Debian DNSSEC – how to secure a domain


I have a beginner question about DNSSEC. I have a lot of experience with TLS and cryptography and would like to try out this new technology. I have googled a lot about this but I haven't found information that is useful to me. I think one source of confusion when gathering information is that "Debian howto DNSSEC setup" can mean "How to USE DNSSEC for resolving" OR "How to secure your domain with DNSSEC". I am looking for the second.

I am running a Debian Squeeze server with root privileges which has a domain name ending with ".de" (which is already signed by the root zone). The network interface at this server uses the gateway IP (DNS resolver?) of the datacentre the server is running on.

My domain is hosted at freedns.afraid.org, where I can add DNS RRs for my domain. They are currently NOT capable of adding DNSSEC RRs, but I am bugging them to support this soon. 😉

My simple question is: How do I set up DNSSEC on Debian? Or rather, whom do I have to ask?

As far as I understand, all I have to do is to run dnssec-keygen on my Debian server and then add the key to my DNS provider as a DNSSEC RR. (And change it every 30 days?)

I have looked at this http://www.isc.org/files/DNSSEC_in_6_minutes.pdf but it looks like you have to be the owner of a ZONE, so I don't think this applies to me. Who needs to sign my domain? My DNS provider, my zone (DeNIC), or can I do it myself?

Any help is very appreciated!

Best Answer

Background: DNSSEC in reality is a couple of security keys and several DNS records that should exist in addition to your normal DNS records. Those reside in two places:

  1. Authoritative DNS server for your domain. This holds the DNSKEY, RRSIG and NSEC/NSEC3 records.
  2. Authoritative DNS server for your parent domain ("com" domain for example.com). This holds DS records.

Private keys themselves can actually be stored anywhere (or even deleted after they have been used to sign everything that has to be signed), but normally they will also reside somewhere on the domain's authoritative server.

Now, the answer to your question depends on how your DNS provider will implement DNSSEC support.

In the simplest (for you) scenario, the DNS hosting will do all the work (creating KSK and ZSK keys, publishing DNSKEY records, signing and automatically re-signing the zone file with RRSIG and NSEC/NSEC3 records, and preparing the DS key that you will send to your registrar).

(As you see, it requires support not only from your DNS hosting but also from your registrar. ICANN maintains a list of DNSSEC-supporting registrars.)

In this case you will only have to copy the DS key provided by your DNS hosting and send it to your registrar (hopefully via a web interface or by any other means that your registrar supports).

P.S. As you see, the whole process has nothing to do with your computer(s) nor with any OS you run, be it Debian or Windows, heaven forbid.
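To make the DNSKEY-to-DS step concrete, here is an added example (not the answerer's code, and not tied to any particular DNS host) that derives the DS record a registrar needs from a KSK DNSKEY record: the key tag from RFC 4034 Appendix B and the SHA-256 digest (digest type 2) over the canonical owner name plus the DNSKEY RDATA. The sample key is 64 constructed bytes standing in for a public key, not a real key.

```python
import base64
import hashlib

SEP_FLAG = 0x0001   # bit 15: Secure Entry Point, i.e. this is the KSK
ZONE_KEY = 0x0100   # bit 7: the key is a zone-signing key of some kind

def name_to_wire(owner):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (even bytes weighted by 256)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Build the DS record for a DNSKEY. Returns (key_tag, digest_hex, presentation_line).
    Digest type 2 = SHA-256 over canonical owner name + DNSKEY RDATA (RFC 4509)."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    if not (flags & ZONE_KEY and flags & SEP_FLAG):
        raise ValueError("DS is derived from the KSK (flags 257); refusing a key without the SEP flag")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    tag = key_tag(rdata)
    return tag, digest, f"{owner} IN DS {tag} {algorithm} 2 {digest}"

def ds_from_dnskey_line(line):
    """Parse a DNSKEY in zone-file presentation format (as printed by dnssec-keygen or dig) and return its DS."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    return ds_from_dnskey(tokens[0], flags, protocol, algorithm, "".join(tokens[i + 4:]))

# Constructed sample: NOT a real key, just 64 deterministic bytes in place of an ECDSA P-256 (alg 13) public key.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(ds_from_dnskey_line(SAMPLE_KSK)[2])
```

Feeding the output to the registrar is the "copy the DS key" step above; the same tag and digest must appear in the parent zone for validators to follow the chain from ".de" down to your zone.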
