7 September 2017 - At ION Conference Durban, Mark Elkins discusses the benefits of DNSSEC and why companies in South Africa need it.

1. Mark Elkins – mark@dns.net.za
DNSSEC - Why We can’t Avoid it
September 2017 – i-Week/ISOC/ION

2. DNSSEC helps prevent attackers from subverting and
modifying DNS messages and sending users to wrong
(and potentially malicious) sites.
When you ask for a Website by name - the correct IP
Address is returned.
There are two sides to DNSSEC
 Signing Zones
 Validating Resolvers
DNSSEC & Why we Can’t Avoid It

3. Where we are in South Africa
Plan approved on 22nd August, 2016
ZA Signed 12th September, 2016
WEB.ZA signed 16th September, 2016
ZA DS records in the Root 9th December, 2016
ORG.ZA and NET.ZA added 8th February, 2017
CO.ZA added just now.
NOM.ZA & EDU.ZA, signed & accept DS records from 2016
DS Records for NOM.ZA & EDU.ZA recently added to ZA
Signing Zones (1)

4. Where we are in South Africa
Most/All older gTLDs are signed
Currently undergoing a root key roll-over
All new gTLDs must be signed at birth
(joburg, durban, capetown, africa)
First started training DNSSEC 2005
Paused in 2015 – 300+ people trained (some more than once)
Will resume in 2018.
The ZACR/DNS EPP system has allowed access to managing
DS records since 2015
Signing Zones (2)

5. So how do I sign my Zone?
 Use a Registrar that offers this service
 Install and use freely available software
1. OpenDNSSEC – does almost everything for you
2. BIND – Does most things – except Key Management
3. Knot DNS – Includes key Management
4. My (old) script – does everything
(You still need a DNSSEC aware Registrar though!)
Signing Zones (3)

6. Looking at stats.labs.apnic.net/dnssec
The world average for using a DNSSEC aware resolver is 12.5%
For Africa, the value is 14%
Southern Africa is 38%
South Africa is 39% We are not doing badly!
8.8.8.8 and 8.8.4.4 are both DNSSEC Validating resolvers and
often used by aDSL providers as a backup
$ dig @8.8.4.4 dnsafrica.study
HEADER flags: qr rd ra ad
dnsafrica.study. A 196.29.61.1
DNSSEC Aware Resolvers (1)

7. How do I make my Recursive Resolver DNSSEC aware?
Take a look in “options” dnssec-validation auto;
Generally, most new BIND installations have the correct options
already set. May need the “Managed Keys” stanza added:
DNSSEC Aware Resolvers (2)
managed-keys {
. initial-key 257 3 8
"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};

8. In order to create a safer customer environment - many
Registrars will sign their customers Domain - perhaps even make
this the default.
DNSSEC, along with automatic SSL/TLS Certificate generation
and DANE (DNS-based Authentication of Named Entities) will
help secure access to Websites and E-Mail.
In South Africa, when a Domain transfer is done, the transfer is
managed by the Registrant. The new Registrar sends the
Transfer request via EPP which generates an e-mail request to
the Registrant. When the Registrant confirms the request, the
transfer happens immediately.

9. If the Domain was previously signed by a DNSSEC capable
Registrar and now moves to a Registrar that does not support
DNSSEC, the Domain will not work for 40% of South Africans
because the DS records for the Domain will still be in the parent
zone file.
Moving a Domain to a non-DNSSEC enabled Registrar not only
removes any DNS security - it may make the Domain completely
disappear.

10. So how do you view DNSSEC?
Questions?
Thoughts?
mark@dns.net.za
+27 11 568 2800 info@dns.business @dns_za
www.DNS.business