply best practices in their management.

CAA record

DNS was developed quite long ago. It was designed to be distributed, but without security in mind. It just wasn’t an issue back then.

The same goes for HTTP. Only in recent years have websites become HTTPS by default. HTTPS requires a valid certificate issued by a trusted Certificate Authority. To prevent an unauthorized CA from issuing a certificate for a domain, one may publish a CAA DNS record that specifies the allowed authorities.
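To make the CAA mechanism concrete, here is an added example (not code from the original post) that models how a CA evaluates CAA records before issuing, following the relevant-record-set rules of RFC 8659: climb from the requested name towards the root, take the first CAA set found, and for wildcard names let issuewild override issue. The zone data, domain names and CA names below are constructed placeholders; the dnscontrol declaration in the comment is shown as an assumption of its syntax.

```javascript
// Added example: CAA policy evaluation as a CA would perform it (RFC 8659).
// All zone data below is constructed for illustration.
//
// In a dnscontrol dnsconfig.js the same policy would be declared roughly as
//   CAA("@", "issue", "letsencrypt.org"),
//   CAA("@", "issuewild", ";"),
//   CAA("@", "iodef", "mailto:security@example.com"),
// (assumed syntax; check the dnscontrol docs for your version).

const zone = {
  "example.com": [
    { tag: "issue", value: "letsencrypt.org" },
    { tag: "issuewild", value: ";" },          // empty issuer: no wildcard certs at all
    { tag: "iodef", value: "mailto:security@example.com" },
  ],
  "legacy.example.com": [
    { tag: "issue", value: "other-ca.example" },
  ],
};

// RFC 8659 section 3: the relevant CAA RRset is the first non-empty one
// found when climbing from the requested name towards the root.
function relevantCaaSet(name, records) {
  const labels = name.replace(/^\*\./, "").toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (records[candidate] && records[candidate].length > 0) {
      return records[candidate];
    }
  }
  return []; // no CAA anywhere up the tree: any CA may issue
}

// The CA-identifying part of an issue/issuewild value is the domain before
// the first ';' (parameters may follow it). A bare ";" yields "" and so
// matches no CA, which is how CAA forbids issuance entirely.
function issuerDomain(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Returns true if `ca` (e.g. "letsencrypt.org") is permitted to issue for
// `name`. A leading "*." selects the wildcard rules (section 4.3).
function mayIssue(ca, name, records) {
  const set = relevantCaaSet(name, records);
  const wildcard = name.startsWith("*.");
  let relevant = set.filter((r) => r.tag === "issue");
  if (wildcard) {
    const wild = set.filter((r) => r.tag === "issuewild");
    if (wild.length > 0) relevant = wild; // issuewild overrides issue for wildcards
  }
  if (relevant.length === 0) return true;  // no issue restriction present
  return relevant.some((r) => issuerDomain(r.value) === ca.toLowerCase());
}

module.exports = { zone, relevantCaaSet, issuerDomain, mayIssue };
```

Note that a subdomain with no CAA records of its own (`www.example.com`) inherits the parent's policy, while a subdomain that publishes its own set (`legacy.example.com`) replaces it entirely rather than merging with it.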

DNSSEC

However, unless the DNS records themselves are verified, that doesn't prevent malicious actors from forging them, the CAA record included. Here comes DNSSEC.

The main idea behind it is to sign DNS records, so that any client may verify that they have not been altered as part of a MITM attack.

Not every DNS provider supports DNSSEC, unfortunately. That was one of the reasons for me to change the DNS provider in the first place.

deSEC

I chose deSEC – a free DNS provider built with security in mind to promote DNSSEC. Since it is fully supported by dnscontrol, the migration was a breeze.

deSEC is hosted in Germany and backed by a non-profit organization. If you decide to use their services, please consider donating. These donations are tax-deductible in Germany.

Publishing the signing keys had to be done manually, but that was not a big issue for me. Still, I wish dnscontrol were able to handle it.

Verification

To verify the security of your zone, you may use DNSSEC Analyzer. Here, for example, is a report for kropp.name.

And with that, I consider my DNS setup complete and future-proof.

This is post 12 of #100DaysToOffload
