DNSSEC Workshop

From SdNOG wiki
Jump to: navigation, search


Hands on DNS and DNSSEC Three day course – Philip Paeps


At the end of this course, participants will be familiar with the Domain Name System and Security Extensions to the Domain Name System (DNSSEC). The course is taught "hands-on" in a virtualised FreeBSD environment. Participants will configure authoritative and recursive domain name servers and will learn to analyse and debug common misconfigurations and bugs


Participants should be familiar with Unix-style operating systems. The course is taught on FreeBSD but the environment will be familiar to people with a systems administration background on Linux or Solaris. Participants should bring their own laptops. The virtualised lab environment is hosted on a server in Germany. Reliable internet connectivity with reasonable latency is required


Systems administrators and network operators responsible for the DNS services in their organisation.

Workshop Requirements

  • Some understanding of DNS is required (for example, operational experience managing DNS servers is useful)
  • Some knowledge of Linux/UNIX command line
  • Good understanding of network basics (IP networking)
  • All participants will need to bring a laptop with WiFi access. You cannot use a tablet for this workshop.


Philip Paeps

Workshop Materials


Time Day 1: Sunday 23 August Day 2: Monday 24 August Day 3: Tuesday 25
08:30 – 09:15 (45 minutes) Registration and coffee Registration and coffee Registration and coffee
09:15 – 11:15 (120 minutes) • Introduction to DNS
• Resource records
• Delegation
• Queries, responses and flags
•Configuring authoritative nameservers
• Setting up DNS zonefiles
• Delegating authority
• Debugging common zonefile problems
• Introduction to DNSSEC
• New resource records and flags in DNSSEC
• Validating a domain from the root step by step
11:15 – 11:30 (15 minutes) Coffee break Coffee break Coffee break
11:30 – 13:00 (90 minutes) • DNS packet analysis
• DNS data flow
• DNS vulnerabilities
• Very brief introduction to cryptography
•Using TSIG to secure queries
• Key management: ZSKs and KSKs
• Theory of key rollover and best practices
13:00 – 14:00 (60 minutes) Lunch Lunch Lunch
14:00 – 15:30 (90 minutes) • Tools: dig, drill, host, nslookup, tcpdump
• Tools exercises
• Resolving a domain from the root by hand
• Configuring secondary nameservers
• Configuring TSIG to secure zone transfers
• Debugging common zone transfer issues
• Manually signing a zone with BIND 9
• Configuring automatic DNSSEC with BIND 9
• Brief introduction to OpenDNSSEC
15:30 – 15:45 (15 minutes) Coffee break Coffee break Coffee break
15:45 – 16:30 (45 minutes) • Introduction to the lab environment
• Discussion and Q&A
• Configuring unbound as a recursive resolver
• Discussion and Q&A
• Configuring unbound with trust anchors
• Demo with SSHFP and TLSA
• Discussion and Q&A