DNSSEC secured blog: raising awareness on DNS security

Posted on 2 September 2013 by Pier Carlo Chiodi

Hurray! My blog and the whole pierky.com domain are now running on a DNSSEC secured zone.

Thanks to the recent moving of the blog from the WordPress.org hosted infrastructure to the OVH hosting service I finally managed to enable IPv6 and DNSSEC support.

If you are using a DNSSEC-aware resolver (are you? check it out…) you can verify it yourself:

:~# dig +dnssec blog.pierky.com

; <<>> DiG 9.8.1-P1 <<>> +multi +dnssec blog.pierky.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31643
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
...

There it is the ad (Authenticated answer) flag.

If your resolvers are not DNSSEC-aware – what a shame! Tell your ISP to enable them 🙂 – you can try the same using an open resolver which supports DNSSEC, like those of Google…

:~# dig +dnssec blog.pierky.com @8.8.8.8

… or you can try an online test suite, like the one provided by Verisign Labs or DNSViz.

A nice browser addon – available for Internet Explorer, Firefox and Chrome – allows you to check the DNSSEC validity of the domain names in your browser window. It’s name is DNSSEC Validator and it works even if your resolvers are not DNSSEC enabled (you can set an external resolver different from the one in use in your operating system); here it is a screenshot showing my blog’s status:

DNSSEC secured blog as seen by DNSSEC Validator addon

(in the above screenshot you can see a green 6 too, originated from another Chrome addon, IPvFoo, which indicates whether the current page was fetched using IPv4 or IPv6).

This is just a small drop in the ocean of Internet, but I like to believe that it might raise awareness about DNS security matter and encourage its adoption (it seems that as of September 2012 only 1.7% of the visible DNS resolvers in the Internet were performing DNSSEC validation).

References

RIPE Labs – Counting and Re-Counting DNSSEC

dnssec-deployment.org – DNSSEC in ccTLDs, Past, Present, and Future/

dnssec-deployment.org – ccTLD DNSSEC Adoption as of 2013-07-30 [PDF]

CZ.NIC – DNSSEC Validator

Verisign Labs – Test if you are benefiting from DNSSEC

Verisign Labs – DNSSEC-Debugger

Sandia.gov – DNSViz

Bio
Latest Posts

Pier Carlo Chiodi

Italian, born in 1980, I started working in the IT/telecommunications industry in the late '90s; I'm now a system and network engineer with a deep knowledge of the global Internet and its core architectures, and a strong focus on network automation.

Latest posts by Pier Carlo Chiodi (see all)

Good MANRS for IXPs route servers made easier - 11 December 2020
Route server feature-rich and automatic configuration - 13 February 2017
Large BGP Communities playground - 15 September 2016

Pierky's Blog

mostly a system and network engineer's repository