Tag: DNSSEC

  • DNSSEC: Beware during algorithm transitions

    DNSSEC is cool. It easily adds security to probably the most important enabling protocol in today’s Internet: No web pages could be found, email delivered, or instant message received, without the Domain Name System (DNS). DNSSEC also enables DANE, a step forward for certificates for most applications. Sometimes you want to change a few settings.…

  • DNSSEC made easy: Converting an existing DNS zone to Inline signing with BIND

    DNSSEC — the security extensions to the trusty Domain Name System (DNS) upon which almost all Internet transactions rely — is often considered hard to set up. My own setup has been very dated, using complicated scripts which needed to run after every change to the zone file. There was time to change this. Modern…

  • DNSSEC for .ch domains

    This year, all owners of .ch domains need to switch from the DNS registry SWITCH to a new registrar. Getting an overview of these registrars is hard. Thankfully, Marc Wäckerlin has started the road to transparency with a price comparison of Swiss .ch domain registrars. Here, I extend his results with a survey of DNSSEC…

  • Adding your FRiTZ!Box as a “secure” DNS resolver for the fritz.box pseudo-domain

    Your FRiTZ!Box maintains a useful list of names of machines in your local network in its pseudo-domain fritz.box, based on DHCP requests and web interface. This information is useful, but adding the pseudo-domain “fritz.box” to your own DNS hierarchy is no longer straightforward in the days of DNSSEC. Here is how to include it into…

  • DANE: The CA game changer

    Securing the Internet is important. However, many design decisions are broken: For example, encrypted web pages are considered less secure than unencrypted pages, even outright dangerous, unless you regularly pay a lot of money to certificate authorities, which have been shown to make the Internet less secure. The new kid on the block, DANE (DNS-based Authentication…

  • How to create DNSsec DANE TLSA entries

    Rationale: One of the most promising features for DNSsec is the ability to tell a client which certificate to expect when connecting via Transport Layer Security (TLS). RFC 6698 specifies how TLS Authentication information can be put into DNSsec. So when you ask for the IP address of the server, you can simultaneously obtain the information which…