CMU-CS 426 *** Information Warfare *** Deployment of DNSSEC

Lab 1

Introduction to DNSSEC

Scenario 1: Setting up a DNSSEC-enabled DNS server

• Install a DNS server software (e.g., BIND or PowerDNS)

• Configure the server to enable DNSSEC
• Generate DNSSEC keys and sign DNS zone data
• Verify DNSSEC signatures using DNSSEC validation tools

Scenario 2: Troubleshooting DNSSEC configuration issues

• Identify common DNSSEC configuration issues

• Analyze DNSSEC-related error messages in server logs
• Use DNSSEC debugging tools (e.g., dig, dnssec-verify) to
troubleshoot DNSSEC problems
• Resolve DNSSEC configuration issues and verify successful
DNSSEC operation

Lab 2

Key Generation and Management in DNSSEC

Scenario 1: Generating DNSSEC keys

• Generate DNSSEC key pairs using DNSSEC key generation tools

• Understand the different types of DNSSEC keys (e.g., KSK, ZSK)
• Export and store DNSSEC keys securely

Scenario 2: Key rollover and key management

• Perform key rollover by generating new DNSSEC keys and retiring

old ones
• Update DNS zone data with the new keys
• Monitor the key rollover process and ensure DNSSEC integrity
during the transition

Lab 3

Zone Signing and Key Signing in DNSSEC

MSc, Trung, Thuan Nguyen @DTU-IS 1

CMU-CS 426 *** Information Warfare *** Deployment of DNSSEC

Scenario 1: Zone signing

• Configure zone signing parameters in DNS server configuration

• Sign DNS zone data using DNSSEC keys
• Publish the signed DNS zone data to the DNS infrastructure

Scenario 2: Key signing

• Generate and sign key signing keys (KSK) using DNSSEC key
management tools
• Update the DNSKEY record with the signed KSK
• Verify the DNSSEC chain of trust using DNSSEC validation tools

Lab 4

DNSSEC Deployment Best Practices

Scenario 1: Implementing DNSSEC for a domain

• Assess the DNS infrastructure readiness for DNSSEC deployment

• Plan and document the DNSSEC deployment process
• Communicate DNSSEC deployment to stakeholders (e.g., DNS
registrars, DNS resolvers)
• Monitor and validate DNSSEC operation for the domain

Scenario 2: DNSSEC deployment in a multi-provider environment

• Coordinate DNSSEC deployment across multiple DNS service

providers
• Establish trust relationships between DNS providers for DNSSEC
keys and zone transfers
• Verify DNSSEC operation across multiple DNS provider
infrastructures
Lab 5

DNSSEC Validation and Trust Anchors

Scenario 1: Configuring DNS resolvers for DNSSEC validation

• Configure DNS resolvers (e.g., BIND, Unbound) to perform

DNSSEC validation
• Enable DNSSEC validation in resolver configuration
• Test DNSSEC validation by querying DNSSEC-signed domains

MSc, Trung, Thuan Nguyen @DTU-IS 2

CMU-CS 426 *** Information Warfare *** Deployment of DNSSEC

Scenario 2: Managing trust anchors

• Understand the concept of trust anchors in DNSSEC

• Import and manage trust anchors in DNS resolvers
• Monitor and update trust anchors periodically for DNSSEC
security

Lab 6

DNSSEC and DNSSEC-related Protocols

Scenario 1: Integrating DNSSEC with DNS-over-HTTPS (DoH)

• Configure a DNS resolver to support DNS-over-HTTPS

• Enable DNSSEC validation for DNS-over-HTTPS queries
• Test DNSSEC validation over DNS-over-HTTPS connections

Scenario 2: DNSSEC and DNS-based Authentication of Named Entities

(DANE)

• Understand the concept of DNS-based Authentication of Named

Entities (DANE)
• Configure TLS certificates to be verified using DNSSEC
• Verify the authenticity of TLS certificates using DNSSEC and
DANE

Lab 7

DNSSEC Zone Transfers and Key Rollovers Scenario 1: Configuring

DNSSEC zone transfers

• Configure secure zone transfers between primary and secondary

DNS servers
• Ensure DNSSEC integrity during zone transfers
• Monitor and validate DNSSEC operation during zone transfers

Scenario 2: Key rollovers in DNSSEC

• Plan and execute key rollovers for DNSSEC keys

• Coordinate key rollovers across primary and secondary DNS
servers

MSc, Trung, Thuan Nguyen @DTU-IS 3

CMU-CS 426 *** Information Warfare *** Deployment of DNSSEC

• Verify the successful transition and continuity of DNSSEC

operation

Lab 8

DNSSEC and DNS Amplification Attacks Scenario 1: Mitigating DNS

amplification attacks using DNSSEC

• Understand the threat of DNS amplification attacks

• Configure DNS resolvers to respond with DNSSEC-enabled
responses
• Monitor and analyze DNS traffic to detect and mitigate DNS
amplification attacks

Scenario 2: DNSSEC and DNS cache poisoning prevention

• Understand the concept of DNS cache poisoning attacks

• Implement DNSSEC to protect against DNS cache poisoning
attacks
• Test the effectiveness of DNSSEC in preventing DNS cache
poisoning

Lab 9

DNSSEC Monitoring and Maintenance

Scenario 1: DNSSEC monitoring tools and techniques

• Identify DNSSEC-specific monitoring tools (e.g., DNSSEC

Analyzer, DNSViz)
• Monitor DNSSEC status and performance using these tools
• Set up alerts and notifications for DNSSEC-related events

Scenario 2: DNSSEC key rotation and maintenance

• Implement regular key rotation practices for DNSSEC keys

• Update DNS zone data with the new keys and ensure continuity of
DNSSEC operation
• Perform regular maintenance tasks to ensure DNSSEC integrity

MSc, Trung, Thuan Nguyen @DTU-IS 4