I hope former US President Ronald Reagan would forgive me for borrowing and altering the slogan of his presidential campaign. After all, quite a few people seem to be doing it these days.
Not so long ago, managing a simple static second-level domain was not too difficult. All you had to do then was to prepare a zone file on a DNS server and add some records to it — and then just inform the parent zone via your registrar about the DNS servers hosting the zone file. There was no need for any further action, unless a change had occurred. This was before DNSSEC started. This new technology has introduced strong security mechanisms into the not-too-secure protocol. But as it goes, it was “something for something”. Unfortunately, with DNSSEC you can no longer let everything just run, it is necessary to re-sign the DNS records from time to time, change Zones Signing Keys (ZSK) and occasionally even Key Signing Keys (KSK). Unfortunately, the last mentioned operation usually requires communication with the parent entity (the parent zone administrator, or in our case, the top-level domain administrator, such as CZ.NIC). The new keys must be transferred using some trusted means outside the DNS protocol. Each zone administrator is thus forced to do something from time to time, and of course it is a source of frequent problems. Perhaps the biggest complication is when the communication with the registry takes place via the domain owner, who is technically incompetent. In such case, the problem is rather insolvable.
Therefore, the DNS community searched for ways to resolve this issue. The solution is described in the documents RFC 7344 and RFC 8078, which introduce a new mechanism for transferring information about used keys between the zone administrator and the parent entity without having to use any intermediary. In layman’s terms, the zone administrator would publish special records (CDS and CDNSKEY) that indicate with which keys the zone is/should be signed. The parent domain administrator would download these records and ensure that the entire DNS tree will continue to function, including DNSSEC signing. Using this mechanism would immensely simplify the whole problem, especially for cases when someone completely different from the registrar manages the domain. This mechanism is starting today in the .cz domain and more technical information will be available soon on this blog or in the recording of Jaromír Talíř’s speech at the IT 17 conference. However, if you already have CDNSKEY in your zone, a secure DNSSEC delegation should soon launch by itself.
Even with this, DNS would not be the same as before. It would be still necessary to at least partially take care of the key rotation, which is not a simple matter and it is very easy to make a mistake, as many have seen for themselves.
And that’s why we have come up with another new feature, which is implementation of automatic key management in our authoritative DNS daemon – Knot DNS, specifically in the 2.5.0 version. Once again, you will learn more technical information in one of our next articles. Thanks to this innovation, you will just have to set the zone for signing and the keys for rotation, and not worry about anything else.
Therefore, the DNS administration complexity has returned to that low level I have described at the beginning of this text. So, from this perspective, DNS is becoming great again!
DNSSEC Automation is a must! great job getting the Fred and Knot working together on this!