I have been assigned the task of improving security of a specific service. After
Question
I have been assigned the task of improving security of a specific service. After some analysis of the requirements we have come to the conclusion, that a certain aspect of the specified requirements can only be met through the use of DNSSEC.
I have a decent amount of experience with information security and cryptography, and I believe I understand the general principles of DNSSEC. However, I have no hands-on experience.
Usually such new technologies first get deployed to a subdomain of our primary domain name. But that approach doesn't seem to be possible with DNSSEC, since a proper deployment involves signing all the way from the root servers to the subdomain. Our domains currently have no DNSSEC and the hosting provider doesn't support DNSSEC.
Buying an experimental domain through a separate hosting provider might be an option, but due to my lack of hands-on experience with DNSSEC I have no clue what to look for in such a hosting provider.
I have also considered using one of the numerous services where one can acquire a free subdomain with dynamic DNS. However, none of the providers I have looked at so far supports DNSSEC.
What would be a sensible next step to take in order to get the hands-on experience I need?
Explanation / Answer
I recently added DNSSEC to a few domains, and here are a few random notes and tips from that experience:
First of all, make sure your domain registrar supports DNSSEC. Some do, others (e.g. Namecheap) don't. If your registrar doesn't support DNSSEC (i.e. doesn't have a method for adding DS records for your domain at the parent level) you need to switch registrar first.
Depending on which DNS server you use, signing the domain can be an almost automated, trivial task or a fairly complex manual thing. My primary DNS is Windows DNS, where you can just right-click on a zone, select DNSSEC/Sign..., and a wizard takes you through the process.
Set up a test domain and go through the entire process on that one before doing it on a real prod domain. If something goes wrong, you can bring your domain offline for users who use DNSSEC-validating resolvers (e.g. Google DNS), so testing on an unused domain first is a very good idea.
GetDS is a neat tool on Linux that can help you along the way to troubleshoot and validate your setup.
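The answer's two key checks (does the registrar publish a DS record at the parent, and does a validating resolver actually authenticate the signed zone) can be scripted against `dig +dnssec` output. The following is an added example, not code from the answer above or from any tool it mentions; the dig outputs are constructed for a hypothetical zone `example.test.` with placeholder key and signature data, and the function names `parse_dig` and `assess` are my own.

```python
import re

# Constructed `dig +dnssec` outputs for the hypothetical zone example.test. (not real captures).
SIGNED_ZONE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.  3600 IN DNSKEY 257 3 13 KSK-PLACEHOLDER
example.test.  3600 IN DNSKEY 256 3 13 ZSK-PLACEHOLDER
example.test.  3600 IN RRSIG DNSKEY 13 2 3600 20250101000000 20241201000000 12345 example.test. SIG-PLACEHOLDER
"""
DS_PRESENT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.  86400 IN DS 12345 13 2 DIGEST-PLACEHOLDER
"""
DS_MISSING = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
test.  3600 IN SOA a.root.test. hostmaster.test. 1 7200 3600 1209600 3600
"""

def parse_dig(text):
    """Return (status, set of header flags, list of record types in the ANSWER section)."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([a-z ]*);", text).group(1).split())
    types, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ") and "SECTION" in line:
            in_answer = line.startswith(";; ANSWER")
        elif in_answer and line and not line.startswith(";"):
            types.append(line.split()[3])  # owner ttl class TYPE rdata...
    return status, flags, types

def assess(dnskey_out, ds_out):
    """Classify a zone's DNSSEC state from its DNSKEY query and the DS query at the parent."""
    k_status, k_flags, k_types = parse_dig(dnskey_out)
    d_status, d_flags, d_types = parse_dig(ds_out)
    if k_status == "SERVFAIL" or d_status == "SERVFAIL":
        return "broken"           # validating resolvers refuse the zone: the outage the answer warns about
    if "DNSKEY" not in k_types:
        return "unsigned"
    if "RRSIG" not in k_types:
        return "signed-no-rrsig"  # keys published but the zone data is not actually signed
    if "DS" not in d_types:
        return "island"           # signed, but no DS at the parent: registrar step still missing
    if "ad" not in k_flags or "ad" not in d_flags:
        return "not-validated"    # resolver did not authenticate; check the DS digest matches the KSK
    return "validated"
```

Run the real queries as `dig +dnssec DNSKEY example.test` and `dig +dnssec DS example.test` against a validating resolver and feed both outputs to `assess`.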