A number of checks are listed in:


that are intended to make sure a domain is ready for DNSSEC.

As I've been the DNSSEC and DANE implementations at now ~5.8 million domains, 
I'd like to suggest some additional checks:

     o  ensuring that the SOA record RRset is correctly signed, unlike:


        which is always incremented by 1 *after* the zone is signed!

     o  ensuring the NS RRset at the zone apex matches the glue RRs
        at the parent zone

     o  Verifying that TLSA lookups are NOT blocked and denial of
        existence works by querying for:

           _25._tcp.<nonce>.example.net. IN TLSA ?

        and verifying the NXDomain, NODATA, or (very rarely) wildcard
        TLSA records against the implied DNSKEYs.  The nonce can be some
        random hex string of 8 or more bytes, that is unlikely to be an
        actual name in the zone.

      o Do the above for all IPv4 and IPv6 addresses of all the nameservers,
        as some misconfigured firewalls block unexpected RR types for just
        IPv4 or just IPv6.

      o A similar probe for CAA records is likely appropriate, Let's Encrypt
        runs into CAA lookup issues for a non-negligible fraction of domains.

      o Check that if the zone uses RSA, the KSK and ZSK are at least 1280
        bits and at most 2048 bits.  This may be controversial, but for new
        deployments RSA <= 1024 bits is widely considered too weak, and RSA
        with more than 2048 bits creates signatures that are often too large
        for reliable UDP transport.

      o Check that if the zone uses NSEC3 the NSEC3PARAM iteration count is
        at most 150 (regardless of RSA key size).  Larger iteration counts
        are both inefficient and fragile in the face of algorithm rollovers.
        The optimal value is 0 (performs one round of SHA1, which is enough to
        deter casual zone walking).  The most popular value is 1, which is
        very likely because it is slightly unclear whether 0 means no hash
        or (as is the case) just one initial hash.  So hats off to the
        operations that chose 1, they understand that the count should be
        low, and are careful to avoid edge cases.


DNSOP mailing list

Reply via email to