Setting Up DNSSEC Successfully Requires Preparation
Deccio said that part of the problem is that DNSSEC has several kinds of keys, and keeping them all straight can be confusing. "You have the notion of a DNS key, and it can play several roles," he explained. "You have key signing keys, zone keys, standby keys, revoked keys. Then there's the relationship between the different zones. Then there's the key in the parent zone and links with the child zone." Deccio said that what he's accomplished is to boil everything down into a graphical representation of the trust relationship in the DNS system. The graphics are interactive, and there's a summary column that gives you the bottom line at a glance. If you have something wrong with your DNSSEC configuration, it shouts "BOGUS" in a big red sign. Regular old DNS is simply listed as insecure.Even looking at a plain old DNS site DNSViz will not only tell you what level of security is available to its address entries, but what alias addresses it's also pointing to. When you look at the graphical representation of the trust chain, the levels of trust are indicated, and mousing over the arrows will tell you where the connection stops being trusted, which is probably at the beginning of your organization's site. You can also find out what DNS servers are responding and it includes IPv4 and IPv6 DNS entries.The good news about DNSSEC is that it exists and that most sites that are at risk of attack can use it. The bad news is that using DNSSEC isn't something done casually. It requires careful planning along with some actual training of your IT staff if you have any hope of getting it right. But the rewards, such as not having a DNS-based attack to contend with, are considerable. Fortunately, Sandia National Labs has decided to make DNSViz available to the public, so anyone can check to see how they stand in regards to DNS security. Deccio said that he's planning to keep on expanding the functionality of DNSViz, although he will need some additional resources to do this. He also said that he's planning to make it easier to incorporate DNSViz into automated security systems. "It's a work in progress, and I'm hoping to expand the scope," Deccio said. "I'd like people to have a programmatic interface. If you could plug into a API, you could have a regular monitoring system."