
Good practices guide for deploying DNSSEC

This guide addresses DNSSEC deployment from the point of view of information security managers responsible for defining a policy and procedures to secure the DNS services of a company or an organisation, and from the point of view of competent authorities defining or regulating requirements for deployment.

Deploying DNSSEC requires a number of security details and procedures to be defined and followed, several of them with specific timing requirements (for example for key rollovers and signature validity periods).

This guide elaborates the following cases:

  • signing of a domain’s zone;
  • providing validating recursive resolver services;
  • writing a DNSSEC practices statement;
  • selecting products or outsourcing services.

Scope of this document

A company or an organisation that holds a domain name may want to deploy DNSSEC on its authoritative name servers by signing the zone. Publishing a DNSSEC-signed zone lets DNSSEC-enabled resolvers verify the replies they receive for the domain, which secures the lookup process and ensures that ‘clients’ connect to the right source for the services they request.

On the other side of the lookup process, a company or an organisation may want to deploy DNSSEC validation on its recursive resolver. Such a deployment ensures that the ‘users’ of the network are offered validated replies for the lookups they request and therefore connect to the right source for services. However, validation only takes place for domains that have deployed DNSSEC and for which a chain of trust can be constructed from the resolver’s trust anchors down to that domain.
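The following is an added illustration of the chain-of-trust caveat in the paragraph above; it is constructed for this page and is not code from the ENISA guide. It models a resolver walking from a configured trust anchor through DS and DNSKEY records down to an answer and shows the three outcomes a validating resolver distinguishes: secure (every link verifies), insecure (a signed parent proves the child has no DS, so nothing below it is validated) and bogus (a DS exists but the key or a signature does not check out, as after a key rollover whose DS was never updated in the parent). The zone names, the tiny textbook-RSA keys and the 192.0.2.10 address are constructed; real DNSSEC uses full-size RSA/ECDSA RRSIGs over canonical RRsets, DS digests over the DNSKEY RDATA and NSEC/NSEC3 proofs, which this toy only imitates in shape.

```python
"""Toy model of DNSSEC chain-of-trust validation (constructed example).

Structure kept from real DNSSEC: trust anchor -> DS -> DNSKEY -> RRSIG.
Everything else (key sizes, digest layout, the 'NO-DS' proof) is a stand-in.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[int, int]
E = 65537  # public exponent; the primes used below give toy key sizes, for illustration only


def make_key(p: int, q: int) -> Tuple[Key, Key]:
    """Return (public, private) textbook-RSA pair standing in for a zone's DNSKEY."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest_mod(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: Key, data: bytes) -> int:
    n, d = priv
    return pow(digest_mod(data, n), d, n)


def verify(pub: Key, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_mod(data, n)


def ds_digest(owner: str, pub: Key) -> str:
    """DS record content: a digest of the child's DNSKEY, published by the parent zone."""
    return hashlib.sha256(f"{owner}|{pub[0]}|{pub[1]}".encode()).hexdigest()


@dataclass
class Zone:
    name: str
    pub: Optional[Key] = None    # DNSKEY; None means the zone is not signed
    priv: Optional[Key] = None
    rrsets: Dict[str, bytes] = field(default_factory=dict)  # owner name -> rdata
    rrsigs: Dict[str, int] = field(default_factory=dict)    # owner name -> RRSIG
    child_ds: Dict[str, Optional[str]] = field(default_factory=dict)

    def publish(self, name: str, rdata: bytes) -> None:
        self.rrsets[name] = rdata
        if self.priv is not None:          # a signed zone signs every RRset it serves
            self.rrsigs[name] = sign(self.priv, name.encode() + b"|" + rdata)

    def delegate(self, child: "Zone") -> None:
        """Publish the child's DS, or a signed statement that it has none (the NSEC role)."""
        ds = ds_digest(child.name, child.pub) if child.pub else None
        self.child_ds[child.name] = ds
        self.publish(f"DS:{child.name}", (ds or "NO-DS").encode())

    def rrset_ok(self, name: str) -> bool:
        rdata, sig = self.rrsets.get(name), self.rrsigs.get(name)
        return (self.pub is not None and rdata is not None and sig is not None
                and verify(self.pub, name.encode() + b"|" + rdata, sig))


def validate(zones: Dict[str, Zone], chain: List[str], qname: str, anchor_ds: str) -> str:
    """Walk from the trust anchor down the delegation chain; return 'secure', 'insecure' or 'bogus'."""
    expected_ds: Optional[str] = anchor_ds
    for i, zname in enumerate(chain):
        zone = zones[zname]
        if expected_ds is None:
            return "insecure"           # parent proved there is no DS: nothing to validate here
        if zone.pub is None or ds_digest(zname, zone.pub) != expected_ds:
            return "bogus"              # DS exists but the served DNSKEY does not match it
        if i + 1 < len(chain):
            child = chain[i + 1]
            if not zone.rrset_ok(f"DS:{child}"):
                return "bogus"          # DS set (or its absence) not validly signed by the parent
            expected_ds = zone.child_ds[child]
    return "secure" if zones[chain[-1]].rrset_ok(qname) else "bogus"


def outcome(case: str) -> str:
    """Build root -> test. -> example.test. (constructed names) and validate one A record."""
    root = Zone(".", *make_key(61, 53))
    tld = Zone("test.", *make_key(101, 103))
    holder = Zone("example.test.", *(make_key(107, 109) if case != "unsigned" else (None, None)))
    holder.publish("www.example.test.", b"A 192.0.2.10")   # constructed address
    tld.delegate(holder)
    root.delegate(tld)
    if case == "stale-ds":
        # KSK rolled in the child zone, but the parent's DS was never updated
        holder.pub, holder.priv = make_key(113, 127)
        holder.publish("www.example.test.", b"A 192.0.2.10")
    zones = {z.name: z for z in (root, tld, holder)}
    anchor = ds_digest(".", root.pub)   # the resolver's configured trust anchor
    return validate(zones, [".", "test.", "example.test."], "www.example.test.", anchor)


if __name__ == "__main__":
    for case in ("signed", "unsigned", "stale-ds"):
        print(case, "->", outcome(case))
```

The "unsigned" case is the situation the paragraph warns about: the resolver validates correctly, yet the domain holder gains nothing because its own zone is not signed. The "stale-ds" case is the operational failure that a DNSSEC practices statement and its timing requirements exist to prevent. Against a real validating resolver, `dig +dnssec` shows the `ad` flag for a secure answer, while a bogus chain yields SERVFAIL unless the query sets the CD flag.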

This document lists the considerations that have to be made and provides recommendations for the security details and procedures to be defined and followed with specific timing requirements in order to deploy DNSSEC:

  • by domain holders, signing their domain zones;
  • in validating recursive resolvers.

These considerations have to be addressed when specifications are compiled:

  • to deploy DNSSEC using internal resources;
  • for buying a DNSSEC-enabled commercial off-the-shelf (COTS) DNS product;
  • to outsource all or part of the DNS service and sign a service level agreement (SLA).
